+++ This bug was initially created as a clone of Bug #139606 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

Description of problem:
FC3 uses openssh-3.9p1-7. The logs are in a slightly different format, so some messages are lumped into **Unmatched Entries**

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1. Run logwatch against openssh-3.9p1-7 that contains Invalid user and Failed password lines

Actual Results:
**Unmatched Entries**
Invalid user test from ::ffff:220.70.167.67
Failed password for invalid user test from ::ffff:220.70.167.67 port 33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port 33490 ssh2

Expected Results:
Illegal users from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

Failed logins from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

-- Additional comment from djk@cyber.com.au on 2005-05-20 20:46 EST --
It looks like this should be fixed in logwatch 6.0.1 shipped with FC4 test3. (I have the same problem with FC3, and get logs of unmatched entries.)

-- Additional comment from varekova@redhat.com on 2005-06-24 07:12 EST --
This problem is fixed in the current release.
Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2. I'm not sure but it may only have become a problem since openssh has been updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update; I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit this issue. I may be wrong though.
Created attachment 149103 [details] proposed patch for 5.2.2
That looks like a good start, but here's a sample of my logs:

Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2

and logwatch reports all of these as unmatched. I think perhaps s/illegal/invalid/ in the next few lines after the above patch and this may be licked :-)
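
An added example, not part of the original bug report and not logwatch's own code (logwatch's sshd script is Perl): a minimal Python summariser that accepts both the older "illegal user" wording and the openssh-3.9p1 "invalid user" wording, so the lines quoted above are counted instead of falling into unmatched entries. The function names, the choice to count only the "Failed ..." line per attempt, and the handling of user names containing spaces are assumptions of this sketch.

```python
import re
from collections import Counter

# Older sshd logged "illegal user"; openssh-3.9p1 logs "invalid user". Accept both.
# The user name is attacker-controlled and may contain spaces or " from ", so it
# is matched greedily and the fixed tail of the line is anchored at the end.
FAILED = re.compile(
    r"^Failed (\S+) for (?:invalid|illegal) user (.*) from (\S+) port \d+(?: \S+)?$")
# Lines describing the same attempt as a FAILED line: recognised, not counted.
SAME_ATTEMPT = (
    re.compile(r"^(?:Invalid|Illegal) user .* from \S+$"),
    re.compile(r"^input_userauth_request: (?:invalid|illegal) user .*$"),
)

def summarise(lines):
    """Return (Counter keyed 'user/method from host', list of unmatched lines)."""
    illegal, unmatched = Counter(), []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        m = FAILED.match(line)
        if m:
            method, user, host = m.groups()
            illegal[f"{user}/{method} from {host}"] += 1
        elif not any(p.match(line) for p in SAME_ATTEMPT):
            unmatched.append(line)
    return illegal, unmatched

def report(illegal, unmatched):
    """Format the summary in the style of the report's expected output."""
    out = ["Illegal users from these:"]
    out += [f"   {key}: {n} Time(s)" for key, n in sorted(illegal.items())]
    if unmatched:
        out += ["", "**Unmatched Entries**"] + unmatched
    return "\n".join(out)

# Message text only (syslog prefix assumed already stripped). The first seven
# lines are the sample from the comment above; the last line is constructed.
SAMPLE = """\
Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2
Connection reset by peer while reading banner (constructed line)
""".splitlines()

if __name__ == "__main__":
    print(report(*summarise(SAMPLE)))
```
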
Created attachment 152989 [details]
Extended patch

It's been working for me since my previous message
*** Bug 204110 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
I get way too many of these unmatched triplets in 5.1; updating to scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround:

Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2
Invalid user ns from ::ffff:219.94.147.174
input_userauth_request: invalid user ns
Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2
Invalid user nameserver from ::ffff:219.94.147.174
input_userauth_request: invalid user nameserver
Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2
Invalid user hosting from ::ffff:219.94.147.174
input_userauth_request: invalid user hosting
Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with the CVS HEAD is:

pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s)
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0750.html