Description of problem:
logwatch is reporting:

--------------------- SSHD Begin ------------------------
Illegal users from:
   undef: 5 times
---------------------- SSHD End -------------------------

when my /var/log/secure has entries such as:

Jan 18 18:21:52 raptor sshd[8024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.edu user=root
Jan 18 18:21:54 raptor sshd[8024]: Failed password for root from 10.132.4.251 port 65274 ssh2
Jan 19 00:22:04 raptor sshd[8025]: Connection closed by 10.132.4.251
Jan 18 18:22:04 raptor sshd[8045]: Invalid user cisco from 10.132.4.251
Jan 19 00:22:04 raptor sshd[8046]: input_userauth_request: invalid user cisco
Jan 18 18:22:04 raptor sshd[8045]: pam_unix(sshd:auth): check pass; user unknown
Jan 18 18:22:04 raptor sshd[8045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.edu
Jan 18 18:22:06 raptor sshd[8045]: Failed password for invalid user cisco from 10.132.4.251 port 51254 ssh2
Jan 19 00:22:16 raptor sshd[8046]: Connection closed by 10.132.4.251
Jan 18 18:22:17 raptor unix_chkpwd[8061]: password check failed for user (root)
Jan 18 18:22:17 raptor sshd[8059]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.edu user=root
Jan 18 18:22:19 raptor sshd[8059]: Failed password for root from 10.132.4.251 port 53225 ssh2
Jan 19 00:22:29 raptor sshd[8060]: Connection closed by 10.132.4.251
Jan 18 18:22:29 raptor sshd[8075]: Invalid user cisco from 10.132.4.251
Jan 19 00:22:29 raptor sshd[8076]: input_userauth_request: invalid user cisco
Jan 18 18:22:29 raptor sshd[8075]: Failed none for invalid user cisco from 10.132.4.251 port 55288 ssh2
Jan 19 00:22:29 raptor sshd[8076]: Connection closed by 10.132.4.251

Version-Release number of selected component (if applicable):
logwatch-7.3.6-71.20110203svn25.fc15.noarch

How reproducible:
every time these invalid users show up in my /var/log/secure

Steps to Reproduce:
1. wait until the invalid users show up in /var/log/secure
2. wait for logwatch to run
3.

Actual results:
see description

Expected results:

--------------------- SSHD Begin ------------------------
Illegal users from:
   10.132.4.251: 5 times
---------------------- SSHD End -------------------------

Additional info:
This still occurs in Fedora 16 as well. The cause is the match to the line:

input_userauth_request: invalid user cisco

In the output you should see both:

Illegal users from:
   undef: 5 times
   10.132.4.251: 5 times

which are reporting the same user but two different messages by sshd.
Created attachment 568280 (Logwatch sshd patch)
Sshd patch against logwatch packaged in F16.
Frank, could you please take a look at the patch if it makes sense to fix it like that?
Jan, I'm not sure that the lines always occur sequentially in the log file. If they don't then $host may not relate to that particular message. My opinion is that we should just suppress the additional message, but again, I'm not sure if there is an issue in older versions of ssh, which may not have generated the full message.
Message "Invalid user %.100s from %.100s" is always followed by "input_userauth_request: invalid user %s" message, but not vice versa. It should be enough to count the number of messages "Invalid user ..." and "input_userauth_request: invalid user ...". If the numbers differ, then the difference will be marked as "undef from".
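The counting rule described in the comment above, worked through in Python as an added example (it is neither logwatch's own Perl code nor the attached patch) over a constructed sample modelled on the /var/log/secure lines quoted in the report. It shows the pre-fix behaviour, where the host-less input_userauth_request line lands under "undef" and inflates the count, beside the corrected rule, where per-host counts come only from "Invalid user ... from ..." and just the surplus of input_userauth_request lines is reported as "undef":

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the bug report (not a
# real capture): two complete "Invalid user" / "input_userauth_request" pairs
# from one host, plus one input_userauth_request line with no partner.
SAMPLE_LOG = """\
Jan 18 18:22:04 raptor sshd[8045]: Invalid user cisco from 10.132.4.251
Jan 19 00:22:04 raptor sshd[8046]: input_userauth_request: invalid user cisco
Jan 18 18:22:06 raptor sshd[8045]: Failed password for invalid user cisco from 10.132.4.251 port 51254 ssh2
Jan 18 18:22:29 raptor sshd[8075]: Invalid user cisco from 10.132.4.251
Jan 19 00:22:29 raptor sshd[8076]: input_userauth_request: invalid user cisco
Jan 19 00:23:10 raptor sshd[8090]: input_userauth_request: invalid user oracle
"""

# "Invalid user <name> from <host>" carries the peer address ...
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (.+) from (\S+)$")
# ... while "input_userauth_request: invalid user <name>" does not.
USERAUTH_REQ_RE = re.compile(r"sshd\[\d+\]: input_userauth_request: invalid user (.+)$")


def count_illegal_users_naive(lines):
    """Treat both message forms as an illegal-user event keyed by host.

    The input_userauth_request line has no host, so every one of them is
    filed under "undef": the double count the report complains about.
    """
    by_host = Counter()
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            by_host[m.group(2)] += 1
            continue
        if USERAUTH_REQ_RE.search(line):
            by_host["undef"] += 1
    return by_host


def count_illegal_users(lines):
    """Count per host from "Invalid user ... from ..." only, count the
    input_userauth_request lines separately, and report only the surplus
    (lines with no matching "Invalid user" message) as "undef".
    """
    by_host = Counter()
    userauth_requests = 0
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            by_host[m.group(2)] += 1
            continue
        if USERAUTH_REQ_RE.search(line):
            userauth_requests += 1
    unmatched = userauth_requests - sum(by_host.values())
    if unmatched > 0:
        by_host["undef"] = unmatched
    return by_host


def format_report(by_host):
    """Render the counts in the layout of logwatch's SSHD section."""
    out = ["Illegal users from:"]
    for host, n in sorted(by_host.items()):
        out.append(f"   {host}: {n} time{'s' if n != 1 else ''}")
    return "\n".join(out)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("before fix:\n" + format_report(count_illegal_users_naive(lines)))
    print("after fix:\n" + format_report(count_illegal_users(lines)))
```

The corrected rule deliberately does not try to pair lines by position, which is the concern raised about $host above: it only relies on the ordering guarantee stated in the comment (every "Invalid user" message is followed by an input_userauth_request message, not the reverse), so the surplus is exactly the number of input_userauth_request lines whose host is genuinely unknown.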
Created attachment 580744 (Logwatch sshd patch)
Another try to patch this. This patch should be behaving correctly in all possibilities.
logwatch-7.4.0-11.20120229svn100.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/logwatch-7.4.0-11.20120229svn100.fc17
logwatch-7.4.0-12.20120229svn100.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/logwatch-7.4.0-12.20120229svn100.fc16
Package logwatch-7.4.0-12.20120229svn100.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logwatch-7.4.0-12.20120229svn100.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7541/logwatch-7.4.0-12.20120229svn100.fc16
then log in and leave karma (feedback).
logwatch-7.4.0-12.20120229svn100.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
logwatch-7.4.0-11.20120229svn100.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.