diff --git a/security/logcheck/Makefile b/security/logcheck/Makefile index b6581c29b240..4f25c9303239 100644 --- a/security/logcheck/Makefile +++ b/security/logcheck/Makefile @@ -1,110 +1,111 @@ PORTNAME= logcheck DISTVERSION= 1.4.6 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= DEBIAN_POOL DISTNAME= ${PORTNAME}_${PORTVERSION} MAINTAINER= yasu@FreeBSD.org COMMENT= Auditing tool for system logs on Unix boxes WWW= https://salsa.debian.org/debian/logcheck LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/LICENSE BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man RUN_DEPENDS= bash:shells/bash \ lockfile-create:sysutils/lockfile-progs \ mime-construct:mail/mime-construct # Enable Perl dependency for logtail script USES= perl5 shebangfix tar:xz SHEBANG_FILES= src/detectrotate/*.dtr src/logcheck src/logtail src/logtail2 BINMODE= 755 SUB_FILES= pkg-deinstall pkg-install pkg-message SUB_LIST+= CRON=${PORT_OPTIONS:MCRON} \ DBDIR=${DBDIR} \ LOGCHECK_GROUP=${LOGCHECK_GROUP} \ LOGCHECK_USER=${LOGCHECK_USER} WRKSRC= ${WRKDIR}/${PORTNAME} USERS= ${LOGCHECK_USER} GROUPS= ${LOGCHECK_GROUP} PLIST_SUB+= CHGRP=${CHGRP} \ CHMOD=${CHMOD} \ DBDIR=${DBDIR} \ FIND=${FIND} \ LOGCHECK_GROUP=${LOGCHECK_GROUP} \ LOGCHECK_USER=${LOGCHECK_USER} \ RUNDIR=${RUNDIR} PORTDOCS= ${DOCS:T} OPTIONS_DEFINE= CRON DOCS EXAMPLES OPTIONS_DEFAULT= CRON CRON_DESC= Install cron script automatically # None. portlint compliance BASEDIR?= CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \ ignore.d.workstation violations.d violations.ignore.d DBDIR= ${BASEDIR}/var/db/${PORTNAME} DOCS= AUTHORS CHANGES CREDITS TODO docs/README* LOGCHECK_GROUP= ${LOGCHECK_USER} LOGCHECK_USER= logcheck MAN1_FILES= logcheck-test.1 MAN8_FILES= logcheck.8 logtail.8 logtail2.8 REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \ docs/logtail2.8 docs/README.logcheck \ docs/README.logcheck-database docs/README.logtail \ etc/logcheck.conf etc/logcheck.logfiles src/logcheck \ src/logtail2 RUNDIR= ${BASEDIR}/var/run/${PORTNAME} .include do-build: .for file in ${REINPLACE_FILES} ${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file} .endfor docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8 ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete do-install: @${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \ ${STAGEDIR}${DBDIR} \ ${STAGEDIR}${ETCDIR} \ ${STAGEDIR}${ETCDIR}/logcheck.logfiles.d \ ${STAGEDIR}${RUNDIR} ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin ${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf \ ${STAGEDIR}${ETCDIR}/logcheck.conf.sample ${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles \ ${STAGEDIR}${ETCDIR}/ ${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles.d/syslog.logfiles \ ${STAGEDIR}${ETCDIR}/logcheck.logfiles.d/syslog.logfiles.sample .for i in ${CONFIG_DIRS} @${MKDIR} ${STAGEDIR}${ETCDIR}/${i} ${INSTALL_DATA} ${WRKSRC}/rulefiles/linux/${i}/* \ ${STAGEDIR}${ETCDIR}/${i} .endfor ${INSTALL_DATA} ${WRKSRC}/src/detectrotate/*.dtr \ ${STAGEDIR}${DATADIR}/detectrotate .for i in ${MAN1_FILES} ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${PREFIX}/share/man/man1 .endfor .for i in ${MAN8_FILES} ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${PREFIX}/share/man/man8 .endfor do-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR} do-install-EXAMPLES-on: @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} ${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d \ ${STAGEDIR}${EXAMPLESDIR}/crontab.in .include diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_ssh b/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_ssh new file mode 100644 index 000000000000..6b8987a2c2fc --- /dev/null +++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.paranoid_ssh @@ -0,0 +1,10 @@ +--- rulefiles/linux/ignore.d.paranoid/ssh.orig 2025-08-06 20:24:39 UTC ++++ rulefiles/linux/ignore.d.paranoid/ssh +@@ -1,5 +1,5 @@ + # https://sources.debian.org/src/pam/1.5.3-7/modules/pam_unix/pam_unix_sess.c/#L100 +-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_[[:alnum:]]+\(sshd?:session\): session opened for user [^[:space:]]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$ ++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: pam_[[:alnum:]]+\(sshd?:session\): session opened for user [^[:space:]]+\(uid=[0-9]+\) by \(uid=[0-9]+\)$ + + # https://sources.debian.org/src/pam/1.5.3-7/modules/pam_unix/pam_unix_sess.c/#L130 +-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_[[:alnum:]]+\(sshd?:session\): session closed for user [^[:space:]]+$ ++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)\[[0-9]+\]: pam_[[:alnum:]]+\(sshd?:session\): session closed for user [^[:space:]]+$ diff --git a/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_ssh b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_ssh new file mode 100644 index 000000000000..ce4fbbc0d9f5 --- /dev/null +++ b/security/logcheck/files/patch-rulefiles_linux_ignore.d.server_ssh @@ -0,0 +1,147 @@ +--- rulefiles/linux/ignore.d.server/ssh.orig 2025-08-06 20:24:39 UTC ++++ rulefiles/linux/ignore.d.server/ssh +@@ -2,108 +2,108 @@ + # gssapi-keyex is added by https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/gssapi.patch -- this may be moved to a different package in future! + # sshd_config(5) lists: gssapi-with-mic,hostbased, keyboard-interactive, none, password, publickey + +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [.:[:xdigit:]]+ port [[:digit:]]+ ssh2(: (RSA|ECDSA|ED25519) (SHA256:[0-9a-zA-Z+/=]{43}|(MD5:)?([[:xdigit:]]{2}:){15}[[:xdigit:]]{2}))?$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [.:[:xdigit:]]+ port [[:digit:]]+ ssh2(: (RSA|ECDSA|ED25519) (SHA256:[0-9a-zA-Z+/=]{43}|(MD5:)?([[:xdigit:]]{2}:){15}[[:xdigit:]]{2}))?$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/gss-serv-krb5.c#L103 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$ + + # possibly https://salsa.debian.org/ssh-team/openssh/-/blob/master/packet.c#L1985 and #L1508 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Bad packet length [[:digit:]]+\.$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Disconnecting: Bad packet length [[:digit:]]+\.$ + # # possibly https://salsa.debian.org/ssh-team/openssh/-/blob/master/packet.c#L1586 (via #L1985) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Corrupted MAC on input\.$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Disconnecting: Corrupted MAC on input\.$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/packet.c#L1735 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:xdigit:]]+ port [[:digit:]]+:[[:digit:]]+: .+$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Received disconnect from [.:[:xdigit:]]+ port [[:digit:]]+:[[:digit:]]+: .+$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/packet.c#1912 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from ((invalid|authenticating) )?(user [^[:space:]]+ )?[.:[:xdigit:]]+ port [[:digit:]]+( \[preauth\])?$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Disconnected from ((invalid|authenticating) )?(user [^[:space:]]+ )?[.:[:xdigit:]]+ port [[:digit:]]+( \[preauth\])?$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/packet.c#1905 and 1906 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by ((invalid|authenticating) )?(user [^[:space:]]+ )?[.:[:xdigit:]]+ port [[:digit:]]+( \[preauth\])?$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Connection (closed|reset) by ((invalid|authenticating) )?(user [^[:space:]]+ )?[.:[:xdigit:]]+ port [[:digit:]]+( \[preauth\])?$ + ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Server listening on [.:[:xdigit:]]+ port [[:digit:]]+\.$ + + ## packet.c#1927 (logdie("Unable to negotiate with %s: %s. "...)) + # offer is something like diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 or ecdsa-sha2-nistp256-cert-v01@openssh.com +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Unable to negotiate with [.:[:xdigit:]]+ port [[:digit:]]+: no matching (key exchange|host key) method found\. Their offer: [[:alnum:]@.,-]+ \[preauth\]$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Unable to negotiate with [.:[:xdigit:]]+ port [[:digit:]]+: no matching (key exchange|host key) method found\. Their offer: [[:alnum:]@.,-]+ \[preauth\]$ + + # packet.c#L133 (message is at ssherr.c#L87) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from user [^[:space:]]+ [.:[:xdigit:]]+ port [[:digit:]]+: message authentication code incorrect$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from user [^[:space:]]+ [.:[:xdigit:]]+ port [[:digit:]]+: message authentication code incorrect$ + + # possibly https://salsa.debian.org/ssh-team/openssh/-/blob/master/auth.c#L344 (via packet.c#L1985) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for [^[:space:]]* \[preauth\]$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for [^[:space:]]* \[preauth\]$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/auth.c#L290-297 + # 'invalid user' and UNKNOWN can be returned by ssh_remote_ipaddr() - see packet.c +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (invalid user )?[^[:space:]]+ from ([.:[:xdigit:]]+|UNKNOWN) port [[:digit:]]+ ssh2$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (invalid user )?[^[:space:]]+ from ([.:[:xdigit:]]+|UNKNOWN) port [[:digit:]]+ ssh2$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/auth.c#L494 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [^[:space:]]+ from ([.:[:xdigit:]]+|UNKNOWN) port [[:digit:]]+$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Invalid user [^[:space:]]+ from ([.:[:xdigit:]]+|UNKNOWN) port [[:digit:]]+$ + + # auth.c #L286 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive(/pam)? for (invalid user )?[^[:space:]]+ from [.:[:xdigit:]]+ port [[:digit:]]+ ssh2( \[preauth\])?$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Postponed keyboard-interactive(/pam)? for (invalid user )?[^[:space:]]+ from [.:[:xdigit:]]+ port [[:digit:]]+ ssh2( \[preauth\])?$ + + # not found in code? +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user [^[:space:]]+ \[preauth\]$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: input_userauth_request: invalid user [^[:space:]]+ \[preauth\]$ + + # https://salsa.debian.org/ssh-team/openssh/-/blob/master/auth.c#L157-158 and #L185-186 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [^[:space:]]+ from [-_.[:alnum:]]+ not allowed because (listed in Deny|not listed in Allow)Users$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: User [^[:space:]]+ from [-_.[:alnum:]]+ not allowed because (listed in Deny|not listed in Allow)Users$ + + #https://salsa.debian.org/ssh-team/openssh/-/blob/master/auth.c#L208-209 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [^[:space:]]+ from [-_.[:alnum:]]+ not allowed because none of user's groups are listed in AllowGroups$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: User [^[:space:]]+ from [-_.[:alnum:]]+ not allowed because none of user's groups are listed in AllowGroups$ + + #' https://salsa.debian.org/ssh-team/openssh/-/blob/master/auth.c#L195-196 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [^[:space:]]+ from [-_.[:alnum:]]+ not allowed because a group is listed in DenyGroups$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: User [^[:space:]]+ from [-_.[:alnum:]]+ not allowed because a group is listed in DenyGroups$ + + # not found - auth_pam.c#L397 is close (but wont match without a ":" after "PAM") +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM pam_putenv: delete non-existent entry; [[:alnum:]]+$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: PAM pam_putenv: delete non-existent entry; [[:alnum:]]+$ + + # canohost.c#L85 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Nasty PTR record "[.:[:xdigit:]]+" is set up for [.:[:xdigit:]]+, ignoring$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: Nasty PTR record "[.:[:xdigit:]]+" is set up for [.:[:xdigit:]]+, ignoring$ + + # possibly from auth-shadow.c#L96? think you would want to know if this was happening +-#^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$ ++#^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$ + + # sshd.c#L380 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Timeout before authentication for [.:[:xdigit:]]+ port [[:digit:]]+$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: fatal: Timeout before authentication for [.:[:xdigit:]]+ port [[:digit:]]+$ + + # sshd.c#L977 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$ + + # eg from auth2-pubkey.c#L291 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: userauth_pubkey: send packet: Connection reset by peer \[preauth\]$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: fatal: userauth_pubkey: send packet: Connection reset by peer \[preauth\]$ + + # kex.c#1630 (verbose_f("Connection closed by remote host")) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: Connection closed by remote host$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: error: kex_exchange_identification: Connection closed by remote host$ + +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: read: Connection reset by peer$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: error: kex_exchange_identification: read: Connection reset by peer$ + + # kex.c#L1672 (verbose_f("client sent invalid protocol identifier "...)) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: client sent invalid protocol identifier ".+"$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: error: kex_exchange_identification: client sent invalid protocol identifier ".+"$ + + # sshconnect.c#L1585 (sshpkt_fatal(ssh, r, "banner exchange")) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange: Connection from [.:[:xdigit:]]+ port [[:digit:]]+: invalid format$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: banner exchange: Connection from [.:[:xdigit:]]+ port [[:digit:]]+: invalid format$ + + # kex.c#L1646-1647 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: banner line contains invalid characters$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: error: kex_exchange_identification: banner line contains invalid characters$ + + # kex.c#L1720 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Protocol major versions differ: 2 vs\. 1$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: error: Protocol major versions differ: 2 vs\. 1$ + + # ssherr.c#L101 (SSH_ERR_NO_PROTOCOL_VERSION) +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange: Connection from [.:[:xdigit:]]+ port [[:digit:]]+: could not read protocol version$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: banner exchange: Connection from [.:[:xdigit:]]+ port [[:digit:]]+: could not read protocol version$ + + # subsystem.c#L1964 +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$ + + # loginrec.c#L1439 --- you would want this message reported? +-#^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: syslogin_perform_logout: logout\(\) returned an error$ ++#^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: syslogin_perform_logout: logout\(\) returned an error$ + + # not sure where this is from +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: refused connect from [:[:alnum:]._-]+ \([:[:alnum:].]+\)$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: refused connect from [:[:alnum:]._-]+ \([:[:alnum:].]+\)$ + + # unclear if this is still generated +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [[:digit:]]+ attempt\(s\))$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [[:digit:]]+ attempt\(s\))$ + + # tcp wrappers - not sure what generates these, or if they are up-to-date +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: /etc/hosts\.(allow|deny), line [[:digit:]]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$ +-^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: /etc/hosts\.(allow|deny), line [[:digit:]]+: host name/(name|address) mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: warning: /etc/hosts\.(allow|deny), line [[:digit:]]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$ ++^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd(-session)?\[[[:digit:]]+\]: warning: /etc/hosts\.(allow|deny), line [[:digit:]]+: host name/(name|address) mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$