Hi,

Thank you for creating the filter rules for dropbear.

I do not run Debian 'testing' so in order to test I have applied the rules on a machine installed with Debian 'squeeze'. As follows:

~# wget 'http://ftp.uk.debian.org/debian/pool/main/l/logcheck/logcheck_1.3.15.tar.gz'
~# tar xzf logcheck_1.3.15.tar.gz logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear
~# cp logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear /etc/logcheck/ignore.d.server/

For reference, Debian 'squeeze' has Logwatch 7.3.6 and Dropbear v0.52, and the stock install of Dropbear uses /var/log/auth.log

With the new rules installed as above, the "System Events" email for *successful* logins is now inhibited, i.e. desired behaviour - thanks.

However, I think the expectation is that *failed* logins should generate a "Security Events" email and not a "System Events" email. Here is the text of such a login failure:

///
This email is sent by logcheck. If you no longer wish to receive such mail, you can either deinstall the logcheck package or modify its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:29 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407
///

Just to note: It is possible that the latest Logwatch version does treat this as a Security Event and my method of back-porting the ruleset is insufficient to capture that - my apologies if that is the case.

On Sat, Jun 30, 2012 at 04:39:25PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the logcheck-database package:
>
> #652148: Please add rules for dropbear
>
> It has been closed by Hannes von Haugwitz <han...@vonhaugwitz.com>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hannes von Haugwitz
> <han...@vonhaugwitz.com> by replying to this email.
>
> --
> 652148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652148
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
> Date: Sat, 30 Jun 2012 16:38:37 +0000
> From: Hannes von Haugwitz <han...@vonhaugwitz.com>
> To: 652148-cl...@bugs.debian.org
> Subject: Bug#652148: fixed in logcheck 1.3.15
>
> Source: logcheck
> Source-Version: 1.3.15
>
> We believe that the bug you reported is fixed in the latest version of
> logcheck, which is due to be installed in the Debian FTP archive:
>
> logcheck-database_1.3.15_all.deb
>   to main/l/logcheck/logcheck-database_1.3.15_all.deb
> logcheck_1.3.15.dsc
>   to main/l/logcheck/logcheck_1.3.15.dsc
> logcheck_1.3.15.tar.gz
>   to main/l/logcheck/logcheck_1.3.15.tar.gz
> logcheck_1.3.15_all.deb
>   to main/l/logcheck/logcheck_1.3.15_all.deb
> logtail_1.3.15_all.deb
>   to main/l/logcheck/logtail_1.3.15_all.deb
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to 652...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Hannes von Haugwitz <han...@vonhaugwitz.com> (supplier of updated logcheck package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@debian.org)
>
> Format: 1.8
> Date: Sat, 30 Jun 2012 16:24:49 +0200
> Source: logcheck
> Binary: logcheck logcheck-database logtail
> Architecture: source all
> Version: 1.3.15
> Distribution: unstable
> Urgency: low
> Maintainer: Debian logcheck Team <logcheck-de...@lists.alioth.debian.org>
> Changed-By: Hannes von Haugwitz <han...@vonhaugwitz.com>
> Description:
>  logcheck - mails anomalies in the system logfiles to the administrator
>  logcheck-database - database of system log rules for the use of log checkers
>  logtail - Print log file lines that have not been read (deprecated)
> Closes: 647622 647943 652148
> Changes:
>  logcheck (1.3.15) unstable; urgency=low
>  .
>    [ Hannes von Haugwitz ]
>    * ignore.d.server/dropbear: new
>      - ignore successful logins (closes: #652148)
>    * src/logcheck:
>      - fixed broken '-t' option, thanks to Jon Daley (closes: #647622, LP: #1010431)
>    * debian/control:
>      - bumped to Standards-Version 3.9.3 (no changes necessary)
>      - adjusted URLs of Vcs-* fields
>    * debian/copyright:
>      - updated copyright year to 2012
>  .
>    [ Frédéric Brière ]
>    * ignore.d.server/postfix:
>      - ignore "offered null AUTH mechanism list"
>      - ignore "lost connection while receiving the initial server greeting"
>      - fixed "lost connection while sending end of data" rule
>    * ignore.d.server/proftpd:
>      - ignore "authentication failure" even if ruser is provided
>    * ignore.d.server/ssh:
>      - ignore "PAM $n more authentication failures"
>      - ignore "Too many authentication failures"
>      - ignore "Closed due to user request." (closes: #647943)
>      - ignore "Bye Bye"
>      - ignore "Connection closed"
>      - ignore yet one more variation of "invalid user"
>      - updated "Postponed ..." rule with "[preauth]" suffix
>      - updated "Postponed ..." rule with "invalid user"
>    * ignore.d.workstation/libmtp-runtime:
>      - ignore mtp-probe messages when plugging a non-MTP device
>    * ignore.d.workstation/kernel:
>      - ignore "No Caching mode page present"
>      - ignore "usb-storage: Quirks match"
>      - ignore "sensor detected" for various GSPCA webcams
>      - updated FAT messages to new fat_msg() format
>      - updated "new USB device" message to new usb_speed_string() format
>      - updated bttv messages to new prefix
>
> Date: Thu, 15 Dec 2011 09:19:26 +0000
> From: debian-b...@nospam.pz.podzone.net
> To: sub...@bugs.debian.org
> Subject: Please add rules for dropbear
>
> Package: logcheck
> Version: 1.2.69
>
> "dropbear" is a lightweight ssh server which can be installed in place
> of openssh-server. Log entries for dropbear are not currently
> filtered by logcheck resulting in a "System Events" email for each and
> every ssh login as below:
>
>
> This email is sent by logcheck. If you no longer wish to receive
> such mails, you can either deinstall the logcheck package or modify
> its configuration file (/etc/logcheck/logcheck.conf).
>
> System Events
> =-=-=-=-=-=-=
> Dec 15 07:48:24 captain dropbear[20011]: Child connection from
> ::ffff:82.125.214.201:55874
> Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user'
> with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from
> +::ffff:82.125.214.201:55874
> Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited
> normally
>
>
> The above is from an install of logcheck 1.2.69 and dropbear 0.51-1 on
> an installation of lenny. I have looked at the package files in
> wheezy for logcheck (1.3.14) and it appears dropbear remains
> unaccounted for (although note that dropbear is now at 0.52).
>
> I have not yet attempted to create a ruleset to filter the above
> however if a fix is proposed then I will happily test it.
>
> Thanks.
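As an added example that is not part of this thread or of the logcheck package: a simplified shell re-creation of logcheck's rule layering (violations.d is consulted before ignore.d, and whatever neither matches becomes a "System Events" line) run over the dropbear messages quoted above. The two rule files are my own assumed regexes, not the contents of logcheck 1.3.15's ignore.d.server/dropbear, and the log lines are constructed from the formats in the two reports; the point it shows is that a failed login only reaches "Security Events" if a violations rule exists for it, and that the ignore rules are anchored tightly enough not to swallow "exit before auth".

```shell
#!/bin/sh
# Added example, not from the bug report or the logcheck package: a
# simplified re-creation of logcheck's layering (violations.d is checked
# before ignore.d) run over the dropbear lines quoted in this thread.
# The regexes are assumed rules, not logcheck 1.3.15's actual dropbear file.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log, using the message formats quoted in the thread.
cat > "$WORK/auth.log" <<'EOF'
Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874
Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from ::ffff:82.125.214.201:55874
Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407
EOF

# Assumed violations.d rules: authentication failures that should land in
# "Security Events" rather than be reported as plain "System Events".
cat > "$WORK/violations" <<'EOF'
^[A-Za-z]{3} [[:digit:] :]{11} [[:alnum:]._-]+ dropbear\[[0-9]+\]: bad password attempt for '[^']+' from [[:xdigit:].:]+:[0-9]+$
^[A-Za-z]{3} [[:digit:] :]{11} [[:alnum:]._-]+ dropbear\[[0-9]+\]: exit before auth \(user '[^']+', [0-9]+ fails\): Max auth tries reached
EOF

# Assumed ignore.d rules: only successful sessions. Each pattern is anchored
# to the exact message so "exit before auth" is never swallowed by accident.
cat > "$WORK/ignore" <<'EOF'
^[A-Za-z]{3} [[:digit:] :]{11} [[:alnum:]._-]+ dropbear\[[0-9]+\]: Child connection from [[:xdigit:].:]+:[0-9]+$
^[A-Za-z]{3} [[:digit:] :]{11} [[:alnum:]._-]+ dropbear\[[0-9]+\]: pubkey auth succeeded for '[^']+' with key md5 ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2} from [[:xdigit:].:]+:[0-9]+$
^[A-Za-z]{3} [[:digit:] :]{11} [[:alnum:]._-]+ dropbear\[[0-9]+\]: exit after auth \([^)]+\): Exited normally$
EOF

# classify LINE -> security | ignored | system
classify() {
    if printf '%s\n' "$1" | grep -E -q -f "$WORK/violations"; then
        echo security
    elif printf '%s\n' "$1" | grep -E -q -f "$WORK/ignore"; then
        echo ignored
    else
        echo system
    fi
}

# Show where each sample line would end up.
while IFS= read -r line; do
    printf '%-8s %s\n' "$(classify "$line")" "$line"
done < "$WORK/auth.log"
```

Delete the violations file and rerun to reproduce the behaviour described in the reply: the two failure lines fall through to "system", which is exactly what the quoted "System Events" mail shows.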