diff --git a/ChangeLog b/ChangeLog index 324b6ec2..20c05944 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,6 +78,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests linux-pam before version 0.99.2.0 (2005) * filter.d/gssftpd - anchored regex at start * filter.d/mysqld-auth.conf - mysql can use syslog + * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian + bug #722970 Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index d44a6325..a74d223e 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -41,6 +41,9 @@ __kernel_prefix = kernel: \[\d+\.\d+\] __hostname = \S+ +# A MD5 hex +# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f +__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or # appearing before the host as per testcases/files/logs/bsd/*. diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 18ac6668..c4deb03a 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -22,9 +22,11 @@ _daemon = sshd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # +# + failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ - ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$ + ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ diff --git a/testcases/files/logs/sshd b/testcases/files/logs/sshd index 75854774..96338220 100644 --- a/testcases/files/logs/sshd +++ b/testcases/files/logs/sshd @@ -85,3 +85,12 @@ Mar 26 04:56:27 angel sshd[9739]: User allena from example.com not allowed becau Feb 7 16:01:07 linux-m899 sshd[5106]: User root from 192.51.100.54 not allowed because a group is listed in DenyGroups # failJSON: { "time": "2005-01-05T11:15:05", "match": true , "host": "10.0.0.40" } Jan 5 11:15:05 NAS sshd[1966]: User root from 10.0.0.40 not allowed because none of user's groups are listed in AllowGroups + +# failJSON: { "time": "2004-09-29T16:28:02", "match": true , "host": "127.0.0.1" } +Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 port 45416 ssh1 + +# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" } +Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: RSA 8c:e3:aa:0f:64:51:02:f7:14:79:89:3f:65:84:7c:30, client user "dan", client host "localhost.localdomain" + +# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" } +Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: DSA 01:c0:79:41:91:31:9a:7d:95:23:91:ac:b1:6d:59:81, client user "dan", client host "localhost.localdomain"