From 1eeb6e94bd2965258e1bb3569406f712315dc333 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 29 Sep 2013 17:28:33 +1000
Subject: [PATCH 1/4] BF: fix regex for openssh-6.3

---
 config/filter.d/sshd.conf | 5 ++++-
 testcases/files/logs/sshd | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 18ac6668..17760c33 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -22,9 +22,12 @@ _daemon = sshd
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
+#
+md5hex = [\da-f]{2}:){15}[\da-f]{2}
+
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
 ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
- ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$
+ ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ (serial \d+) CA )?\S+ (%(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
 ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
diff --git a/testcases/files/logs/sshd b/testcases/files/logs/sshd
index 75854774..96338220 100644
--- a/testcases/files/logs/sshd
+++ b/testcases/files/logs/sshd
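Review bot: The `md5hex` value added here, `[\da-f]{2}:){15}[\da-f]{2}`, is not a valid regex on its own — its opening `(` lives in the failregex at `\S+ (%(md5hex)s`, so the two only balance once they are spliced together, which is fragile and breaks the moment the setting is reused anywhere else; I would move the paren into the definition, `md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}`, and drop the stray one from the failregex. On the same added line `(serial \d+)` is a regex group, not the literal parentheses sshd prints around the serial, so the certificate branch cannot match a real log line. The sample log added with this commit exercises only the `hostbased` fingerprint form; a `# failJSON` line for the `ruser` and certificate alternatives would have caught both slips. The failregex list continues beyond the last hunk line.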
@@ -85,3 +85,12 @@ Mar 26 04:56:27 angel sshd[9739]: User allena from example.com not allowed becau
 Feb 7 16:01:07 linux-m899 sshd[5106]: User root from 192.51.100.54 not allowed because a group is listed in DenyGroups
 # failJSON: { "time": "2005-01-05T11:15:05", "match": true , "host": "10.0.0.40" }
 Jan 5 11:15:05 NAS sshd[1966]: User root from 10.0.0.40 not allowed because none of user's groups are listed in AllowGroups
+
+# failJSON: { "time": "2004-09-29T16:28:02", "match": true , "host": "127.0.0.1" }
+Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 port 45416 ssh1
+
+# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" }
+Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: RSA 8c:e3:aa:0f:64:51:02:f7:14:79:89:3f:65:84:7c:30, client user "dan", client host "localhost.localdomain"
+
+# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" }
+Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: DSA 01:c0:79:41:91:31:9a:7d:95:23:91:ac:b1:6d:59:81, client user "dan", client host "localhost.localdomain"

From 2ad26682a9ddc1f9b5774b1db253e6d57bd7851c Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 29 Sep 2013 17:31:49 +1000
Subject: [PATCH 2/4] DOC: ChangeLog for filter.d/sshd

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 324b6ec2..e9c785e8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -78,6 +78,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
 linux-pam before version 0.99.2.0 (2005)
 * filter.d/gssftpd - anchored regex at start
 * filter.d/mysqld-auth.conf - mysql can use syslog
+ * filter.d/sshd - regex enhancements to support openssh-6.3
 Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
 * filter.d/exim.conf -- regex hardening and extra failure examples
 in sample logs

From f2ae20a3b889df7d996130fb9aba22aab7eebe6b Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 29 Sep 2013 17:44:45 +1000
Subject: [PATCH 3/4] BF: filter.d/sshd group on md5hex and () for serial needed to be escaped

---
 config/filter.d/sshd.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 17760c33..8b8c660f 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -23,11 +23,11 @@ _daemon = sshd
 # Values: TEXT
 #
 #
-md5hex = [\da-f]{2}:){15}[\da-f]{2}
+md5hex = ([\da-f]{2}:){15}[\da-f]{2}

 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
 ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
- ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ (serial \d+) CA )?\S+ (%(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
+ ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
 ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$

From 778f09debeb49184a532728c340c5cb27b87c598 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 1 Oct 2013 09:03:33 +1000
Subject: [PATCH 4/4] DOC/ENH: __md5hex regex defination to common.conf. Document debian bug #

---
 ChangeLog | 3 ++-
 config/filter.d/common.conf | 3 +++
 config/filter.d/sshd.conf | 3 +--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e9c785e8..20c05944 100644
--- a/ChangeLog
+++ b/ChangeLog
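Review bot: `md5hex` is now a self-contained pattern, but it uses a capturing group `([\da-f]{2}:){15}` while the rest of this failregex list writes its optional and repeated groups non-capturing (`(?:error: PAM: )?`, `(?: port \d*)?`); fail2ban only reads the named `host` group, so the capture is wasted work and the inconsistency invites exactly the paren-counting slip this commit is fixing. I would write `md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}` and make the new `(: (ruser …` tail non-capturing for the same reason. Escaping `\(serial \d+\)` is the right fix for the certificate form, but the sample log still covers only `hostbased`, so nothing exercises that branch; a `# failJSON` line for a certificate failure would pin the escape down.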
@@ -78,7 +78,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
 linux-pam before version 0.99.2.0 (2005)
 * filter.d/gssftpd - anchored regex at start
 * filter.d/mysqld-auth.conf - mysql can use syslog
- * filter.d/sshd - regex enhancements to support openssh-6.3
+ * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
+ bug #722970
 Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
 * filter.d/exim.conf -- regex hardening and extra failure examples
 in sample logs
diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index d44a6325..a74d223e 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -41,6 +41,9 @@ __kernel_prefix = kernel: \[\d+\.\d+\]
 __hostname = \S+
+# A MD5 hex
+# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
+__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
 # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
 # appearing before the host as per testcases/files/logs/bsd/*.
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 8b8c660f..c4deb03a 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
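Review bot: The comment `# A MD5 hex` above the new `__md5hex` setting in common.conf does not say what the value is or where it comes from, which matters for a shared definition other filters will pick up; I would replace it with `# MD5 key fingerprint as sshd logs it: 16 colon-separated lowercase hex octets`. The class is lowercase-only, which matches the sample log lines, but `\d` is broader than the `0-9` those lines show (on a Python 3 text pattern it also admits non-ASCII digits); `[0-9a-f]` would state the intent exactly, though the existing `__kernel_prefix` line uses `\d` too, so either is defensible. Keeping the `EXAMPLES:` value in step with a line in testcases/files/logs/sshd is what makes this definition testable, so it is worth a note saying so.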
@@ -23,11 +23,10 @@ _daemon = sshd
 # Values: TEXT
 #
 #
-md5hex = ([\da-f]{2}:){15}[\da-f]{2}

 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
 ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
- ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
+ ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
 ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
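Review bot: The tail on the `Failed \S+` line is still written with capturing groups (`(: (ruser …|(\S+ ID …)?\S+ %(__md5hex)s(, client user …)?))?`) while every other optional group in this failregex list is `(?:…)` and the shared `__md5hex` it now references is non-capturing; only the named `host` group is read, so I would write it `(?:: (?:ruser .{0,100}|(?:\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(?:, client user ".{0,100}", client host ".{0,100}")?))?\s*$`. This line now depends on `__md5hex` being defined in common.conf, presumably pulled in by the `[INCLUDES] before = common.conf` stanza at the top of sshd.conf, which is outside this hunk — worth confirming, since a missing interpolation would likely stop the whole sshd filter from loading rather than just this pattern. The `.{0,100}` bounds on the client-supplied user and host strings are a sensible guard against pathological backtracking on attacker-chosen input and should stay.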