Last active: September 10, 2016 12:47
List of common rules I'm supplementing to Debian/Ubuntu logcheck installations that suppress issues that arise with publicly available services that people try to exploit.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-apt: Invoked with dpkg_options=force-confdef,force-confold upgrade=dist force=False package=None purge=False state=present update_cache=True default_release=None install_recommends=True deb=None cache_valid_time=None$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-lineinfile: .*dest=/etc/logcheck/ignore.d.server/local.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-setup: Invoked with filter=\* fact_path=/etc/ansible/facts.d$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ avahi-daemon\[[[:digit:]]+\]: server\.c: Packet too short or invalid while reading response record. \(Maybe a UTF-8 problem\?\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: GLib-CRITICAL: Source ID [[:digit:]]+ was not found when attempting to remove it$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: \(process:[[:digit:]]+\): GLib-CRITICAL \*\*: g_slice_set_config: assertion .sys_page_size == 0. failed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: console-kit-daemon\[[[:digit:]]+\]: GLib-CRITICAL: Source ID [[:digit:]]+ was not found when attempting to remove it$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: missing action$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\(towo\): Disconnected for inactivity in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\(towo\): Disconnected: Logged out in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: DON'T PANIC! Read http://www.clamav.net/support/faq$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Local version: [.[:digit:]]+ Recommended version: [.[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Your ClamAV installation is OUTDATED!$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: bytecode.cld is up to date \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [[:alnum:]]+\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [.[:digit:]]+:?.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ::ffff:[\.0-9]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alpha:]]+,ssh-connection\) -> \([[:alpha:]]+,ssh-connection\) \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: bad client public DH value \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM service(sshd) ignoring max retries; [[:digit:]]+ > [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: Goodbye \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: PECL/ssh2 \(http://pecl.php.net/packages/ssh2\) \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [\.0-9]+: 11: Bye Bye \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+:3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.[:digit:]]{4,15} port [[:digit:]]+: no matching host key type found. Their offer: [-,[:alnum:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client [,-@.[:alnum:]]+ server [,-.@[:alnum:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user towo$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (New|Removed) session [[:digit:]]+( of user [[:alpha:]]+)?.$
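Added example, not part of the gist: replays constructed syslog lines through two of the sshd rules above the way logcheck applies an ignore file (egrep -v -f), so you can see which lines get dropped and which still get mailed. It assumes GNU grep as on Debian/Ubuntu (the rules use the GNU \w extension); hostnames, PIDs and addresses in the log lines are made up.

```shell
#!/bin/sh
# Added example (not from the gist): test logcheck ignore rules against sample log lines
# exactly as logcheck does it: grep -E -v -f <ignore file>. Assumes GNU grep.

RULES=$(mktemp)
LOGS=$(mktemp)
trap 'rm -f "$RULES" "$LOGS"' EXIT

# Two rules copied verbatim from the ignore file above (sshd brute-force noise).
cat >"$RULES" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [\.0-9]+: 11: Bye Bye \[preauth\]$
EOF

# Constructed log lines (hostname, PIDs, addresses and user are made up).
# Line 4 mimics newer OpenSSH, which appends "port N" to "Invalid user" messages:
# the $-anchored rule no longer matches it, so logcheck keeps reporting it until
# the rule is updated. Line 3 is a real login and must never be suppressed.
cat >"$LOGS" <<'EOF'
Sep 10 12:47:01 mail sshd[12345]: Invalid user admin from 198.51.100.7
Sep 10 12:47:02 mail sshd[12345]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Sep 10 12:47:05 mail sshd[12350]: Accepted publickey for towo from 203.0.113.9 port 50022 ssh2
Sep 10 12:47:09 mail sshd[12360]: Invalid user root from 198.51.100.8 port 4444
EOF

# Lines some ignore rule matches; logcheck drops these silently.
suppressed() {
    grep -E -f "$RULES" "$LOGS"
}

# Lines no rule matches; these are what logcheck would put in its report.
reported() {
    grep -E -v -f "$RULES" "$LOGS"
}

echo "suppressed:"; suppressed
echo "reported:";   reported
```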
Bit more update with the things that cropped up over the last two years.