diff options
author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2023-08-25 14:03:28 +0200 |
---|---|---|
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2023-08-25 14:03:28 +0200 |
commit | 89cf21d6706a178cb5299b0b064b804a9c4029b4 (patch) | |
tree | 510b93fd8aebd4691bbfd3ee5c3bb66bffc00cb7 /files | |
parent | 7eced3ce194ff05039e78d8db80f04dd1406ebe6 (diff) |
update rules
Diffstat (limited to 'files')
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-exim | 2 | ||||
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-nftables | 2 | ||||
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-rsyslog | 2 | ||||
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-ssh | 1 |
4 files changed, 4 insertions, 3 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-exim b/files/etc/logcheck/ignore.d.server/local-exim index 7bfcc6f..808b2c2 100644 --- a/files/etc/logcheck/ignore.d.server/local-exim +++ b/files/etc/logcheck/ignore.d.server/local-exim @@ -70,7 +70,7 @@ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? Connection from \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ refused: too many connections from that IP address$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? (dovecot_login|dovecot_plain) authenticator failed for ([^[:space:]]+|\([^[:space:]]+\)|[^[:space:]]+ \([^[:space:]]+\)) \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+: 535 Incorrect authentication data( \(set_id=[[:alnum:]_@.-]+\))?$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? End queue run: pid=[[:digit:]]+$ -^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? exim [[:digit:].]+ daemon started: pid=[[:digit:].]+, -q30m, listening for SMTP on port 25 \(IPv6 and IPv4\) port 587 \(IPv6 and IPv4\) and for SMTPS on port 465 \(IPv6 and IPv4\)$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? exim [[:digit:].]+ daemon started: pid=[[:digit:].]+, -q30m, listening for SMTP on port 25 \(IPv6 and IPv4\)( port 587 \(IPv6 and IPv4\))?( and for SMTPS on port 465 \(IPv6 and IPv4\))?$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=([^[:space:]]+|\([^[:space:]]+\)|[^[:space:]]+ \([^[:space:]]+\)) \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(connection lost\) from <[^[:space:]]+>( for .*)?$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=([^[:space:]]+|\([^[:space:]]+\)|[^[:space:]]+ \([^[:space:]]+\)) \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(QUIT\) from <[^[:space:]]+>$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ exim\[[[:digit:]]+\]:( \[1[\\/][[:digit:]]+\])?( [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]:.]+ \[[[:digit:]]+\])? H=([^[:space:]]+|\([^[:space:]]+\)|[^[:space:]]+ \([^[:space:]]+\)) \[[[:xdigit:].:]+\]:[[:digit:]]+ I=\[[[:xdigit:].:]+\]:[[:digit:]]+ incomplete transaction \(RSET\) from <[^[:space:]]+>( for [^[:space:]]+)?$ diff --git a/files/etc/logcheck/ignore.d.server/local-nftables b/files/etc/logcheck/ignore.d.server/local-nftables index 9753919..8a2a1c4 100644 --- a/files/etc/logcheck/ignore.d.server/local-nftables +++ b/files/etc/logcheck/ignore.d.server/local-nftables @@ -1,5 +1,5 @@ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Bruteforce attack: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:digit:]]+ (CWR )?(ECE )?(SYN|ACK|RST)+ (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Blackholing: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:digit:]]+ (CWR )?(ECE )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal incoming traffic: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(URG )?(SYN|ACK|RST)+ (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$ -^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal forwarding traffic: IN=[[:alnum:].]+ OUT=[[:alnum:].-]+ MACSRC=[[:xdigit:]:]* MACDST=[[:xdigit:]:]* MACPROTO=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+( SEQ=[[:digit:]]+ ACK=[[:digit:]]+)? (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(URG )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)( OPT \([[:xdigit:]]+\))?$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal forwarding traffic: IN=[[:alnum:].]+ OUT=[[:alnum:].-]+ MACSRC=[[:xdigit:]:]* MACDST=[[:xdigit:]:]* MACPROTO=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+( SEQ=[[:digit:]]+ ACK=[[:digit:]]+)? (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR |ECE |URG |SYN |ACK |PSH |FIN |RST )*URGP=[[:digit:]]+|LEN=[[:digit:]]+)( OPT \([[:xdigit:]]+\))?$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal forwarding traffic: IN=[[:alnum:].]+ OUT=[[:alnum:].-]+ MACSRC=[[:xdigit:]:]* MACDST=[[:xdigit:]:]* MACPROTO=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=ICMPv6 TYPE=128 CODE=0 ID=[[:digit:]]+ SEQ=[[:digit:]]+$ diff --git a/files/etc/logcheck/ignore.d.server/local-rsyslog b/files/etc/logcheck/ignore.d.server/local-rsyslog index 984ba58..0a29d5d 100644 --- a/files/etc/logcheck/ignore.d.server/local-rsyslog +++ b/files/etc/logcheck/ignore.d.server/local-rsyslog @@ -1 +1 @@ -^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[[:digit:].]+" x-pid="[[:digit:]]+" x-info="https://www.rsyslog.com"\] rsyslogd was HUPed$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd:[[:space:]]+\[origin software="rsyslogd" swVersion="[[:digit:].]+" x-pid="[[:digit:]]+" x-info="https://www.rsyslog.com"\] rsyslogd was HUPed$ diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh index a1d5bf1..61167ff 100644 --- a/files/etc/logcheck/ignore.d.server/local-ssh +++ b/files/etc/logcheck/ignore.d.server/local-ssh @@ -85,6 +85,7 @@ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: userauth_finish: (Connection reset by peer|Broken pipe) \[preauth\]$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: (Connection reset by peer|Broken pipe) \[preauth\]$ +^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Timeout before authentication for [[:xdigit:]:.]+ port [[:digit:]]+$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user [[:alnum:][:space:].:+-]+\[preauth\]$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [[:alnum:][:space:][:digit:][:punct:]]* from [:.[:xdigit:]]+ port [[:digit:]]+$ |