Gentoo Forums
Logwatch and sshd verbosity
Sedrik
l33t


Joined: 08 Apr 2005
Posts: 655
Location: Uppsala, Sweden

Posted: Mon Sep 12, 2011 7:03 am    Post subject: Logwatch and sshd verbosity

Hi guys, I get the following reports from logwatch

Code:
Login attempted when not in AllowUsers list:
   bin : 1 Time(s)
   ftp : 1 Time(s)
   ldap : 1 Time(s)
   mail : 1 Time(s)
   man : 1 Time(s)
   mysql : 2 Time(s)
   news : 1 Time(s)
   operator : 1 Time(s)
   postmaster : 1 Time(s)
   root : 307 Time(s)
   smmsp : 1 Time(s)
   sshd : 1 Time(s)
   sync : 2 Time(s)

 SFTP subsystem requests: 3 Time(s)

 **Unmatched Entries**
 SSH: Server;Ltype: Version;Remote: 122.155.161.9-34198;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)
 SSH: Server;Ltype: Version;Remote: 220.172.191.31-52060;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)
 SSH: Server;Ltype: Version;Remote: 122.155.161.9-32985;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)
 SSH: Server;Ltype: Version;Remote: 122.155.161.9-55203;Protocol: 2.0;Client: libssh-0.1 : 1 time(s)
...


Now the Unmatched Entries is a long, long list and I was wondering what it means and what I can do to not show it. I have tried playing around with the detail level of logwatch but it shows even on detail=1.

Thanks in advance
_________________
From Gentoo with love
Quincy
Apprentice


Joined: 02 Jun 2005
Posts: 201
Location: Germany

Posted: Tue Dec 06, 2011 1:36 am    Post subject:

I think logwatch will report every unmatched entry regardless of the detail level.
Perhaps you should have a look in the filter sets in /usr/share/logwatch/scripts/services/ or perhaps a newer version of logwatch already covers your unmatched entries.
pjturmel
n00b


Joined: 15 Sep 2012
Posts: 3

Posted: Sat Sep 15, 2012 1:42 pm    Post subject: Filter for HPN Patch

These messages appear to be due to a logging patch. Details here:
http://sourceforge.net/tracker/?func=detail&aid=3257504&group_id=312875&atid=1316824

The solution is to modify the script /usr/share/logwatch/scripts/services/sshd to include

Code:
($ThisLine =~ /^SSH: Server;L[Tt]ype: /)


in the "ignore these" section.
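The filter from the last post, as an added example that is not part of the thread or of logwatch itself: a stand-alone Perl script that applies the same pattern to sample lines but tallies remote host and client banner before discarding them, so the per-connection noise goes while the count of who connected stays visible. The `Remote: <ip>-<port>` and `Client:` field layout is inferred from the report lines above, and the `summarise` helper and the AllowUsers sample line are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: stand-alone script, not part of logwatch.
use strict;
use warnings;

# Sample input: three HPN-style lines copied from the report in this thread,
# plus one constructed sshd line that the filter must leave alone.
my @sample = (
    'SSH: Server;Ltype: Version;Remote: 122.155.161.9-34198;Protocol: 2.0;Client: libssh-0.1',
    'SSH: Server;Ltype: Version;Remote: 220.172.191.31-52060;Protocol: 2.0;Client: libssh-0.1',
    'SSH: Server;Ltype: Version;Remote: 122.155.161.9-32985;Protocol: 2.0;Client: libssh-0.1',
    'User root from 122.155.161.9 not allowed because not listed in AllowUsers',
);

# summarise() is a hypothetical helper: it consumes the lines the thread's
# pattern would ignore, keeps counts from them, and returns the rest untouched.
sub summarise {
    my @lines = @_;
    my (%by_host, %by_client, @passed);
    my $unparsed = 0;
    for my $ThisLine (@lines) {
        # Same test as the pattern proposed for the "ignore these" section.
        if ($ThisLine =~ /^SSH: Server;L[Tt]ype: /) {
            # Assumed layout, inferred from the sample lines only:
            # ...;Remote: <ip>-<port>;...;Client: <banner>
            if ($ThisLine =~ /;Remote: ([0-9A-Fa-f.:]+)-\d+;.*;Client: (.*)$/) {
                $by_host{$1}++;
                $by_client{$2}++;
            } else {
                $unparsed++;    # other Ltype records: counted, not itemised
            }
            next;               # never reaches the unmatched list
        }
        push @passed, $ThisLine;
    }
    return (\%by_host, \%by_client, $unparsed, \@passed);
}

my ($hosts, $clients, $unparsed, $passed) = summarise(@sample);
print "SSH version banners by remote host:\n";
printf "   %s : %d Time(s)\n", $_, $hosts->{$_} for sort keys %$hosts;
print "SSH version banners by client string:\n";
printf "   %s : %d Time(s)\n", $_, $clients->{$_} for sort keys %$clients;
print "Other 'SSH: Server;Ltype' lines: $unparsed\n" if $unparsed;
print "Left for the other rules:\n";
print "   $_\n" for @$passed;
```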