Bug 227805 - New sshd logs not processed correctly
Summary: New sshd logs not processed correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
Version: 4.4
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
: ---
Assignee: Ivana Varekova
QA Contact:
URL:
Whiteboard:
Duplicates: 204110
Depends On: 139606
Blocks:
 
Reported: 2007-02-08 10:49 UTC by Jose Plans
Modified: 2018-10-19 21:07 UTC (History)

Fixed In Version: RHBA-2008-0750
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-24 20:01:23 UTC


Attachments
proposed patch for 5.2.2 (deleted)
2007-03-02 11:28 UTC, Jose Plans
Extended patch (deleted)
2007-04-19 10:35 UTC, John Robinson


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0750 normal SHIPPED_LIVE logwatch bug fix and enhancement update 2008-07-23 16:49:48 UTC

Description Jose Plans 2007-02-08 10:49:47 UTC
+++ This bug was initially created as a clone of Bug #139606 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3)
Gecko/20040913 Firefox/0.10.1

Description of problem:
FC3 uses openssh-3.9p1-7.  The logs are in a slightly different
format, so some messages are lumped into **Unmatched Entries**

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1.  Run logwatch against openssh-3.9p1-7 that contains Invalid user
and Failed password lines

    
Actual Results:
   **Unmatched Entries**
Invalid user test from ::ffff:220.70.167.67
Failed password for invalid user test from ::ffff:220.70.167.67 port 33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port 33490 ssh2

Expected Results:
Illegal users from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

Failed logins from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

-- Additional comment from djk@cyber.com.au on 2005-05-20 20:46 EST --
It looks like this should be fixed in logwatch 6.0.1 shipped with FC4 test3.
(I have the same problem with FC3, and get logs of unmatched entries.)

-- Additional comment from varekova@redhat.com on 2005-06-24 07:12 EST --
This problem is fixed in the current release.

Comment 2 John Robinson 2007-02-13 13:15:45 UTC
Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2.

I'm not sure but it may only have become a problem since openssh has been
updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or
https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update;
I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit
this issue. I may be wrong though.

Comment 3 Jose Plans 2007-03-02 11:28:34 UTC
Created attachment 149103 [details]
proposed patch for 5.2.2

Comment 4 John Robinson 2007-03-02 12:29:15 UTC
That looks like a good start, but here's a sample of my logs:

Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2

and logwatch reports all of these as unmatched, I think perhaps
s/illegal/invalid/ in the next few lines after the above patch and this may be
licked :-)
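
An added example, not part of the original thread and not logwatch's own code: a small summarizer that accepts both the older "Illegal user" wording and the "Invalid user" wording quoted above, so these lines are counted instead of falling into **Unmatched Entries**. It assumes the syslog prefix has already been stripped; the sample lines, addresses and names such as `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Older sshd wrote "Illegal user"; the format in this report says "Invalid user".
WORD = r"(?:[Ii]llegal|[Ii]nvalid)"
# Greedy user group: the host is always taken after the LAST " from ".
PROBE = re.compile(rf"^{WORD} user (?P<user>.*) from (?P<host>\S+)$")
FAILED = re.compile(
    rf"^Failed (?P<method>\S+) for {WORD} user (?P<user>.*) "
    r"from (?P<host>\S+) port \d+ ssh2$")
# Companion line for the same attempt; it carries no host, so it is dropped.
NOISE = re.compile(rf"^input_userauth_request: {WORD} user ")

def summarize(lines):
    """Return (probes, failures, unmatched) for sshd message bodies."""
    probes, failures, unmatched = Counter(), Counter(), []
    for raw in lines:
        line = raw.strip()
        if not line or NOISE.match(line):
            continue
        m = FAILED.match(line)
        if m:
            failures[f"{m['user']}/{m['method']} from {m['host']}"] += 1
            continue
        m = PROBE.match(line)
        if m:
            probes[f"{m['user']} from {m['host']}"] += 1
            continue
        unmatched.append(line)
    return probes, failures, unmatched

# Constructed sample in the shape quoted in this thread (RFC 5737 addresses).
SAMPLE = """\
Invalid user test from ::ffff:192.0.2.10
input_userauth_request: invalid user test
Failed password for invalid user test from ::ffff:192.0.2.10 port 33205 ssh2
Failed password for invalid user test from ::ffff:192.0.2.10 port 33205 ssh2
Illegal user guest from ::ffff:192.0.2.10
Failed password for illegal user guest from ::ffff:192.0.2.10 port 33490 ssh2
Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
""".splitlines()

if __name__ == "__main__":
    probes, failures, unmatched = summarize(SAMPLE)
    for title, table in (("Invalid users from:", probes), ("Failed logins from:", failures)):
        print(title)
        for key, n in table.items():
            print(f"   {key}: {n} Time(s)")
    print("**Unmatched Entries**", *unmatched, sep="\n")
```

Because the user name is attacker-supplied text, the greedy match keeps a name that itself contains " from " from displacing the real source address in the report.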

Comment 5 John Robinson 2007-04-19 10:35:23 UTC
Created attachment 152989 [details]
Extended patch

It's been working for me since my previous message

Comment 10 Ivana Varekova 2007-10-26 09:17:52 UTC
*** Bug 204110 has been marked as a duplicate of this bug. ***

Comment 12 RHEL Product and Program Management 2008-01-31 08:26:14 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Chris Pepper 2008-03-23 05:30:59 UTC
I get way too many of these unmatched triplets in 5.1; updating to scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround:

Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2
Invalid user ns from ::ffff:219.94.147.174
input_userauth_request: invalid user ns
Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2
Invalid user nameserver from ::ffff:219.94.147.174
input_userauth_request: invalid user nameserver
Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2
Invalid user hosting from ::ffff:219.94.147.174
input_userauth_request: invalid user hosting



Comment 16 Chris Pepper 2008-03-23 05:34:02 UTC
Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with the CVS HEAD is:

pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s)



Comment 19 errata-xmlrpc 2008-07-24 20:01:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0750.html

