FreeBSD-12 logcheck
Yasuhiro KIMURA
yasu at utahime.org
Wed Nov 27 17:28:27 UTC 2019
Hi James,
Thank you for using logcheck. I'm the maintainer of this port.
From: "James B. Byrne via freebsd-questions" <freebsd-questions at freebsd.org>
Subject: FreeBSD-12 logcheck
Date: Wed, 27 Nov 2019 11:48:33 -0500
> I have installed logcheck on a test machine and get the daily report.
> In it I see messages similar to the following:
>
> Nov 26 07:02:43 <auth.info> vhost04 sshd[28949]: Bad protocol version
> identification '\026\003\001' from 77.247.109.57 port 53786
If you saw this message in the report mail from logcheck, it must be as
follows.
----------------------------------------------------------------------
Nov 26 07:02:43 vhost04 sshd[28949]: Bad protocol version identification '\026\003\001' from 77.247.109.57 port 53786
----------------------------------------------------------------------
Therefore,
> This is basically noise most likely generated by some self-propagating
> malware. I wish to eliminate this from the report. I added this to
> /usr/local/etc/logcheck/violations.ignore.d/local-sshd:
>
>
> ^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol
> version identification.*
This pattern should be
----------------------------------------------------------------------
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification.*
----------------------------------------------------------------------
and it needs to be written to
/usr/local/etc/logcheck/ignore.d.server/local-ssh unless you change
the value of REPORTLEVEL in /usr/local/etc/logcheck/logcheck.conf.
---
Yasuhiro KIMURA
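
An ignore rule can be checked before it is installed by running it through grep -E against the line as it appears in the report mail. The script below is an added example and not part of the original message; it assumes rules are evaluated as extended regular expressions, the second sample line is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: test logcheck ignore rules against sample report lines.
# Assumption: a rule suppresses a line when grep -E matches it.

# Rule as first tried: expects a "<auth.info>" field, which the syslog
# file shows but the report-format line does not.
OLD_RULE='^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol version identification.*'

# Rule as corrected in the reply: timestamp, hostname, sshd[pid].
NEW_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification.*'

# sample_lines: line 1 is the report line quoted in the message;
# line 2 is constructed and must never be suppressed by the rule.
sample_lines() {
cat <<'EOF'
Nov 26 07:02:43 vhost04 sshd[28949]: Bad protocol version identification '\026\003\001' from 77.247.109.57 port 53786
Nov 26 07:05:10 vhost04 sshd[28951]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
}

# remaining RULE: print the sample lines that RULE does not suppress.
remaining() {
    sample_lines | grep -E -v -e "$1"
}

# count_remaining RULE: number of sample lines that would still be reported.
count_remaining() {
    remaining "$1" | wc -l | tr -d ' '
}

# noise_suppressed RULE: succeed only if no "Bad protocol" line remains.
noise_suppressed() {
    if remaining "$1" | grep -q 'Bad protocol version identification'; then
        return 1
    fi
    return 0
}

echo "old rule leaves $(count_remaining "$OLD_RULE") line(s) in the report"
echo "new rule leaves $(count_remaining "$NEW_RULE") line(s) in the report"
```

The constructed "Accepted publickey" line is there to confirm that the rule is not so broad that it hides unrelated sshd events.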