FreeBSD-12 logcheck

Yasuhiro KIMURA yasu at utahime.org
Wed Nov 27 17:28:27 UTC 2019


Hi James,

Thank you for using logcheck. I'm the maintainer of this port.

From: "James B. Byrne via freebsd-questions" <freebsd-questions at freebsd.org>
Subject: FreeBSD-12 logcheck
Date: Wed, 27 Nov 2019 11:48:33 -0500

> I have installed logcheck on a test machine and get the daily report. 
> In it I see messages similar to the following:
> 
> Nov 26 07:02:43 <auth.info> vhost04 sshd[28949]: Bad protocol version
> identification '\026\003\001' from 77.247.109.57 port 53786

If you saw this message in the report mail sent by logcheck, it must be as
follows.

----------------------------------------------------------------------
Nov 26 07:02:43 vhost04 sshd[28949]: Bad protocol version identification '\026\003\001' from 77.247.109.57 port 53786
----------------------------------------------------------------------

Therefore,

> This is basically noise most likely generated by some self-propagating
> malware.  If wish to eliminate this from the report.  I added this to
> /usr/local/etc/logcheck/violations.ignore.d/local-sshd:
> 
> 
> ^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol
> version identification.*

This pattern should be

----------------------------------------------------------------------
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification.*
----------------------------------------------------------------------

and it needs to be written to
/usr/local/etc/logcheck/ignore.d.server/local-ssh unless you change
the value of REPORTLEVEL in /usr/local/etc/logcheck/logcheck.conf.

---
Yasuhiro KIMURA
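As an added example (not part of the thread), the following sh script feeds constructed sample lines through `grep -E`, the way logcheck applies its ignore rules, to show that the pattern from the question never matches the line as it appears in the report, while the corrected pattern matches it (also for a hostname containing dots) and still leaves an ordinary login line in the report. The hostnames, the login line and the address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Constructed sample lines: the report line quoted above (as logcheck shows it,
# without the <auth.info> tag), the same event from a host logging an FQDN, and
# a legitimate sshd login that must NOT be suppressed by the ignore rule.
NOISE_LINE="Nov 26 07:02:43 vhost04 sshd[28949]: Bad protocol version identification '\026\003\001' from 77.247.109.57 port 53786"
NOISE_FQDN="Nov 26 07:02:43 vhost04.example.org sshd[28949]: Bad protocol version identification '\026\003\001' from 77.247.109.57 port 53786"
LOGIN_LINE="Nov 26 07:05:10 vhost04 sshd[29001]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2"

# Pattern as posted in the question (expects the <auth.info> tag that is not
# present in the report line) and the corrected pattern from the reply.
ORIG_PATTERN='^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol version identification.*'
FIXED_PATTERN='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification.*'

# ignored PATTERN LINE: exit 0 if the line would be dropped by an
# ignore.d.server rule holding PATTERN, i.e. if egrep matches it, else 1.
ignored() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# report PATTERN LINE: print a one-line verdict when running the script by hand.
report() {
    if ignored "$1" "$2"; then
        printf 'IGNORED  %s\n' "$2"
    else
        printf 'REPORTED %s\n' "$2"
    fi
}

echo "== pattern from the question =="
report "$ORIG_PATTERN" "$NOISE_LINE"
echo "== corrected pattern =="
report "$FIXED_PATTERN" "$NOISE_LINE"
report "$FIXED_PATTERN" "$NOISE_FQDN"
report "$FIXED_PATTERN" "$LOGIN_LINE"
```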

