Date: Wed, 27 Nov 2019 11:48:33 -0500 From: "James B. Byrne" <byrnejb@harte-lyne.ca> To: freebsd-questions@freebsd.org Subject: FreeBSD-12 logcheck Message-ID: <4d6ddb1dae5865ba9dad6142340ab42d.squirrel@webmail.harte-lyne.ca>
index | next in thread | raw e-mail
I have installed logcheck on a test machine and get the daily report.
In it I see messages similar to the following:
Nov 26 07:02:43 <auth.info> vhost04 sshd[28949]: Bad protocol version
identification '\026\003\001' from 77.247.109.57 port 53786
This is basically noise most likely generated by some self-propagating
malware. If wish to eliminate this from the report. I added this to
/usr/local/etc/logcheck/violations.ignore.d/local-sshd:
^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol
version identification.*
I checked this regexp against the reported string and it matches. Why
then are these still being reported?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4d6ddb1dae5865ba9dad6142340ab42d.squirrel>