Date:      Thu, 28 Nov 2019 02:27:21 +0900 (JST)
From:      Yasuhiro KIMURA <yasu@utahime.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD-12 logcheck
Message-ID:  <20191128.022721.1343122922192153682.yasu@utahime.org>
In-Reply-To: <4d6ddb1dae5865ba9dad6142340ab42d.squirrel@webmail.harte-lyne.ca>
References:  <4d6ddb1dae5865ba9dad6142340ab42d.squirrel@webmail.harte-lyne.ca>

Hi James,

Thank you for using logcheck. I'm the maintainer of this port.

From: "James B. Byrne via freebsd-questions" <freebsd-questions@freebsd.org>
Subject: FreeBSD-12 logcheck
Date: Wed, 27 Nov 2019 11:48:33 -0500

> I have installed logcheck on a test machine and get the daily report. 
> In it I see messages similar to the following:
> 
> Nov 26 07:02:43 <auth.info> vhost04 sshd[28949]: Bad protocol version
> identification '\026\003\001' from 77.247.109.57 port 53786

If you saw this message in a report mail from logcheck, it must look as
follows.

----------------------------------------------------------------------
Nov 26 07:02:43 vhost04 sshd[28949]: Bad protocol version identification '\026\003\001' from 77.247.109.57 port 53786
----------------------------------------------------------------------

Therefore,

> This is basically noise most likely generated by some self-propagating
> malware.  I wish to eliminate this from the report.  I added this to
> /usr/local/etc/logcheck/violations.ignore.d/local-sshd:
> 
> 
> ^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol
> version identification.*

This pattern should be

----------------------------------------------------------------------
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification.*
----------------------------------------------------------------------

and it needs to be written to
/usr/local/etc/logcheck/ignore.d.server/local-ssh unless you change
the value of REPORTLEVEL in /usr/local/etc/logcheck/logcheck.conf.

---
Yasuhiro KIMURA

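The point of the reply is that logcheck matches its ignore rules against the line as it appears in the report, where the <auth.info> tag is absent, so a rule written against the raw syslog line never fires. The script below is an added example, not part of the thread or of the logcheck port: it checks both rules the way logcheck does (grep -E) before anything is installed under /usr/local/etc/logcheck. The first sample line is the report line from the thread; the other sample lines, host names and addresses are constructed for the example. It also goes one step beyond the thread by checking that the corrected rule does not swallow unrelated sshd messages.

```shell
#!/bin/sh
# Added example (not from the thread): test a logcheck ignore rule the way
# logcheck applies it, with grep -E, before putting it into
# /usr/local/etc/logcheck/ignore.d.server/.  The first sample line is the
# report line from the thread; the others are constructed for this example.

# The line as it appears in the logcheck report: no <auth.info> tag.
REPORT_LINE="Nov 26 07:02:43 vhost04 sshd[28949]: Bad protocol version identification '\\026\\003\\001' from 77.247.109.57 port 53786"

# The rule from the original question (it expects the <auth.info> tag)
# and the corrected rule from the reply.  Note that \w is an extension to
# POSIX ERE that grep accepts; the rest is plain ERE.
ORIG_RULE='^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol version identification.*'
FIXED_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification.*'

# matches RULE LINE: exit 0 if the rule would make logcheck ignore LINE.
# logcheck runs grep -E -f <rulefiles>; -e with a single rule is equivalent.
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# Constructed sample lines in report format: two probe lines the rule
# should swallow (one with a space-padded single-digit day and an FQDN as
# host name) and two sshd lines that must still be reported.
sample_lines() {
    printf '%s\n' "$REPORT_LINE"
    printf '%s\n' "Nov  6 07:02:43 vhost04.example.org sshd[1234]: Bad protocol version identification '\\003' from 192.0.2.10 port 40000"
    printf '%s\n' "Nov 26 07:03:10 vhost04 sshd[28951]: Accepted publickey for james from 192.0.2.5 port 50000 ssh2"
    printf '%s\n' "Nov 26 07:04:00 vhost04 sshd[28953]: Invalid user admin from 198.51.100.7 port 41234"
}

# remaining RULE: number of sample lines that would still reach the report
# after the rule is applied (grep -E -v is what logcheck does with ignore
# rules).
remaining() {
    sample_lines | grep -E -v -e "$1" | wc -l | tr -d ' '
}

if matches "$ORIG_RULE" "$REPORT_LINE"; then
    echo "original rule: ignores the report line"
else
    echo "original rule: does NOT match the report line (no <auth.info> tag there)"
fi
if matches "$FIXED_RULE" "$REPORT_LINE"; then
    echo "fixed rule: ignores the report line"
fi
echo "lines still reported with original rule: $(remaining "$ORIG_RULE")"   # 4
echo "lines still reported with fixed rule:    $(remaining "$FIXED_RULE")"  # 2
```

Running this shows the original rule ignoring nothing (all four sample lines still reported) and the corrected rule dropping only the two "Bad protocol version identification" lines while "Accepted publickey" and "Invalid user" still reach the report. The corrected rule stays narrow because it pins the host field, the sshd[<pid>]: prefix and the exact message text; the trailing .* only absorbs the varying client address and port. Once the rule behaves as intended against a few real lines from your own report, it goes into /usr/local/etc/logcheck/ignore.d.server/local-ssh as the reply says (assuming REPORTLEVEL is left at its default in logcheck.conf).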