logwatch and ssh, not recognizing entries correctly

B Wooster bwooster47 at gmail.com
Sat Apr 2 21:55:51 UTC 2005


So I get daily reports from logwatch, but am having trouble figuring
out why logwatch reports all the sshd lines as "Unmatched Entries".
So, I get thousands of lines in the email that are unrecognized. But
related entries seem to be matched correctly by pam_unix.

Is the logwatch sshd script out of date in Fedora FC3, and does it not
match the openssh output?

Here are examples of the unmatched entries:
User nobody not allowed because not listed in AllowUsers
Failed password for invalid user nobody from 216.17.211.26 port 53321 ssh2
Invalid user patrick from 216.17.211.26
Failed password for invalid user patrick from 216.17.211.26 port 53259 ssh2
Invalid user patrick from 216.17.211.26
Failed password for invalid user patrick from 216.17.211.26 port 60961 ssh2
User root not allowed because not listed in AllowUsers
.....

sshd version is:
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
.....
Using latest Fedora: 2.6.10-1.770_FC3
....

Looking at /etc/log.d/scripts/services/sshd, I notice that it is not
looking for the above lines, but is looking for "Failed ... login"
instead of "Invalid user".
Also: the pam_unix logwatch script is working - but it seems to me all
that info will be a duplicate of what the sshd script would print out;
not sure if this is how the normal setup is.
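
Added example, not part of the original post and not logwatch's own script: a stand-alone Python matcher for the three sshd line shapes quoted above, which counts them per user and source address and keeps anything else as unmatched. The function name, the patterns and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Line shapes quoted in the post (OpenSSH_3.9p1 wording). search() is used so
# an optional syslog prefix ("Apr  2 ... sshd[123]: ") does not prevent a match.
NOT_ALLOWED = re.compile(r"User (\S+) not allowed because not listed in AllowUsers$")
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+)$")
FAILED_PW = re.compile(
    r"Failed password for (invalid user )?(\S+) from (\S+) port \d+ ssh\d*$")

# Sample input: the lines from the post, plus one constructed line at the end.
SAMPLE = """\
User nobody not allowed because not listed in AllowUsers
Failed password for invalid user nobody from 216.17.211.26 port 53321 ssh2
Invalid user patrick from 216.17.211.26
Failed password for invalid user patrick from 216.17.211.26 port 53259 ssh2
Invalid user patrick from 216.17.211.26
Failed password for invalid user patrick from 216.17.211.26 port 60961 ssh2
User root not allowed because not listed in AllowUsers
sshd test line that no pattern covers (constructed)
"""

def summarize(lines):
    """Count recognized sshd messages; return (counters, unmatched lines)."""
    counts = {"not_allowed": Counter(), "invalid_user": Counter(),
              "failed_password": Counter()}
    unmatched = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := FAILED_PW.search(line):
            # key: (user, source address, account-is-invalid flag)
            counts["failed_password"][(m[2], m[3], bool(m[1]))] += 1
        elif m := INVALID_USER.search(line):
            counts["invalid_user"][(m[1], m[2])] += 1
        elif m := NOT_ALLOWED.search(line):
            counts["not_allowed"][m[1]] += 1
        else:
            unmatched.append(line)  # keep unknown lines visible in the report
    return counts, unmatched

if __name__ == "__main__":
    counts, unmatched = summarize(SAMPLE.splitlines())
    for kind, counter in counts.items():
        for key, n in sorted(counter.items()):
            print(f"{kind}: {key} x{n}")
    print("unmatched:", unmatched)
```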



