The following entries in /var/log/auth.log should be triggered in the daily security report (xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):

    Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
    Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!

800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE only recognizes the second entry.

The relevant 6.2-regex-part of 6.2-800.loginfail is:

    egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"

and in 6.3 it has been changed to:

    egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"

Presumably, one tried to overcome false-positives when system names contained "fail|invalid|bad|illegal" and tried to modify the regex accordingly.

Now, "^$yesterday.*: " triggers the first part up to "...sshd[.....]: " correctly. After that, if a buzzword resides somewhere in the following text it will be triggered (second example), but if the remaining text starts with one buzzword (first example: Invalid) it cannot be triggered due to a single blank demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)"

The following entry in /var/log/auth.log is neither triggered by 6.2 nor by 6.3-800.loginfail. IMHO this should be added as well:

    Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers

Fix: apply patch

Patch attached with submission follows:
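
The matching behaviour described in the report above can be reproduced with the two quoted patterns. This is an added example, not the submitter's patch and not FreeBSD's code. The `badger` log line, the fixed `yesterday` value, the function names and the `re_candidate` pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log. The first three lines are the ones
# quoted in the report; the fourth is a constructed benign line from a host
# whose name contains a buzzword ("bad").
sample_log() {
cat <<'EOF'
Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
Jan 26 09:00:00 badger sshd[70001]: Accepted publickey for alice from xxx.xxx.xxx.xxx
EOF
}

# Fixed here so the patterns line up with the sample lines above.
yesterday="Jan 26 "

# Patterns as quoted in the report.
re_62="^$yesterday.*(fail|invalid|bad|illegal)"
re_63="^$yesterday.*: .* (fail|invalid|bad|illegal)"

# Hypothetical candidate (an assumption, not the attached patch): the text
# between "sshd[...]: " and the buzzword becomes optional, so a message that
# starts with the buzzword still matches, and "not allowed" is added as a
# phrase to catch AllowUsers rejections.
re_candidate="^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"

# Print the sshd PIDs of the lines a pattern would put in the report.
reported() {
    sample_log | grep -Eia "$1" \
        | sed -E 's/.*sshd\[([0-9]+)\].*/\1/' \
        | tr '\n' ' ' | sed 's/ $//'
}

printf '6.2 pattern reports:       %s\n' "$(reported "$re_62")"
printf '6.3 pattern reports:       %s\n' "$(reported "$re_63")"
printf 'candidate pattern reports: %s\n' "$(reported "$re_candidate")"
```

The 6.2 pattern reports the benign `badger` line along with the two failures, the 6.3 pattern drops both the `badger` line and the `Invalid user` line, and neither reports the AllowUsers rejection.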

For bugs matching the following criteria:

Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>