Bug 120263

Summary: [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
Product: Base System Reporter: Michael Grimm <trashcan>
Component: conf
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---
Severity: Affects Only Me    
Priority: Normal    
Version: 6.3-RELEASE   
Hardware: Any   
OS: Any   
Attachments: file.diff (flags: none)

Description Michael Grimm 2008-02-04 18:20:01 UTC
The following entries in /var/log/auth.log should be triggered in the daily security report
(xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):

Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx                                                   
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!

800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE
only recognizes the second entry. 

The relevant regex part of 800.loginfail in 6.2 is:
	egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"
and in 6.3 it has been changed to:
	egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"

Presumably, one tried to overcome false positives when system names contained "fail|invalid|bad|illegal"
and tried to modify the regex accordingly.

Now, "^$yesterday.*: " triggers the first part up to "...sshd[.....]: " correctly. After that, if a buzzword resides somewhere in the following text it will be triggered (second example), but if the remaining text starts with one buzzword (first example: Invalid) it cannot be triggered due to a single blank demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)".

The following entry in /var/log/auth.log is neither triggered by 6.2 nor by 6.3-800.loginfail. IMHO
this should be added as well:

Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers

Fix: apply patch

Patch attached with submission follows:
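To make the regex difference concrete, the following is an added example (not the report's attached patch and not code from FreeBSD's periodic/security/800.loginfail). It runs the two patterns quoted in the report, plus a hypothetical candidate pattern PAT_FIX (an assumption, not the reporter's fix), over constructed auth.log lines modelled on the three in the report, with "Jan 26" standing in for $yesterday and documentation addresses in place of xxx.xxx.xxx.xxx. A fifth constructed line with a host named "badhost" illustrates the false positive the reporter presumes the 6.3 change was meant to avoid. `grep -Ei` is used in place of `egrep -ia`.

```shell
#!/bin/sh
# Added example: compare the 6.2 and 6.3 800.loginfail patterns (quoted from the
# bug report) with a hypothetical candidate pattern over constructed log lines.

yesterday="Jan 26"   # 800.loginfail derives this from date(1); fixed here for the example

# Constructed sample lines (placeholders for address and host name, as in the report).
LINE_INVALID='Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from 192.0.2.10'
LINE_REVMAP='Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for example.net [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!'
LINE_ALLOWUSERS='Jan 26 23:16:52 troi sshd[87777]: User root from 192.0.2.10 not allowed because not listed in AllowUsers'
LINE_OK='Jan 26 09:00:00 troi sshd[70001]: Accepted publickey for alice from 192.0.2.20 port 51234 ssh2'
# Host name containing a buzzword: a benign login that 6.2 would report and 6.3 would not.
LINE_BADHOST='Jan 26 10:00:00 badhost sshd[70002]: Accepted publickey for bob from 192.0.2.21 port 51235 ssh2'

SAMPLE_LOG="$LINE_INVALID
$LINE_REVMAP
$LINE_ALLOWUSERS
$LINE_OK
$LINE_BADHOST"

# Patterns exactly as quoted in the report for 6.2 and 6.3.
PAT_62="^$yesterday.*(fail|invalid|bad|illegal)"
PAT_63="^$yesterday.*: .* (fail|invalid|bad|illegal)"
# Hypothetical candidate (assumption): keep the "prog[pid]: " anchor so host names
# are ignored, but make the text before the buzzword optional so a message that
# starts with the buzzword still matches, and add "not allowed" for the AllowUsers case.
PAT_FIX="^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"

# Exit 0 if PATTERN ($1) matches LINE ($2), i.e. the daily report would list it.
line_matches() {
    printf '%s\n' "$2" | grep -Eiq "$1"
}

# Print how many lines of SAMPLE_LOG PATTERN ($1) matches (grep -c exits 1 on zero hits).
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Eic "$1" || true
}

# Show, for each pattern, which constructed lines the daily report would list.
report() {
    for name in PAT_62 PAT_63 PAT_FIX; do
        eval "pat=\$$name"
        printf '\n== %s: %s\n' "$name" "$pat"
        printf '%s\n' "$SAMPLE_LOG" | grep -Ei "$pat" || echo '(no lines matched)'
    done
}

report
```

Running it shows PAT_62 listing the "Invalid user", "reverse mapping" and "badhost" lines, PAT_63 listing only the "reverse mapping" line (the "Invalid user" line is lost exactly as the report describes, because no blank precedes "Invalid"), and PAT_FIX listing the three attack lines while still ignoring the host name "badhost".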
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:20 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped