The following entries in /var/log/auth.log should be triggered in the daily security report
(xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):
Jan 26 08:10:30 troi sshd: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE
only recognizes the second entry.
The relevant regex part of the 6.2 800.loginfail is:
egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"
and in 6.3 it has been changed to:
egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"
Presumably, someone tried to overcome false positives when system names contained "fail|invalid|bad|illegal"
and modified the regex accordingly.
Now, "^$yesterday.*: " correctly matches the first part up to "...sshd[.....]: ". After that, if a buzzword occurs somewhere in the following text it will be triggered (second example), but if the remaining text starts with a buzzword (first example: Invalid) it cannot be triggered, because a single blank is demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)".
The following entry in /var/log/auth.log is neither triggered by 6.2 nor by 6.3-800.loginfail. IMHO
this should be added as well:
Jan 26 23:16:52 troi sshd: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
Fix: apply patch
Patch attached with submission follows:
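The attached patch is not reproduced on this page. The following is an added example, not the reporter's patch or FreeBSD's own code, that replays the two 800.loginfail patterns quoted above over a constructed auth.log sample and shows the effect described in the report: the 6.2 pattern also fires on a hostname containing a buzzword, the 6.3 pattern misses "Invalid user ..." because the buzzword is the first word after "sshd[...]: ". A third pattern, my own proposal and not the committed fix, allows the buzzword to be the first word after the program prefix and adds "not allowed" for the AllowUsers rejection. Hostnames (troi, badger), PIDs, addresses from the 192.0.2.0/24 documentation range and the `yesterday` value are all constructed; `egrep -ia` is written as `grep -Ei` because `-a` only affects binary-file handling, not the match.

```shell
#!/bin/sh
# Added example: replays the 800.loginfail regex variants discussed in the
# report over a constructed auth.log sample. The "proposed" regex is my own
# assumption, not the patch attached to the report.

yesterday="Jan 26"   # 800.loginfail derives this from date(1); fixed here for the sample

# Constructed sample (not real log data): the three entries from the report,
# plus one benign line from a host whose name contains a buzzword ("badger")
# and one line from the previous day that must never be counted.
sample_log() {
    cat <<'EOF'
Jan 26 08:10:30 troi sshd[1234]: Invalid user gary from 192.0.2.10
Jan 26 16:09:32 troi sshd[1235]: reverse mapping checking getaddrinfo for host.example [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 26 23:16:52 troi sshd[1236]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Jan 26 23:20:01 badger sshd[1237]: Accepted publickey for alice from 192.0.2.20 port 51234 ssh2
Jan 25 23:59:59 troi sshd[1200]: Invalid user old from 192.0.2.10
EOF
}

# 6.2-RELEASE: any buzzword anywhere after the date, hostnames included.
regex_62="^$yesterday.*(fail|invalid|bad|illegal)"
# 6.3-RELEASE: buzzword must follow "program: " AND be preceded by a blank,
# which rejects a buzzword that is the first word of the message.
regex_63="^$yesterday.*: .* (fail|invalid|bad|illegal)"
# Proposed (assumption, not the committed fix): after "program: " the buzzword
# may be the first word or any later word, and "not allowed" covers AllowUsers.
regex_fix="^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"

# Number of sample lines matched by an ERE, case-insensitively as in 800.loginfail.
# grep exits 1 when the count is 0 (the 0 is still printed); only a real
# error such as a bad pattern (exit 2) is propagated.
count_matches() {
    sample_log | grep -Eic -- "$1" || [ $? -eq 1 ]
}

# sshd PIDs of the matched lines, space-separated, so the reader sees which
# entries each variant would put in the daily report, not just how many.
matched_pids() {
    sample_log | grep -Ei -- "$1" | sed -E 's/^.*sshd\[([0-9]+)].*$/\1/' \
        | tr '\n' ' ' | sed 's/ *$//'
}

report() {
    printf '%-10s %s line(s): %s\n' "$1" "$(count_matches "$2")" "$(matched_pids "$2")"
}

report "6.2"      "$regex_62"
report "6.3"      "$regex_63"
report "proposed" "$regex_fix"
```

Running it shows 6.2 reporting PIDs 1234, 1235 and 1237 (the last is the false positive on "badger"), 6.3 reporting only 1235, and the proposed pattern reporting 1234, 1235 and 1236 without the hostname false positive. Whatever pattern is finally used, a sample like this one, with a buzzword-bearing hostname and a message that starts with a buzzword, is the check to run against it.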