
Bug 78827

Summary: SSHD Log Messages Have Changed . . . Update /etc/metalog.conf to match
Product: Gentoo Linux
Reporter: Rob Rosenfeld <rob>
Component: Current packages
Assignee: SpanKY <vapier>
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Rob Rosenfeld 2005-01-20 08:58:13 UTC
When an SSH login was attempted with a non-existent user name, SSHD used to log using the phrase "illegal user".  After a recent SSHD upgrade (currently in openssh-3.9_p1-r1) it now uses the phrase "invalid user".  

The pwdfail section of /etc/metalog/metalog.conf should have its regex directives updated to reflect this.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Olivier Crete (RETIRED) gentoo-dev 2005-01-20 12:55:10 UTC
you're the last to bump the ebuild...
Comment 2 Rob Rosenfeld 2005-01-20 12:59:38 UTC
Should have been more specific.  Old message was:

  Dec 10 03:10:49 [sshd] Illegal user user from 210.90.82.94

New message is:

  Jan 15 20:51:20 [sshd] Invalid user user from 211.23.110.62
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2005-01-27 05:52:20 UTC
as far as I see, the old message wasn't caught either; the regex is:

  regex    = "(password|login|authentication)\s+(fail|invalid)"
  regex    = "(failed|invalid)\s+(password|login|authentication)"
Comment 4 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-19 12:01:59 UTC
can you please post a patch?
Comment 5 Rob Rosenfeld 2005-02-25 17:44:35 UTC
I guess it doesn't trap invalid users by default.  I must have enabled it when it called them illegal users, and when they renamed it, it was a bug.  Not sure if you'll want to enable this in the logs . . . log use can get pretty heavy w/ all the ssh scans I see.  But, here it is in case


 # diff -u /usr/portage/app-admin/metalog/files/metalog.conf /etc/metalog/metalog.conf                           
--- /usr/portage/app-admin/metalog/files/metalog.conf   2004-07-18 02:36:10.000000000 +0000
+++ /etc/metalog/metalog.conf   2005-01-20 16:50:37.000000000 +0000

@@ -21,13 +22,15 @@
   program  = "iptrap"
   logdir   = "/var/log/iptrap"

 Password failures :

   regex    = "(password|login|authentication)\s+(fail|invalid)"
-  regex    = "(failed|invalid)\s+(password|login|authentication)"
+  regex    = "(failed|invalid)\s+(password|login|authentication|user)"
   regex    = "ILLEGAL ROOT LOGIN"
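Review bot: the hunk header `@@ -21,13 +22,15 @@` declares a net gain of two lines, but the hunk body shows a one-for-one replacement of the second `regex` line, so this patch as posted will not apply cleanly with patch(1); regenerate it with `diff -u` without trimming and post the full hunk. Also, the sshd message quoted earlier in this bug is `Invalid user user from ...` with a capital I, while the added alternative is lowercase `(failed|invalid)\s+(password|login|authentication|user)`; before merging, confirm that metalog matches its `regex` directives case-insensitively, otherwise the new message will still be missed exactly as the old `Illegal user` one was.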
Comment 6 SpanKY gentoo-dev 2005-03-14 19:31:27 UTC
current config captures 'login failed' and 'login invalid' so I guess 'invalid user' should also go in the same place

fixed in cvs