When an SSH login was attempted with a non-existent user name, SSHD used to log using the phrase "illegal user". After a recent SSHD upgrade (currently in openssh-3.9_p1-r1) it now uses the phrase "invalid user". The pwdfail section of /etc/metalog/metalog.conf should have its regex directives updated to reflect this.

Reproducible: Always
You're the last to bump the ebuild...
Should have been more specific. Old message was:

Dec 10 03:10:49 [sshd] Illegal user user from 210.90.82.94

New message is:

Jan 15 20:51:20 [sshd] Invalid user user from 211.23.110.62
As far as I see, the old message wasn't caught either; the regex is:

regex = "(password|login|authentication)\s+(fail|invalid)"
regex = "(failed|invalid)\s+(password|login|authentication)"
Can you please post a patch?
I guess it doesn't trap invalid users by default. I must have enabled it when it called them illegal users and when they renamed it was a bug. Not sure if you'll want to enable this to the logs . . . log use can get pretty heavy w/ all the ssh scans I see. But, here it is in case # diff -u /usr/portage/app-admin/metalog/files/metalog.conf /etc/metalog/metalog.conf --- /usr/portage/app-admin/metalog/files/metalog.conf 2004-07-18 02:36:10.000000000 +0000 +++ /etc/metalog/metalog.conf 2005-01-20 16:50:37.000000000 +0000 @@ -21,13 +22,15 @@ program = "iptrap" logdir = "/var/log/iptrap" Password failures : regex = "(password|login|authentication)\s+(fail|invalid)" - regex = "(failed|invalid)\s+(password|login|authentication)" + regex = "(failed|invalid)\s+(password|login|authentication|user)" regex = "ILLEGAL ROOT LOGIN"
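Review bot: the new alternative `(failed|invalid)\s+(password|login|authentication|user)` matches the current "Invalid user" line but still misses the older "Illegal user" form quoted earlier in this bug, so hosts still running a pre-upgrade sshd stay untrapped; if both forms are meant to be caught, `(failed|invalid|illegal)\s+(password|login|authentication|user)` would cover them. Also, the hunk header `@@ -21,13 +22,15 @@` counts two more lines on the new side than the single regex substitution shown, and the diff is taken against the live /etc/metalog/metalog.conf rather than a copy of the portage file, so it likely carries local edits outside this hunk; apply only the regex change.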
Current config captures 'login failed' and 'login invalid', so I guess 'invalid user' should also go in the same place. Fixed in CVS.
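To see which of the sshd lines quoted in this bug each version of the pwdfail section actually traps, here is an added Python check (not from the bug, from the posted diff or from metalog itself). It assumes metalog applies its regexes case-insensitively and unanchored, which `re.IGNORECASE` with `re.search` mirrors; the "Failed password" and "Accepted publickey" lines are constructed samples.

```python
import re

# pwdfail regexes as shipped in the portage metalog.conf (before the fix)
PWDFAIL_OLD = [
    r"(password|login|authentication)\s+(fail|invalid)",
    r"(failed|invalid)\s+(password|login|authentication)",
    r"ILLEGAL ROOT LOGIN",
]

# same section with the one-line change from the diff posted in the bug
PWDFAIL_NEW = [
    r"(password|login|authentication)\s+(fail|invalid)",
    r"(failed|invalid)\s+(password|login|authentication|user)",
    r"ILLEGAL ROOT LOGIN",
]


def compile_section(regexes):
    # Assumption: metalog matches case-insensitively, hence IGNORECASE here.
    return [re.compile(r, re.IGNORECASE) for r in regexes]


def matches_pwdfail(line, compiled):
    """True if any regex of the section fires anywhere in this log line."""
    return any(r.search(line) for r in compiled)


def trapped(lines, regexes):
    """Return the subset of lines the section would route to the pwdfail log."""
    compiled = compile_section(regexes)
    return [line for line in lines if matches_pwdfail(line, compiled)]


# The first two lines are the ones quoted in the bug; the last two are constructed.
SAMPLE_LINES = [
    "Dec 10 03:10:49 [sshd] Illegal user user from 210.90.82.94",
    "Jan 15 20:51:20 [sshd] Invalid user user from 211.23.110.62",
    "Jan 15 20:52:03 [sshd] Failed password for root from 211.23.110.62 port 4711 ssh2",
    "Jan 15 20:52:10 [sshd] Accepted publickey for alice from 10.0.0.5 port 4712 ssh2",
]

if __name__ == "__main__":
    for name, section in (("old", PWDFAIL_OLD), ("new", PWDFAIL_NEW)):
        print(f"{name} config traps:")
        for line in trapped(SAMPLE_LINES, section):
            print("  ", line)
```

The old section catches only the "Failed password" line; the patched one adds "Invalid user" but, as the thread notes, still lets the older "Illegal user" wording through.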