FreeBSD-12 logcheck
James B. Byrne
byrnejb at harte-lyne.ca
Wed Nov 27 16:48:41 UTC 2019
I have installed logcheck on a test machine and get the daily report.
In it I see messages similar to the following:
Nov 26 07:02:43 <auth.info> vhost04 sshd[28949]: Bad protocol version
identification '\026\003\001' from 77.247.109.57 port 53786
This is basically noise most likely generated by some self-propagating
malware. If wish to eliminate this from the report. I added this to
/usr/local/etc/logcheck/violations.ignore.d/local-sshd:
^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol
version identification.*
I checked this regexp against the reported string and it matches. Why
then are these still being reported?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
More information about the freebsd-questions
mailing list