From 036051c8366c2838b1271a5a5e5477448f1f9e77 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Wed, 25 Sep 2024 19:44:08 +0200
Subject: [PATCH] journalwatch config

---
 modules/journalwatch.nix | 78 +++++++++++++++++++++-------------------
 1 file changed, 42 insertions(+), 36 deletions(-)

diff --git a/modules/journalwatch.nix b/modules/journalwatch.nix
index 07668e5..cc3147a 100644
--- a/modules/journalwatch.nix
+++ b/modules/journalwatch.nix
@@ -552,42 +552,6 @@
 match = "_SYSTEMD_UNIT = opensmtpd.service";
 }
- { # yodaYoga, yodaNas
- filters = ''
- Accepted publickey for (root|yoda) from \S+ port \S+ ssh2: RSA SHA256:\S+
- pam_unix\(sshd:session\): session opened for user \S+ by \S+
- Received disconnect from \S+ port \S+:11: disconnected by user
- Disconnected from user \S+ \S+ port \S+
- pam_unix\(sshd:session\): session closed for user \S+
- #
- # Somebody evil ...
- #
- Failed keyboard-interactive/pam for invalid user \S+ from \S+ port \S+ ssh2
- Unable to negotiate with \S+ port \S+: no matching MAC found. Their offer: \S+ \[preauth\]
- Invalid user \S+ from \S+ port \S+
- Disconnected from invalid user \S+ \S+ port \S+ \[preauth\]
- Disconnected from authenticating user root \S+ port \S+ \[preauth\]
- Received disconnect from \S+ port \S+:11: Client disconnecting normally \[preauth\]
- Received disconnect from \S+ port \S+:11: Bye Bye \[preauth\]
- Connection closed by \S+ port \S+ \[preauth\]
- Connection closed by authenticating user root \S+ port \S+ \[preauth\]
- error: kex_exchange_identification: banner line contains invalid characters
- # error: kex_exchange_identification: client sent invalid protocol identifier "MGLNDD_188.194.209.73_2222"
- # error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
- error: kex_exchange_identification: client sent invalid protocol identifier "[^"]*"
- error: kex_exchange_identification: Connection closed by remote host
- error: kex_exchange_identification: read: Connection reset by peer
- error: kex_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]
- error: kex protocol error: type [0-9]+ seq [0-9]+ \[preauth\]
- error: PAM: Authentication failure for \S+ from \S+
- error: PAM: Authentication failure for illegal user \S+ from \S+
- error: Protocol major versions differ: 2 vs\. 1
- error: beginning MaxStartups throttling
- fatal: Timeout before authentication for \S+ port [0-9]+
- '';
- match = "_SYSTEMD_UNIT = sshd.service";
- }
-
 # TODO: Wait until issue is resolved
 # https://github.com/NixOS/nixpkgs/issues/267857
 # /etc/tmpfiles.d/tmp.conf:11: Duplicate line for path "/tmp", ignoring.
@@ -680,6 +644,48 @@
 # SYSLOG_IDENTIFIER
 #
+ # sshd running on the host system
+ # _SYSTEMD_UNIT = sshd.service
+ # However, sometimes the _SYSTEMD_UNIT field is missing
+ # SYSLOG_IDENTIFIER = sshd
+ {
+ filters = ''
+ Accepted publickey for (root|yoda) from \S+ port \S+ ssh2: RSA SHA256:\S+
+ pam_unix\(sshd:session\): session opened for user \S+ by \S+
+ Received disconnect from \S+ port \S+:11: disconnected by user
+ Disconnected from user \S+ \S+ port \S+
+ pam_unix\(sshd:session\): session closed for user \S+
+ #
+ # Somebody evil ...
+ #
+ Failed keyboard-interactive/pam for invalid user \S+ from \S+ port \S+ ssh2
+ Unable to negotiate with \S+ port \S+: no matching MAC found. Their offer: \S+ \[preauth\]
+ Invalid user \S+ from \S+ port \S+
+ Disconnected from invalid user \S+ \S+ port \S+ \[preauth\]
+ Disconnected from authenticating user root \S+ port \S+ \[preauth\]
+ Received disconnect from \S+ port \S+:11: Client disconnecting normally \[preauth\]
+ Received disconnect from \S+ port \S+:11: Bye Bye \[preauth\]
+ Connection reset by \S+ port \S+ \[preauth\]
+ Connection closed by \S+ port \S+
+ Connection closed by \S+ port \S+ \[preauth\]
+ Connection closed by authenticating user root \S+ port \S+ \[preauth\]
+ error: kex_exchange_identification: banner line contains invalid characters
+ # error: kex_exchange_identification: client sent invalid protocol identifier "MGLNDD_188.194.209.73_2222"
+ # error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
+ error: kex_exchange_identification: client sent invalid protocol identifier "[^"]*"
+ error: kex_exchange_identification: Connection closed by remote host
+ error: kex_exchange_identification: read: Connection reset by peer
+ error: kex_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]
+ error: kex protocol error: type [0-9]+ seq [0-9]+ \[preauth\]
+ error: PAM: Authentication failure for \S+ from \S+
+ error: PAM: Authentication failure for illegal user \S+ from \S+
+ error: Protocol major versions differ: 2 vs\. 1
+ error: beginning MaxStartups throttling
+ fatal: Timeout before authentication for \S+ port [0-9]+
+ '';
+ match = "SYSLOG_IDENTIFIER = sshd";
+ }
+
 {
 filters = ''
 pam_unix\(sudo:session\): session opened for user root\(uid=0\) by (yoda)?\(uid=[0-9]+\)
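Review bot: The new `match = "SYSLOG_IDENTIFIER = sshd"` keys this whole filter block on a field that the logging process supplies itself, whereas the `_SYSTEMD_UNIT` it replaces is a trusted, journald-assigned field (the underscore-prefixed fields of systemd.journal-fields(7)), so any local process that logs under the identifier `sshd` now has its lines matched against, and silenced by, these patterns. If journalwatch's match grammar allows it, a trusted sender field such as `_COMM = sshd` would still cover the entries where `_SYSTEMD_UNIT` is absent without giving up that property; if only one field is accepted, the tradeoff deserves a line in the block's header comment, e.g. `# SYSLOG_IDENTIFIER is set by the sender, not journald: entries from any process tagged "sshd" are filtered too`. With the broader match, the `Accepted publickey for (root|yoda)` line also suppresses successful root logins reported under that identifier, which may be worth keeping visible. The enclosing filter list continues past the end of the hunk.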