diff --git a/modules/journalwatch.nix b/modules/journalwatch.nix
index 3d3f889..16cc882 100644
--- a/modules/journalwatch.nix
+++ b/modules/journalwatch.nix
@@ -311,6 +311,51 @@
  #
  # _SYSTEMD_UNIT
  #
+ { # yodaHedgehog
+ filters = ''
+ info: OpenSMTPD \S+-portable starting
+ \S+ smtp connected address=local host=${config.networking.hostName}
+ \S+ smtp message msgid=\S+ size=\S+ nrcpt=1 proto=ESMTP
+ \S+ smtp envelope evpid=6942f031b936b01f from=\S+ to=\S+
+ \S+ smtp disconnected reason=quit
+ \S+ mta connecting address=smtps://\S+ host=\S+
+ \S+ mta connected
+ \S+ mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
+ \S+ mta cert-check result=\\"valid\\" fingerprint=\S+
+ \S+ mta delivery evpid=\S+ from=\S+ to=\S+ rcpt=<-> source=\S+ relay="\S+ \(\S+\)" delay=\S+ result="Ok" stat="250 2.0.0 Ok: queued as \S+"
+ \S+ mta disconnected reason=quit messages=1
+ Exiting
+ '';
+ match = "_SYSTEMD_UNIT = opensmtpd.service";
+ }
+
+ { # yodaYoga, yodaNas
+ filters = ''
+ Accepted publickey for root from \S+ port \S+ ssh2: RSA SHA256:\S+
+ pam_unix\(sshd:session\): session opened for user root\(uid=0\) by \(uid=0\)
+ Received disconnect from \S+ port \S+:11: disconnected by user
+ Disconnected from user root \S+ port \S+
+ pam_unix\(sshd:session\): session closed for user root
+ #
+ # Somebody evil ...
+ #
+ error: kex_exchange_identification: banner line contains invalid characters
+ # error: kex_exchange_identification: client sent invalid protocol identifier "MGLNDD_188.194.209.73_2222"
+ # error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
+ error: kex_exchange_identification: client sent invalid protocol identifier "[^"]*"
+ error: kex_exchange_identification: Connection closed by remote host
+ error: kex_exchange_identification: read: Connection reset by peer
+ error: kex_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]
+ error: kex protocol error: type [0-9]+ seq [0-9]+ \[preauth\]
+ error: PAM: Authentication failure for \S+ from \S+
+ error: PAM: Authentication failure for illegal user \S+ from \S+
+ error: Protocol major versions differ: 2 vs\. 1
+ error: beginning MaxStartups throttling
+ fatal: Timeout before authentication for \S+ port [0-9]+
+ '';
+ match = "_SYSTEMD_UNIT = sshd.service";
+ }
+
  # TODO: Wait until issue is resolved
  # https://github.com/NixOS/nixpkgs/issues/267857
  # /etc/tmpfiles.d/tmp.conf:11: Duplicate line for path "/tmp", ignoring.
@@ -399,25 +444,6 @@
  #
  # SYSLOG_IDENTIFIER
  #
- { # yodaYoga, yodaNas
- filters = ''
- # Somebody evil ...
- error: kex_exchange_identification: banner line contains invalid characters
- # error: kex_exchange_identification: client sent invalid protocol identifier "MGLNDD_188.194.209.73_2222"
- # error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
- error: kex_exchange_identification: client sent invalid protocol identifier "[^"]*"
- error: kex_exchange_identification: Connection closed by remote host
- error: kex_exchange_identification: read: Connection reset by peer
- error: kex_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]
- error: kex protocol error: type [0-9]+ seq [0-9]+ \[preauth\]
- error: PAM: Authentication failure for \S+ from \S+
- error: PAM: Authentication failure for illegal user \S+ from \S+
- error: Protocol major versions differ: 2 vs\. 1
- error: beginning MaxStartups throttling
- fatal: Timeout before authentication for \S+ port [0-9]+
- '';
- match = "SYSLOG_IDENTIFIER = sshd";
- }
  {
  filters = ''
  # yodaTux. If the user `yoda` runs a command with `sudo`.
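Review bot: The new sshd filter line `Accepted publickey for root from \S+ port \S+ ssh2: RSA SHA256:\S+` drops every successful root login from the journalwatch report regardless of source address or key, so an interactive root login with an unexpected key or from an unexpected host would be silenced together with the routine ones; the old block filtered only failed/garbage connection attempts. Pinning the pattern to the keys that are actually authorized, e.g. `Accepted publickey for root from \S+ port \S+ ssh2: RSA SHA256:<fingerprint-of-authorized-key>` (one line per key), keeps the noise out while still surfacing any other root login, and the same applies to the following `session opened for user root` and `Disconnected from user root` lines if they are meant to pair with it. Separately, in the opensmtpd block the line `\S+ smtp envelope evpid=6942f031b936b01f from=\S+ to=\S+` carries a literal envelope id copied from one log line, so it will match only that single message and every later envelope line will still be reported; it should read `\S+ smtp envelope evpid=\S+ from=\S+ to=\S+` like the `mta delivery` line below it.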