Triladers Tech Blog

Additional Rules for Logcheck on Debian Wheezy

I recently installed a utility called logcheck on my server. It runs once per hour, scans the syslog for suspicious entries such as someone trying to guess passwords or doing other not so nice things, and mails me whatever it finds. The problem, however, is that the default rule sets shipped by Debian don't cover all the software on my server that writes to the syslog.

One of them is Dovecot. It is included in Debian and there are rules for it as well, but they aren't complete enough, or they report things that I consider unimportant. Another service I run is spampd, an anti-spam filter that works together with Postfix to keep the spammers at bay. Debian ships no rules for it at all, so I had to write my own set.

The rule files themselves are plain text files with one rule per line, written in POSIX extended regex syntax. Every log entry that matches a rule is ignored; everything else is accumulated and sent to me by email. Because a matching rule silences a line for good, each pattern should be as tight as possible: anchor it with ^ and $ and match only the exact field shapes you expect, otherwise a rule written for a harmless message can also swallow the entries you installed logcheck to see.

Here I document my rules for anyone who wants to use them. One thing to be aware of: the imap-login rule below silences every successful login, so if you want to be told about logins from unexpected addresses, restrict the rip= part to your own networks instead of accepting any address.

Rules for Spampd (spampd)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spampd\[[[:digit:]]+\]: processing message (<[-_@#+./[:alnum:]]+>|\(unknown\)) for <[-_.@[:alnum:]]+> (ORCPT=(rfc822;)?[-_.@[:alnum:]]+)( NOTIFY=FAILURE,DELAY)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spampd\[[[:digit:]]+\]: clean message (<[-_@#+./[:alnum:]]+>|\(unknown\)) \([-[:digit:]\.\/]+\) from <[-_.@+=[:alnum:]]+> for <[-_.@[:alnum:]]+> (ORCPT=(rfc822;)?[-_.@[:alnum:]]+)( NOTIFY=FAILURE,DELAY)? in [[:digit:]\.]+s, [[:digit:]]+ bytes.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spampd\[[[:digit:]]+\]: skipped large message \([.[:digit:]]+KB\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server hit by SIGHUP, restarting$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: server started on port 783\/tcp \(running version [.[:digit:]]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd\[[[:digit:]]+\]: spamd: child \[[[:digit:]]+\] killed successfully: interrupted, signal 2 \(0002\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ spamd.pid\[[[:digit:]]+\]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 2 --helper-home-dir -d --pidfile=/var/run/spamd.pid'$
Extra rules for Dovecot (dovecot-extra)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lda\([-_.@[:alnum:]]+\): sieve: msgid=<[-_.@[:alnum:]]+>: stored mail into mailbox '[-_.@[:alnum:]]+'$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([[:digit:]]+\): mysql\([.:[:xdigit:]]+\): Connected to database [-_[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=<[-_.@[:alnum:]]+>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[[:digit:]]+, (TLS(: SSL_read\(\) syscall failed: Connection reset by peer)?|secured), session=<[-\/+_[:alnum:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected: Logged out bytes=[[:digit:]\/]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected: Logged out in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected for inactivity bytes=[[:digit:]\/]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected for inactivity in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected: Disconnected in IDLE in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|secured), session=<[-\/+_[:alnum:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected: Inactivity \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS( handshaking)?, session=<[-\/+_[:alnum:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS((: SSL_read\(\)| handshaking: SSL_accept\(\)) syscall failed: Connection reset by peer)?|secured), session=<[-\/+_[:alnum:]]+>$
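Before dropping a rule file into /etc/logcheck/ignore.d.server/ (the directory logcheck reads at Debian's default server report level), it pays to run it over a few lines by hand and confirm that the harmless entries disappear while a failed login still gets through. The script below is an added example and not part of the original post: it applies two of the Dovecot rules above the way logcheck does, with grep -E -v -f on the rule file, to three constructed syslog lines and prints the ones that would still be reported. The log lines, the hostname "mail" and the addresses are made up for the test; GNU grep is assumed, because \w in the rules is a GNU extension.

```shell
#!/bin/sh
# Added example: dry-run logcheck ignore rules against constructed log lines.
# logcheck itself drops every line that matches a rule with `grep -E -v -f`,
# so doing the same by hand shows exactly what would end up in the mail.
# Assumes GNU grep (the rules use \w). Log lines below are constructed test data.

rules_file=$(mktemp)
log_file=$(mktemp)
trap 'rm -f "$rules_file" "$log_file"' EXIT

# Two rules from the dovecot-extra set, one per line, POSIX ERE.
cat > "$rules_file" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected: Logged out in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|secured), session=<[-\/+_[:alnum:]]+>$
EOF

# Constructed syslog lines: two harmless ones and one failed login that a
# sane rule set must NOT silence.
cat > "$log_file" <<'EOF'
Mar  3 10:15:02 mail dovecot: imap(alice@example.org): Disconnected: Logged out in=214 out=1587
Mar  3 10:16:40 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<Ab3/xYz+Q1w>
Mar  3 10:17:11 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<Q9z+Tw0/AbC>
EOF

# Lines that survive the ignore rules, i.e. what logcheck would mail.
# `|| :` keeps the function's exit status 0 when nothing survives.
reported_lines() {
    grep -E -v -f "$rules_file" "$log_file" || :
}

# Number of surviving lines, for a quick regression check of a rule file.
reported_count() {
    reported_lines | grep -c . || :
}

# Exit 0 if the single log line in $1 is matched (silenced) by some rule.
is_ignored() {
    printf '%s\n' "$1" | grep -E -q -f "$rules_file"
}

# Show what would be reported; only the failed-login line should appear.
reported_lines
```

The same three functions work unchanged on a real rule file and a real syslog extract: point rules_file at the file you are about to install and log_file at a day's worth of /var/log/syslog, and whatever reported_lines prints is what logcheck will keep nagging you about.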
