Home / server / Questions / 646175
Accepted
Ethabelle
Asked: 2014-11-22 11:45:04 +0800 CST

How do I make sec ignore a timestamp properly

  • 772

I have a rule that is set up like so;

In /etc/sec/rules.d I have;

type=SingleWithSuppress
ptype=regexp
pattern=(\S+) sshd\[\d+\]: PAM \d+ more authentication failures\; logname=.* uid=.* euid=.* tty=ssh ruser=.* rhost=(.*) user=(.*)
desc=Login Failure: $0
action=pipe '%s ' /bin/mail -s "login failure $2 to $3@$1" [email protected]
window=300

So if this came through syslog;

Nov 21 11:24:10 servername.server.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=kloggins

It should match this (which, it does according to my regex editor) according to the pattern;

servername.server.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=kloggins

We were having an issue with spam because the timestamp was changing. So I rewrote the pattern to match everything after the hostname.

However, this doesn't seem to be working and every time a user "authentication fails", I still get an e-mail.

I've been using the following to test;

logger -p syslog.err 'sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= user='

Any ideas? I might just be misunderstanding sec. This is the first time I'm working with it! Any help would be greatly appreciated. Thanks!

linux

1 Answers

  1. Best Answer

    Well, after almost a day of hair pulling, I finally understand a) how to do it and b) a misconception I have about sec.

    In reading the sec man page and it describes desc= as essentially showing the match. So in my mind, that meant it should show whatever was matched in pattern. Well, yes, that is true, in this case the match in that pattern is the; hostname, rhost, and user.

    So when I'm doing desc= Login Failure: $0 , I'm keying off the entire line. That's bad.

    So instead I changed it to key off the username and hostname, which then causes it to adhere to the window=300 rule since the timestamp (entire line) wasn't changing; aka, the following rundown;

    /etc/sec/rules.d/ssh.sec

    type=SingleWithSuppress
ptype=regexp
pattern=(\S+) sshd\[\d+\]: PAM \d+ more authentication failures\; logname=.* uid=.* euid=.* tty=ssh ruser=.* rhost=(.*) user=(.*)
desc=Login Failure: $3@$1
action=pipe '%s $0' /bin/mail -s "Login Failure: $3@$1" [email protected]
window=300

    Error Line

    Nov 21 01:58:10 test.test.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.test.com user=kloggins

    It will notice the user [email protected] and will not report on it unless it happens again after 300 seconds, because it keyed off [email protected].

    I've tested it several times now, it's a 'werkin.

    • 11