
Commit c494b40

authored
Limit GDP log monitor noise for own security scanners (#319)
Add ignores to filter GDP project logout log warnings from our known security scanners. Alternatively such logs could be filtered early during emit, but I'll leave that decision to you @Martin-Rehr
2 parents 31f05f3 + 08c3e32 commit c494b40


2 files changed

+6
-6
lines changed


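--- a/mig/install/migerrors-template.sh.cronjob
+++ b/mig/install/migerrors-template.sh.cronjob
@@ -30,12 +30,12 @@ grep -H "Internal Server Error" $LOGDIR/webdavs.out | tail -n $MAXLINES
 grep -H -A 12 "Traceback" $LOGDIR/webdavs.out | tail -n $MAXLINES
 
 grep -H " ERROR " $LOGDIR/ftps.log | \
-grep -E -v "ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired" | tail -n $MAXLINES
+grep -E -v "ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired" | tail -n $MAXLINES
 
 grep -H " ERROR " $LOGDIR/sftp*.log | \
-grep -E -v "Password authentication failed for|Socket exception: Connection reset by peer|Error reading SSH protocol banner|check_banner|list_folder on missing path|chmod (292|365) rejected on path|symlink rejected on path|ERROR mkdir .* failed: \[Errno 17\] File exists|ERROR rmdir .* failed: \[Errno 39\] Directory not empty|ERROR open .* failed: \[Errno 21\] Is a directory|ERROR open for modify on read-only path|ERROR open existing file on missing path |ERROR Exception.*: Incompatible ssh|ERROR Exception.*: Incompatible version |Exception.*: Invalid SSH banner|ERROR Exception.*: no moduli available|ERROR Exception.*: Expecting packet from \(20,\), got 0|ERROR Socket exception: Connection timed out|ERROR Exception.*: Key-exchange timed out|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|ERROR Exception.*: Client kex .* is out of range|ERROR Exception.*: Expecting packet from .*|ERROR $" | tail -n $MAXLINES
+grep -E -v "Password authentication failed for|Socket exception: Connection reset by peer|Error reading SSH protocol banner|check_banner|list_folder on missing path|chmod (292|365) rejected on path|symlink rejected on path|ERROR mkdir .* failed: \[Errno 17\] File exists|ERROR rmdir .* failed: \[Errno 39\] Directory not empty|ERROR open .* failed: \[Errno 21\] Is a directory|ERROR open for modify on read-only path|ERROR open existing file on missing path |ERROR Exception.*: Incompatible ssh|ERROR Exception.*: Incompatible version |Exception.*: Invalid SSH banner|ERROR Exception.*: no moduli available|ERROR Exception.*: Expecting packet from \(20,\), got 0|ERROR Socket exception: Connection timed out|ERROR Exception.*: Key-exchange timed out|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|ERROR Exception.*: Client kex .* is out of range|ERROR Exception.*: Expecting packet from .*|ERROR $" | tail -n $MAXLINES
 
-grep -H " ERROR " $LOGDIR/davs.log | grep -E -v "The handshake operation timed out|decryption failed or bad record mac|length too short|no ciphers specified|(unknown error|parse tlsext|https proxy request) \(_ssl.c:\)|SSL/TLS wrap of .* failed unexpectedly:|Failed password login for .* from ${SECSCANIP}|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|invalid share mode (write|read)-only for " | tail -n $MAXLINES
+grep -H " ERROR " $LOGDIR/davs.log | grep -E -v "The handshake operation timed out|decryption failed or bad record mac|length too short|no ciphers specified|(unknown error|parse tlsext|https proxy request) \(_ssl.c:\)|SSL/TLS wrap of .* failed unexpectedly:|Failed password login for .* from ${SECSCANIP}|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|invalid share mode (write|read)-only for " | tail -n $MAXLINES
 
 grep -H " ERROR " $LOGDIR/chkchroot.log | grep -E -v " from ${SECSCANIP} "| \
 grep -E -v "__CRACK_WEB_REGEX__" | \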
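Review bot: The new `GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with` alternative is pasted verbatim into three separate grep -E -v patterns (lines 33, 36 and 38 of this file, and again in tests/fixture/confs-stdlocal/migerrors), so the next scanner-noise tweak has to be repeated in six places and the patterns can silently drift apart. Defining it once above line 32, e.g. `gdp_scan_noise="GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with"`, and splicing `|${gdp_scan_noise}|` into each pattern keeps the three filters in step. Note also that `${SECSCANIP}` is expanded unescaped inside an ERE, so dots in the address act as wildcards and a value holding several addresses joined by `|` would bind to the surrounding alternation rather than to `from ip: … with`; where SECSCANIP is assigned is outside this hunk, so whether that is already handled cannot be seen here, but escaping the dots or wrapping it as `(${SECSCANIP})` would make the suppression exact. The pipeline this hunk ends on continues past line 41.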

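--- a/tests/fixture/confs-stdlocal/migerrors
+++ b/tests/fixture/confs-stdlocal/migerrors
@@ -30,12 +30,12 @@ grep -H "Internal Server Error" $LOGDIR/webdavs.out | tail -n $MAXLINES
 grep -H -A 12 "Traceback" $LOGDIR/webdavs.out | tail -n $MAXLINES
 
 grep -H " ERROR " $LOGDIR/ftps.log | \
-grep -E -v "ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired" | tail -n $MAXLINES
+grep -E -v "ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired" | tail -n $MAXLINES
 
 grep -H " ERROR " $LOGDIR/sftp*.log | \
-grep -E -v "Password authentication failed for|Socket exception: Connection reset by peer|Error reading SSH protocol banner|check_banner|list_folder on missing path|chmod (292|365) rejected on path|symlink rejected on path|ERROR mkdir .* failed: \[Errno 17\] File exists|ERROR rmdir .* failed: \[Errno 39\] Directory not empty|ERROR open .* failed: \[Errno 21\] Is a directory|ERROR open for modify on read-only path|ERROR open existing file on missing path |ERROR Exception.*: Incompatible ssh|ERROR Exception.*: Incompatible version |Exception.*: Invalid SSH banner|ERROR Exception.*: no moduli available|ERROR Exception.*: Expecting packet from \(20,\), got 0|ERROR Socket exception: Connection timed out|ERROR Exception.*: Key-exchange timed out|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|ERROR Exception.*: Client kex .* is out of range|ERROR Exception.*: Expecting packet from .*|ERROR $" | tail -n $MAXLINES
+grep -E -v "Password authentication failed for|Socket exception: Connection reset by peer|Error reading SSH protocol banner|check_banner|list_folder on missing path|chmod (292|365) rejected on path|symlink rejected on path|ERROR mkdir .* failed: \[Errno 17\] File exists|ERROR rmdir .* failed: \[Errno 39\] Directory not empty|ERROR open .* failed: \[Errno 21\] Is a directory|ERROR open for modify on read-only path|ERROR open existing file on missing path |ERROR Exception.*: Incompatible ssh|ERROR Exception.*: Incompatible version |Exception.*: Invalid SSH banner|ERROR Exception.*: no moduli available|ERROR Exception.*: Expecting packet from \(20,\), got 0|ERROR Socket exception: Connection timed out|ERROR Exception.*: Key-exchange timed out|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|ERROR Exception.*: Client kex .* is out of range|ERROR Exception.*: Expecting packet from .*|ERROR $" | tail -n $MAXLINES
 
-grep -H " ERROR " $LOGDIR/davs.log | grep -E -v "The handshake operation timed out|decryption failed or bad record mac|length too short|no ciphers specified|(unknown error|parse tlsext|https proxy request) \(_ssl.c:\)|SSL/TLS wrap of .* failed unexpectedly:|Failed password login for .* from ${SECSCANIP}|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|invalid share mode (write|read)-only for " | tail -n $MAXLINES
+grep -H " ERROR " $LOGDIR/davs.log | grep -E -v "The handshake operation timed out|decryption failed or bad record mac|length too short|no ciphers specified|(unknown error|parse tlsext|https proxy request) \(_ssl.c:\)|SSL/TLS wrap of .* failed unexpectedly:|Failed password login for .* from ${SECSCANIP}|ERROR (Invalid user(name)?|auth failed) .* from ${SECSCANIP}|${SECSCANIP}, .* Invalid user(name)?|GDP: Project logout failed for user: .* from ip: ${SECSCANIP} with|Invalid username [a-zA-Z0-9._-]* from|ERROR Account disabled or expired|invalid share mode (write|read)-only for " | tail -n $MAXLINES
 
 grep -H " ERROR " $LOGDIR/chkchroot.log | grep -E -v " from ${SECSCANIP} "| \
 grep -E -v "((HNAP1|GponForm|provisioning|provision|prov|polycom|yealink|CertProv|phpmyadmin|admin|cfg|wp|wordpress|cms|blog|old|new|test|dev|tmp|temp|remote|mgmt|properties|authenticate|tmui|ddem|a2billing|vtigercrm|secure|rpc|recordings|dana-na)(/.*|)|.*(Login|login|logon|configuration|header|admin|index)\.(php|jsp|asp)|(api/v1/pods|Telerik.Web.UI.WebResource.axd))" | \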
