##########################################################################
# $Id: sshd,v 1.44 2005/05/21 22:47:48 bjorn Exp $
##########################################################################
# $Log: sshd,v $
# Revision 1.44  2005/05/21 22:47:48  bjorn
# Provide summary per IP address, cleaned up "illegal" vs. "invalid"
# usage, removed duplicate code, all submitted by Gilles Detillieux
#
# Revision 1.43  2005/04/20 17:19:32  bjorn
# Remove pam_unix, for Debian
#
# Revision 1.42  2005/04/17 23:29:23  bjorn
# Reporting changes and pam filtering from Paweł Gołaszewski and Willi Mann
#
# Revision 1.41  2005/02/24 17:08:05  kirk
# Applying consolidated patches from Mike Tremaine
#
# Revision 1.9  2005/02/13 22:50:46  mgt
# patches from Pawel -mgt
#
# Revision 1.8  2005/02/13 21:26:13  mgt
# patches from Michael Weiser -mgt
#
# Revision 1.7  2005/02/13 21:03:40  mgt
# Patch from Jeffery ? -mgt
#
# Revision 1.6  2004/10/06 21:40:44  mgt
# Patches from Kenneth -mgt
#
# Revision 1.5  2004/07/29 19:33:29  mgt
# Chmod and removed perl call -mgt
#
# Revision 1.4  2004/07/27 00:23:07  mgt
# Suse 9.1 fix -mgt
#
# Revision 1.3  2004/07/10 01:54:36  mgt
# sync with kirk -mgt
#
# Revision 1.38  2004/06/23 15:01:17  kirk
# - Added more patches from blues@ds.pg.gda.pl
#
# Revision 1.37  2004/02/03 19:13:14  kirk
# More Solaris patches from Sean Boran <sean@boran.com>
#
# Revision 1.36  2004/02/03 18:39:34  kirk
# Patches from [ISO-8859-2] Pawe? Go?aszewski" <blues@ds.pg.gda.pl>
#
# Revision 1.35  2004/02/03 03:52:20  kirk
# Added mailscanner filter and more Solaris support from Mike Tremaine <mgt@stellarcore.net>
#
# Revision 1.34  2004/02/03 02:45:26  kirk
# Tons of patches, and new 'oidentd' and 'shaperd' filters from
# Pawe? Go?aszewski" <blues@ds.pg.gda.pl>
#
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to logwatch-devel@logwatch.org
########################################################

use Logwatch ':all';

$Debug = ValueOrDefault($ENV{'LOGWATCH_DEBUG'}, 0);
$Detail = ValueOrDefault($ENV{'LOGWATCH_DETAIL_LEVEL'}, 0);

# Avoid "Use of uninitialized value" warning messages.
sub ValueOrDefault {
	my ($value, $default) = @_;
	return ($value ? $value : $default);
}

# No sense in running if 'sshd' doesn't even exist on this system...
#unless (( -f "/usr/sbin/sshd" ) or ( -f "/usr/local/sbin/sshd") or ( -f "/usr/lib/ssh/sshd")) {
#	exit (0);
#}

my $sftpRequests = 0;

if ( $Debug >= 5 ) {
	print STDERR "\n\nDEBUG: Inside SSHD Filter \n\n";
	$DebugCounter = 1;
}

while (defined($ThisLine = <STDIN>)) {
   if ( $Debug >= 5 ) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }
   chomp($ThisLine);
   if (
       ($ThisLine =~ /^pam_succeed_if: requirement "uid < 100" not met by user /) or
       ($ThisLine =~ m/^(log: )?$/ ) or
       ($ThisLine =~ m/^(log: )?\^\[\[60G/ ) or
       ($ThisLine =~ m/^(log: )? succeeded$/ ) or
       ($ThisLine =~ m/^(log: )?Closing connection to/) or
       ($ThisLine =~ m/^(log: )?Starting sshd:/ ) or
       ($ThisLine =~ m/^(log: )?sshd \-TERM succeeded/ ) or
       ($ThisLine =~ m/^Bad protocol version identification .*:? [\d.]+/ ) or
       ($ThisLine =~ m/^Bad protocol version identification.*Big-Brother-Monitor/ ) or
       ($ThisLine =~ m/^Connection closed by/) or
       ($ThisLine =~ m/^Disconnecting: Command terminated on signal \d+/) or
       ($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
       ($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
       ($ThisLine =~ m/Connection from .* port /) or
       ($ThisLine =~ m/Postponed keyboard-interactive for [^ ]+ from [^ ]+/) or
       ($ThisLine =~ m/Read from socket failed/) or
       ($ThisLine =~ m/sshd startup\s+succeeded/) or
       ($ThisLine =~ m/sshd shutdown\s+succeeded/) or
       ($ThisLine =~ m/^Invalid user \S+ from [^ ]+/) or 
       ($ThisLine =~ m/^\(pam_unix\) .*/)
   ) {
      # Ignore these
   } elsif ($ThisLine =~ /^Accepted (\S+) for (\S+) from ([\d\.:a-f]+) port (\d+)/) {
      if ($Debug >= 5) {
         print STDERR "DEBUG: Found -$2 logged in from $3 using $1\n";
      }
      if ($Detail >= 20) {
         $Users{$2}{$3}{$1}++;
      } else {
         $Users{$2}{$3}{"(all)"}++;
      }
   } elsif ( ($Method, undef,$User,$Host,$Port) = ($ThisLine =~ m/^Failed (\S+) for (illegal|invalid) user (.*) from ([^ ]+) port (\d+)/ ) ) { #openssh
      $IllegalUsers{$Host}{"$User/$Method"}++;
   } elsif ( ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures for ([^ ]+)/)) {
      $TooManyFailures{$User}++;
   } elsif ( (undef,$User) = ($ThisLine =~ /^input_userauth_request: (illegal|invalid) user (.*)$/ )) {
      $IllegalUsers{"unknown"}{"$User/none"}++;
   } elsif ( (undef,$User,$Host) =($ThisLine =~ m/^(Illegal|Invalid) user (.*) from ([^ ]+)/ ) ) { #redhat thing
      # Actually we won't count these because they're always followed by a
      # failed login entry...
      #$IllegalUsers{$Host}{"$User/none"}++;
   } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh
      $name = LookupIP($3);
      $NoIdent{$name}++;
   } elsif ( ($Host) = ($ThisLine =~ /Could not write ident string to ([^ ]+)$/ )) {
      $name = LookupIP($Host);
      $NoIdent{$name}++;
   } elsif (
      ($ThisLine =~ m/^fatal: Connection closed by remote host\./ ) or
      ($ThisLine =~ m/^fatal: Read error from remote host: Connection reset by peer/ ) or
      ($ThisLine =~ m/^fatal: Read from socket failed: No route to host/) or
      ($ThisLine =~ m/^fatal: Write failed: Network is unreachable/ ) or
      ($ThisLine =~ m/^fatal: Write failed: Broken pipe/) or
      ($ThisLine =~ m/^error: chan_shutdown_read failed for .+/)
   ) {
      $NetworkErrors++;
   } elsif ( $ThisLine =~ m/^(log: )?Received (signal 15|SIG...); (terminating|restarting)\./) { #ssh/openssh
      $Kills++;
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG: Found -Signal 15 Terminating- line\n";
      }
   } elsif ( $ThisLine =~ m/^(log: )?Server listening on( [^ ]+)? port \d+/ ) { #ssh/openssh
      $Starts++;
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG: Found -Listening on port 22- line\n";
      }
   } elsif ( ($Port,$Address,$Reason) = ($ThisLine =~ /^error: Bind to port ([^ ]+) on ([^ ]+) failed: (.+).$/ )) {
      $Temp = "$Address port $Port ($Reason)";
      $BindFailed{$Temp}++;
   } elsif ( $ThisLine =~ m/^(log: )?Generating .* \w+ key\./ ) { # ssh/openssh
      # Don't care about this...
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG: Found -Generating RSA key- line\n";
      }
   } elsif ( $ThisLine =~ m/^packet_set_maxsize: /) {
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG: Found -packet_set_maxsize- line\n";
      }
   } elsif ( $ThisLine =~ m/^(log: )?\w+ key generation complete\./ ) { # ssh/openssh
      # Don't care about this...
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG: Found -Keygen complete- line\n";
      }
   } elsif ( ($Method,$User,$Host,undef) = ( $ThisLine =~ m/^Failed (\w+) for (\S+) from ([^ ]+) port (\d+)/ ) ) { #openssh
      # depending on log mode, openssh may not report these in connection context.
      if ( $Debug >= 5 ) {
         print STDERR "DEBUG: Found -Failed login- line\n";
      }
      $BadLogins{$Host}{"$User/$Method"}++;
   } elsif ($ThisLine =~ s/^(log: )?Could not reverse map address ([^ ]*).*$/$2/) {
      $NoRevMap{$ThisLine}++;
   } elsif ( ($Address) = ($ThisLine =~ /^reverse mapping checking getaddrinfo for ([^ ]*) failed - POSSIBLE BREAKIN ATTEMPT!/)) {
      $NoRevMap{$Address}++;
   } elsif ( ($IP,$Address) = ($ThisLine =~ /^Address ([^ ]*) maps to ([^ ]*), but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!/)) {
      $NoRevMap{"$Address($IP)"}++;
   } elsif ( (undef,$Address) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: can't verify hostname: getaddrinfo\(([^ ]*), AF_INET\) failed$/)) {
      $NoRevMap{$Address}++;
   } elsif ( $ThisLine =~ m/subsystem request for sftp/ ) {
      $sftpRequests++;
   } elsif ( $ThisLine =~ m/refused connect from (.*)$/ ) {
      $RefusedConnections{$1}++;
   } elsif ( ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
      $RefusedAuthentication{$Reason}++;
   } elsif ( ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*): (.*)$/)) {
      $DisconnectReceived{$Reason}{$Host}++;
   } elsif ( ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
      $RootLogin{$Host}++;
   } elsif ( ($Error) = ($ThisLine =~ /^Cannot release PAM authentication\[\d\]: (.*)$/)) {
      $PamReleaseFail{$Error}++;
   } elsif ( ($Error) = ( $ThisLine =~ m/^error: PAM: (.*)$/)) {
      $PamError{$Error}++;
   } elsif ( ($Error) = ( $ThisLine =~ m/^error: Could not get shadow information for (.*)$/)) {
      $ShadowInfo{$Error}++;
   } elsif ( ($Reason) = ($ThisLine =~ /^Setting tty modes failed: (.*)$/)) {
      $TTYModesFail{$Reason}++;
   } elsif ( ($User,undef) = ($ThisLine =~ /^User ([^ ]*) not allowed because ([^ ]*) exists$/)) {
      $LoginLock{$User}++;
   } elsif ( ($Method,$User,$Host) = ($ThisLine =~ /^Postponed ([^ ]*) for (invalid user [^ ]*|illegal user [^ ]*|[^ ]*) from ([^ ]*) port \d+ ssh/)) {
      $PostPonedAuth{"$User/$Method"}{$Host}++;
      $IllegalUsers{$Host}{"$User/$Method"}++;
   } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because account is locked/)) {
      $LockedAccount{$User}++;
   } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because not listed in AllowUsers/)) {
      $AllowUsers{$User}++;
   } elsif ( ($IP) = ($ThisLine =~ /^scanned from ([^ ]*)/) ) {
      push @Scanned, LookupIP($IP);
   } elsif ( ($Line,$Option) = ($ThisLine =~ /^rexec line (\d+): Deprecated option (.*)$/)) {
      $DeprecatedOption{"$Option - line $Line"}++;
   } else {
      # Report any unmatched entries...
      unless ($ThisLine =~ /fwd X11 connect/) {
         push @OtherList, "$ThisLine\n";
      }
   }
}

###########################################################

if ($NetworkErrors) {
   print "\nNetwork Read Write Errors: " . $NetworkErrors . "\n";
}
if ($Kills) {
   print "\nSSHD Killed: " . $Kills . " Time(s)\n";
}
if ($Starts) {
   print "\nSSHD Started: " . $Starts . " Time(s)\n";
}

if (keys %DeprecatedOption) {
   print "\nDeprecated options in SSH config:\n";
   foreach $Option (sort {$a cmp $b} keys %DeprecatedOption) {
      print "   $Option\n";
   }
}

if (keys %RootLogin) {
   print "\n\nWARNING!!!\n";
   print "Refused ROOT login attempt from:\n";
   foreach $Host (sort {$a cmp $b} keys %RootLogin) {
      print "   $Host : $RootLogin{$Host} Time(s)\n";
   }
}

if (keys %BindFailed) {
   print "\nFailed to bind:\n";
   foreach $ThisOne (sort {$a cmp $b} keys %BindFailed) {
      print "   $ThisOne : $BindFailed{$ThisOne} Time(s)\n";
   }
}

if ($Detail >= 10) {
   if (keys %NoRevMap) {
      print "\nCouldn't resolve these IPs:\n";
      foreach $ThisOne (sort {$a cmp $b} keys %NoRevMap) {
         print "   $ThisOne: $NoRevMap{$ThisOne} Time(s)\n";
      }
   }
   if (keys %NoIdent) {
      print "\nDidn't receive an ident from these IPs:\n";
      foreach $ThisOne (sort {$a cmp $b} keys %NoIdent) {
         print "   $ThisOne: $NoIdent{$ThisOne} Time(s)\n";
      }
   }
}

if ($#BadRSA >= 0) {
   print "\nReceived a bad response to RSA challenge from these:\n";
   foreach $ThisOne (@BadRSA) {
      print "   $ThisOne\n";
   }
}

if (keys %TooManyFailures) {
   print "\nDisconnecting after too many authentication failures for user:\n";
   foreach $User (sort {$a cmp $b} keys %TooManyFailures) {
      print "   $User : $TooManyFailures{$User} Time(s)\n";
   }
}

if (keys %BadLogins) {
   print "\nFailed logins from these:\n";
   foreach $ip (sort SortIP keys %BadLogins) {
      my $name = LookupIP($ip);
      my $totcount = 0;
      foreach my $user (keys %{$BadLogins{$ip}}) {
         $totcount += $BadLogins{$ip}{$user};
      }
      my $plural = ($totcount > 1) ? "s" : "";
      print "   $name: $totcount time$plural\n";
      if ($Detail >= 5) {
         my $sort = CountOrder(%{$BadLogins{$ip}});
         foreach my $user (sort $sort keys %{$BadLogins{$ip}}) {
            my $val = $BadLogins{$ip}{$user};
            my $plural = ($val > 1) ? "s" : "";
            print "      $user: $val time$plural\n";
         }
      }
   }
}

if (keys %IllegalUsers) {
   print "\nIllegal users from these:\n";
   foreach $ip (sort SortIP keys %IllegalUsers) {
      my $name = LookupIP($ip);
      my $totcount = 0;
      foreach my $user (keys %{$IllegalUsers{$ip}}) {
         $totcount += $IllegalUsers{$ip}{$user};
      }
      my $plural = ($totcount > 1) ? "s" : "";
      print "   $name: $totcount time$plural\n";
      if ($Detail >= 5) {
         my $sort = CountOrder(%{$IllegalUsers{$ip}});
         foreach my $user (sort $sort keys %{$IllegalUsers{$ip}}) {
            my $val = $IllegalUsers{$ip}{$user};
            my $plural = ($val > 1) ? "s" : "";
            print "      $user: $val time$plural\n";
         }
      }
   }
}

if (keys %LockedAccount) {
   print "\nLocked account login attempts:\n";
   foreach $User (sort {$a cmp $b} keys %LockedAccount) {
      print "   $User : $LockedAccount{$User} Time(s)\n";
   }
}

if (keys %AllowUsers) {
   print "\nLogin attempted when not in AllowUsers list:\n";
   foreach $User (sort {$a cmp $b} keys %AllowUsers) {
      print "   $User : $AllowUsers{$User} Time(s)\n";
   }
}

if ((keys %LoginLock) and ($Detail >= 5)) {
   print "\nUser login attempt when nologin was set:\n";
   foreach $User (sort {$a cmp $b} keys %LoginLock) {
      print "   $User : $LoginLock{$User} Time(s)\n";
   }
}

if (keys %PostPonedAuth) {
   print "\nPostponed authentication:\n";
   foreach $User (sort {$a cmp $b} keys %PostPonedAuth) {
      print "   $User:\n";
      foreach $Host (sort {$a cmp $b} keys %{$PostPonedAuth{$User}}) {
         print "      $Host: $PostPonedAuth{$User}{$Host} Time(s)\n";
      }
   }
}

if (keys %Users) {
   print "\nUsers logging in through sshd:\n";
   foreach $user (sort {$a cmp $b} keys %Users) {
      print "   $user:\n";
      my $totalSort = TotalCountOrder(%{$Users{$user}}, \&SortIP);
      foreach my $ip (sort $totalSort keys %{$Users{$user}}) {
         my $name = LookupIP($ip);
         if ($Detail >= 20) {
            print "      $name:\n";
            my $sort = CountOrder(%{$Users{$user}{$ip}});
            foreach my $method (sort $sort keys %{$Users{$user}{$ip}}) {
               my $val = $Users{$user}{$ip}{$method};
               my $plural = ($val > 1) ? "s" : "";
               print "         $method: $val time$plural\n";
            }
         } else {
            my $val = (values %{$Users{$user}{$ip}})[0];
            my $plural = ($val > 1) ? "s" : "";
            print "      $name: $val time$plural\n";
         }
      }
   }
}

if (keys %RefusedAuthentication) {
   print "\n\nAuthentication refused:\n";
   foreach $Reason (sort {$a cmp $b} keys %RefusedAuthentication) {
      print "   $Reason : $RefusedAuthentication{$Reason} Time(s)\n";
   }
}

if (keys %DisconnectReceived) {
   print "\n\nReceived disconnect:\n";
   foreach $Reason (sort {$a cmp $b} keys %DisconnectReceived) {
      print "   $Reason\n";
      foreach $Host (sort {$a cmp $b} keys %{$DisconnectReceived{$Reason}}) {
         print "      $Host : $DisconnectReceived{$Reason}{$Host} Time(s)\n";
      }
   }
}

if ($#Scanned >= 0) {
   print "\nScanned from these:\n";
   foreach $ThisOne (sort SortIP @Scanned) {
      print "   " . $ThisOne . "\n";
   }
}

if (keys %RefusedConnections) {
   print "\nRefused incoming connections:\n";
   foreach my $badguy (sort {$a cmp $b} keys %RefusedConnections ) {
      print "      $badguy: " . $RefusedConnections{$badguy} . " Time(s)\n";
   }
}

if (keys %PamReleaseFail) {
   print "\nCannot release PAM authentication:\n";
   foreach $Error (sort {$a cmp $b} keys %PamReleaseFail) {
      print "   $Error : $PamReleaseFail{$Error} Time(s)\n";
   }
}

if (keys %ShadowInfo) {
   print "\nCould not get shadow information for:\n";
   foreach $Error (sort {$a cmp $b} keys %ShadowInfo) {
      print "   $Error : $ShadowInfo{$Error} Time(s)\n";
   }
}

if (keys %PamError) {
   print "\nError in PAM authentication:\n";
   foreach $Error (sort {$a cmp $b} keys %PamError) {
      print "   $Error : $PamError{$Error} Time(s)\n";
   }
}

if (keys %TTYModesFail) {
   print "\nSetting tty modes failed:\n";
   foreach $Reason (sort {$a cmp $b} keys %TTYModesFail) {
      print "   $Reason : $TTYModesFail{$Reason} Time(s)\n";
   }
}

if ($sftpRequests > 0) {
   print "\nSFTP subsystem requests: $sftpRequests Time(s)\n";
}

if ($#OtherList >= 0) {
   print "\n**Unmatched Entries**\n";
   print @OtherList;
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
