###
###	ssh daemons
### $Id: ssh.txt,v 1.1 2002/03/09 18:26:23 emf Exp $
###

###
### SSH 
###
### Routine sshd messages. Each rule is: match regex, then "- - -" (no
### not-match, stop or not-stop regex), rule timeout 0, and the action.
### Every rule in this group uses "ignore", so a matching line produces no
### alert from this file.
### NOTE(review): logsurfer normally stops at the first rule that matches, so
### these rules take precedence over the alerting rules further down. Most
### patterns allow ".*" between "sshd\[" and the message text, which means the
### message text may match anywhere in the line, including inside a field the
### remote side chooses (e.g. a login name), if sshd logs it verbatim.
### Consider anchoring the message directly after "sshd\[[0-9]+\]: " so that
### a crafted field cannot make an alert-worthy line fall into an ignore rule.
'.* sshd\[.* Generating new .* key.*' - - - 0 ignore
'.* sshd\[.* key generation complete.*' - - - 0 ignore
'.* sshd\[.* error: accept: Connection reset by peer' - - - 0 ignore
'.* sshd\[.* Warning:.* keysize mismatch: actual 1023 vs. announced 1024.' - - - 0 ignore
### NOTE(review): successful and postponed authentications are dropped here,
### so this file never reports a login that succeeds after repeated failures.
### Confirm that this is intended or covered by another rule set.
'^.{16,}(.*) sshd\[.* (Accepted|Postponed) (.*) for (.*) from (.*) port (.*).*' - - - 0 ignore
'^.{16,}(.*) sshd\[.* log: Connection from (.*) port (.*)' - - - 0 ignore
'^.{16,}(.*) sshd\[.* log: RSA authentication for (.*) accepted.*' - - - 0 ignore
'^.{16,}(.*) sshd\[.* Setting tty modes failed: Invalid argument.*' - - - 0 ignore
'^.{15,} (.*) sshd\[.* log: Could not reverse map address (.*)' - - - 0 ignore
'^.{15,} (.*) sshd\[.* log: (Closing connection to|Connection closed by) (.*)' - - - 0 ignore
### Probe and scanner signatures: no identification string, a bad protocol
### version string, and the scanssh banner.
### As used in this file, $2 is the first parenthesised group (the logging
### host) and later groups follow in order, so the peer is $4 in the first
### rule and $3 in the other two.
### Each rule opens a context whose match regex is the peer string, with no
### not-match regex, a 5000-line limit, and timeouts of 1800 s (absolute) and
### 90 s (relative). The indented "report" line is the context's action: it
### runs surfmailer to root with the lines of the context named by the last
### argument.
### NOTE(review): the peer string is copied from the log line and used
### unescaped as a regex. "." matches any character and the regex is not
### anchored, so a context for one address also collects lines for other
### addresses that merely contain that pattern. If sshd logs a
### reverse-resolved name instead of an address, the remote party chooses
### that value. Confirm how logsurfer tokenises the expanded command line
### before relying on the \"...\" quoting around the subject.
'^.{15,} (.*) sshd\[.* Did not receive (ident|identification) string from (.*)' - - - 0
	open "$4" - 5000 1800 90
        report "/usr/local/bin/surfmailer -r root -S \"security incident from $4\"" "$4" 
'^.{15,} (.*) sshd\[.* Bad protocol version identification .* from (.*)' - - - 0
	open "$3" - 5000 1800 90
	report "/usr/local/bin/surfmailer -r root -S \"security incident from $3\"" "$3"
### NOTE(review): in the report below, "(scanssh)" sits after the closing \"
### of the -S subject, so it is presumably passed to surfmailer as a separate
### argument rather than as part of the subject. Verify and move it inside
### the quotes if the subject was meant to carry it.
'^.{15,} (.*) sshd\[.* scanned from (.*) with SSH-1.0-SSH_Version_Mapper' - - - 0
	open "$3" - 5000 1800 90
	report "/usr/local/bin/surfmailer -r root -S \"security incident from $3\" (scanssh)" "$3"
### "Corrupted check bytes on input" disconnects. The pattern captures only
### the logging host ($2, the first parenthesised group), so the context is
### keyed on that host rather than on a peer. It has a 100-line limit and
### timeouts of 1800 s (absolute) and 90 s (relative). The report mails root
### with the host named in the subject.
### NOTE(review): the context regex is the bare host string, so it presumably
### collects any log line that contains the host name, not only sshd lines.
### With the 100-line limit this may fill with unrelated traffic on a busy
### host. Consider narrowing it to "$2 sshd".
'^.{15,} (.*) sshd\[.* Disconnecting: Corrupted check bytes on input.' - - - 0
	open "$2" - 100 1800 90
        report "/usr/local/bin/surfmailer -r root -S \"Possible SSH Attack in progress against $2\"" "$2" 
### Failed password attempts. Groups as used below: $2 = logging host,
### $3 = text between "sshd[" and "]:" (the pid), $4 = text between "for" and
### "from" (the account as logged), $5 = peer.
### The rule opens a context keyed on host plus sshd pid, with a 5000-line
### limit and timeouts of 10800 s (absolute) and 300 s (relative). The report
### mails root with the account, host and peer in the subject.
### NOTE(review): the match regex requires "sshd[pid]:", but the context and
### report regex is written "sshd:\\[$3\\]:", with an extra ":" before the
### bracket. As written it does not appear to match the lines that trigger
### this rule, so the mailed context may be empty. Confirm, and drop the
### colon if so.
### NOTE(review): $4 and $5 come from text the remote side can influence (the
### account name it tried, and possibly a resolved host name). They are
### placed into the surfmailer command line, and the groups are greedy
### "(.*)". Verify how logsurfer splits the expanded command, and consider
### restricting the groups (e.g. "[^ ]+") so that embedded spaces or quotes
### cannot shift fields or arguments.
'^.{15,} (.*) sshd\[(.*)\]: Failed password for (.*) from (.*) port .*' - - - 0
	open "$2 sshd:\\[$3\\]:" - 5000 10800 300
	report "/usr/local/bin/surfmailer -r root -S \"SSH LOGIN FAILED for $4@$2 from $5\"" "$2 sshd:\\[$3\\]:"

