Expand SSH and cron filters

Cron is pretty much done, SSH needs some more work.
strugee · Nov 30, 2017 · 4a17536 · 4a17536
1 parent a1a1949
commit 4a17536
Showing 1 changed file with 29 additions and 1 deletion.
diff --git a/usr/local/bin/find-interesting-logs b/usr/local/bin/find-interesting-logs
@@ -6,8 +6,36 @@ cd /var/log
 # TODO sendmail.st and utx.* are apparently garbage?
 # TODO investigate setuid.today
 # TODO normalize Tor log dates
+# TODO don't invoke like a thousand `grep` processes
+
+filter_cron() {
+	egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(root\) CMD \(/usr/libexec/atrun\)' \
+	| egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(operator\) CMD \(/usr/libexec/save-entropy\)' \
+	| egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(root\) CMD \(newsyslog\)' \
+	| egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(root\) CMD \(adjkerntz -a\)' \
+	| egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(root\) CMD \(periodic daily\)' \
+	| egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(root\) CMD \(periodic weekly\)' \
+	| egrep -v '/usr/sbin/cron\[[[:digit:]]{3,7}\]: \(root\) CMD \(periodic monthly\)'
+}
+
+filter_sshd() {
+	# https://stackoverflow.com/a/5284410/1198896
+	IP_REGEX='(:?[[:digit:]]{1,3}.?){4}'
+	egrep -v 'sshd\[[[:digit:]]{3,7}\]: Invalid user [[:alnum:]]+ from '"$IP_REGEX"'$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: input_userauth_request: invalid user [[:alnum:]]+ \[preauth\]$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: error: maximum authentication attempts exceeded for [[:alnum:]]+ from '"$IP_REGEX"' port [[:digit:]]+ ssh2 \[preauth\]' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: error: maximum authentication attempts exceeded for invalid user [[:alnum:]]+ from '"$IP_REGEX"' port [[:digit:]]+ ssh2 \[preauth\]' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: error: authentication error for illegal user [[:alnum:]]+ from '"$IP_REGEX"'$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: Received disconnect from '"$IP_REGEX"' port [[:digit:]]{4,5}:[[:digit:]]+: disconnected by user$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: Disconnected from '"$IP_REGEX"' port [[:digit:]]{4,5}$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: Connection closed by '"$IP_REGEX"' port [[:digit:]]{4,5} \[preauth\]$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: Connection closed by '"$IP_REGEX"' port [[:digit:]]{4,5}$' \
+	| egrep -v 'sshd\[[[:digit:]]{3,7}\]: Accepted publickey for ec2-user from '"$IP_REGEX"' port [[:digit:]]{4,5} ssh2: RSA SHA256:F0gdpVLYxUP8XO2Vq8ouk5UM72bITq9j4w7vi8jIFRw$'
+}
 
 # sed '' tor/notices.log
 cat auth.log cron debug.log devd.log lpd-errs maillog messages mount.today ppp.log security userlog xferlog \
 | filter-other-days \
-| grep -v 'logfile first created' \
+| fgrep -v 'logfile first created' \
+| filter_cron \
+| filter_sshd