#### SSH
Apr 10 02:43:29 quasar sshd[50112]: Connection closed by 66.240.236.119 [preauth]
100 66.240.236.119 4 2
M
Apr 10 02:43:29 quasar sshd[50112]: Connection closed by 2001:db8::a11:beef:7ac0 [preauth]
100 2001:db8::a11:beef:7ac0 6 2
M
Jun 19 09:08:14 isori sshd[93628]: Connection closed by authenticating user root 192.168.7.7 port 42728 [preauth]
100 192.168.7.7 4 2
M
#
# Starting here, for now - jseymour
#
Apr 10 13:50:24 quasar sshd[53269]: error: Received disconnect from 95.9.156.208: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
*
M
Apr 10 13:50:24 quasar sshd[53269]: error: Received disconnect from 2001:db8::a11:beef:7ac0: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
*
M
Apr 10 06:55:42 quasar sshd[50880]: Received disconnect from 130.207.203.56: 11: These aren't the droids we're looking for. [preauth]
*
M
Apr 10 06:55:42 quasar sshd[50880]: Received disconnect from 2001:db8::a11:beef:7ac0: 11: These aren't the droids we're looking for. [preauth]
*
M
Apr  9 13:24:07 quasar sshd[44787]: Received disconnect from 103.237.33.58: 11: Bye Bye [preauth]
*
M
Apr  9 13:24:07 quasar sshd[44787]: Received disconnect from 2001:db8::a11:beef:7ac0: 11: Bye Bye [preauth]
*
M
Jun 20 02:18:39 vps auth.info sshd[13482]: Invalid user admin from 192.168.2.2
100 192.168.2.2 4 10
M
Jun 20 02:18:39 vps auth.info sshd[13482]: Invalid user admin from 2001:db8::a11:beef:7ac0
100 2001:db8::a11:beef:7ac0 6 10
M
May 29 14:44:30 epsilon sshd[4564]: error: Received disconnect from 192.168.2.200: 14: No supported authentication methods available [preauth]
*
M
May 29 14:44:30 epsilon sshd[4564]: error: Received disconnect from 2001:db8::a11:beef:7ac0: 14: No supported authentication methods available [preauth]
*
M
Jul  4 13:55:09 karpov sshd[64301]: Disconnecting invalid user user 10.42.42.42 port 38987: Change of username or service not allowed: (user,ssh-connection) -> (manager,ssh-connection) [preauth]
100 10.42.42.42 4 10
M
Dec  1 06:25:27 server sshd[19956]: Accepted publickey for User from 1.2.3.4 port 21563 ssh2: RSA SHA256:...
*
M
Dec  1 06:25:27 server sshd[19471]: Received disconnect from 1.2.3.4 port 60058:11: disconnected by user
*
M
Dec  1 06:25:27 server sshd[19471]: Disconnected from 1.2.3.4 port 60058
*
M
#
# I'm up to here - jseymour
#

#### Remote SSHGuard

#### Mail
Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
260 199.19.110.207 4 10
M
Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[2001:db8::a11:beef:7ac0]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
260 2001:db8::a11:beef:7ac0 6 10
M
Dec 13 09:32:50 marcos postfix/smtpd[24754]: lost connection after AUTH from rrcs-24-213-217-114.nys.biz.rr.com[24.213.217.114]
260 24.213.217.114 4 10
M
Dec 13 09:32:50 marcos postfix/smtpd[24754]: lost connection after AUTH from rrcs-24-213-217-114.nys.biz.rr.com[2001:db8::a11:beef:7ac0]
260 2001:db8::a11:beef:7ac0 6 10
M
# TBD: should be svc 260, not 0
Jun 20 16:46:17 ares postgrey[919]: action=greylist, reason=early-retry (295s missing), client_name=r244.mail.kbc.be, client_address=172.82.231.244, sender=bounce@mail.kbc.be, recipient=lilydehoux@zeelandned.nl
0 172.82.231.244 4 2
M
Sep  6 11:47:43 poseidon postfix/postscreen[14766]: PREGREET 14 after 0.04 from [1.2.3.4]:55868: EHLO ylmf-pc\r\n
260 1.2.3.4 4 10
M
Sep 10 07:01:57 poseidon postfix/postscreen[25914]: DNSBL rank 3 for [1.2.3.4]:64273
260 1.2.3.4 4 10
M
Sep  6 11:47:43 poseidon postfix/postscreen[14766]: HANGUP after 0.07 from [1.2.3.4]:55868 in tests after SMTP handshake
260 1.2.3.4 4 10
M

#### OpenSMTPD

#### SMTP
# TBD: should be svc 280, not 0
Nov 20 04:12:45 mail imapd-ssl[20815]: LOGIN FAILED, method=PLAIN, ip=[::ffff:177.19.165.26]
0 177.19.165.26 4 10
M
Nov 20 04:12:45 mail imapd-ssl[20815]: LOGIN FAILED, method=PLAIN, ip=[192.168.1.1]
*
M
Nov 20 04:12:45 mail imapd-ssl[20815]: LOGIN FAILED, method=PLAIN, ip=[2001:db8::a11:beef:7ac0]
*
M

#### FTP

#### Cockpit

#### OpenVPN
Sep 04 00:00:06 hostname openvpn[23718]: 54.183.149.10:34791 TLS Error: TLS handshake failed
400 54.183.149.10 4 10
M
Sep 04 00:00:06 hostname openvpn[23718]: [2001:db8::a11:beef:7ac0]:34791 TLS Error: TLS handshake failed
400 2001:db8::a11:beef:7ac0 6 10
M

#### Web

# Greedy SYSLOG_BANNER token (#93)

# macOS log format (#106)
2018-12-20 10:09:05.180218+0000 localhost sshd[67566]: Invalid user git from 185.52.1.9 port 35968
100 185.52.1.9 4 10
M

# OpenSSH 7 (#81)
Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20.95.202 port 56452
100 5.20.95.202 4 10
M

# Gitea
Mar 07 08:34:31 myhost gitea[15884]: 2019/03/07 08:34:31 [I] Failed authentication attempt for blabla from [::1]
500 ::1 6 10
M
# Rsyslog 8 (#128)
# Busybox 'syslog -S' hides host names (#115)
May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066
100 139.59.34.17 4 10
M

### jseymour additions for attack_parser_re tests
Mar  6 23:14:54 myhost auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=username rhost=109.237.103.13  user=username
210 109.237.103.13 4 10
M
Mar  6 15:42:42 myhost postfix/smtpd[29181]: warning: Connection rate limit exceeded: 6 from host-name.example.com[61.190.160.178] for service smtp
260 61.190.160.178 4 40
M
Mar  6 16:43:15 jimsun postfix/submission/smtpd[30936]: warning: Connection rate limit exceeded: 6 from unknown[109.237.103.41] for service submission
260 109.237.103.41 4 40
M
### end: jseymour additions
# 33 expressions - 2022-03-23
