From: Oleg Broytman <phd@phdru.name>
Date: Fri, 13 Feb 2026 17:12:02 +0000 (+0300)
Subject: Feat(logcheck): Update `local-ssh`
X-Git-Url: https://git.phdru.name/?a=commitdiff_plain;h=24f325e7db5bd35a04b98a9200ca5558ff6fe4bf;p=ansible.git

Feat(logcheck): Update `local-ssh`
---

diff --git a/playbooks/roles/logcheck/files/ignore.d/local-ssh b/playbooks/roles/logcheck/files/ignore.d/local-ssh
index e73b51b..ef9c989 100644
--- a/playbooks/roles/logcheck/files/ignore.d/local-ssh
+++ b/playbooks/roles/logcheck/files/ignore.d/local-ssh
@@ -6,6 +6,7 @@
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Bad protocol version identification
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Connection (closed|reset) by ((authenticating|invalid) user .+)?([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\]
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Connection (closed|reset) by ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+
+^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Connection reset by UNKNOWN port -1 \[preauth\]$
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Corrupted MAC on input\. \[preauth\]$
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Did not receive identification string from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Disconnected from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+ \[preauth\]
@@ -23,7 +24,7 @@
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: Unable to negotiate with ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: no matching (cipher|host key type|key exchange method) found\.
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: banner exchange: Connection from ([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+: (Broken pipe|could not read protocol version|invalid format)
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: dispatch_protocol_error: type [0-9]+ seq [0-9]+ \[preauth\]
-^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: drop connection #[0-9]+ from \[(UNKNOWN|([0-9]{1,3}\.){3}[0-9]{1,3})\]:-?[0-9]+ on \[([0-9]{1,3}\.){3}[0-9]{1,3}\]:22 past MaxStartups
+^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: drop connection #[0-9]+ from \[(UNKNOWN|([0-9]{1,3}\.){3}[0-9]{1,3})\]:-?[0-9]+ on \[([0-9]{1,3}\.){3}[0-9]{1,3}\]:22 (past )?Max[Ss]tartups
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: drop connection .+ penalty: failed authentication$
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: error: Bad remote protocol version identification:
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: error: beginning MaxStartups throttling
@@ -50,5 +51,6 @@
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: pam_unix\(sshd:auth\): authentication failure
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: pam_unix\(sshd:auth\): bad username
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: pam_unix\(sshd:auth\): check pass; user unknown$
+^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: syslogin_perform_logout: logout\(\) returned an error$
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: userauth_pubkey: (key type|signature algorithm) ssh-(dss|rsa) not in PubkeyAccepted(Algorithm|KeyType)s \[preauth\]
 ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[ .:+0-9]+ [._[:alnum:]-]+ sshd(-session)?\[[0-9]+\]: warning: can't get client address: Connection reset by peer$