sshd execs on new connection rather than fork - centos7

I am facing a strange issue with sshd on CentOS 7. I start /sbin/sshd -ddd -D on one terminal of my server. Let's say its PID is $sshdpid
* connect from another m/c
On successful connection, I see that $sshdpid, instead of showing /sbin/sshd -ddd -D, shows sshd: root@pts/0
And now what happens is that when the client's interactive session completes (exits), $sshdpid no longer exists on the server. It implies the sshd server is not running. I see the following logs:
on stdout:
Received disconnect from 10.10.73.40 port 36348:11: disconnected by user
Disconnected from 10.10.73.40 port 36348
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
debug3: PAM: sshpam_thread_cleanup entering
[1]+ Exit 255 /sbin/sshd -ddd -D
I see the following logs in /var/logs/messages on the server.
Jun 3 11:23:57 master sshd: Received disconnect from 10.10.73.40 port 60586:11: disconnected by user
Jun 3 11:23:57 master sshd: Disconnected from 10.10.73.40 port 60586
Jun 3 11:23:57 master sshd: debug1: do_cleanup
Jun 3 11:23:57 master sshd: debug1: PAM: cleanup
Jun 3 11:23:57 master sshd: debug1: PAM: closing session
Jun 3 11:23:57 master sshd: debug1: PAM: deleting credentials
Jun 3 11:23:57 master sshd: debug3: PAM: sshpam_thread_cleanup entering
Jun 3 11:23:57 master systemd: Unit sshd.service entered failed state.
Jun 3 11:23:57 master systemd: sshd.service failed.
Jun 3 11:23:57 master systemd-logind: Removed session 13.
Jun 3 11:24:39 master systemd: sshd.service holdoff time over, scheduling restart.
Jun 3 11:24:39 master systemd: Starting OpenSSH server daemon...
I am sshing from the client as root.
Please help. I am unable to debug this issue. :(

Related

Google Cloud VM SSH No supported authentication methods available

I have a Google Cloud VM instance with Debian OS. I have hosted WordPress sites on it. After upgrading the OS version all was working fine and I was able to connect via SSH using the 'Open SSH in browser' option.
Now when I try to connect to my VM instance using 'Open SSH in browser' it just keeps retrying. I checked the serial console output but there is no error message. Please refer below.
However, I am able to connect via FTP using the same key, but when I try to connect via SSH I face the issue. I checked port 22 for that instance and project and it's open.
Below are the last few lines of the serial console log after I restarted the VM:
Dec 6 09:01:20 localhost sendmail[383]: Starting Mail Transport Agent (MTA): sendmail.
Dec 6 09:01:20 localhost systemd[1]: Started LSB: powerful, efficient, and scalable Mail Transport Agent.
Dec 6 09:01:21 localhost systemd[1]: Started MariaDB 10.3.31 database server.
Dec 6 09:01:21 localhost systemd[1]: Reached target Multi-User System.
Dec 6 09:01:21 localhost systemd[1]: Reached target Graphical Interface.
Dec 6 09:01:21 localhost systemd[1]: Startup finished in 4.063s (kernel) + 9.852s (userspace) = 13.915s.
Dec 6 09:01:21 localhost /etc/mysql/debian-start[567]: Upgrading MySQL tables if necessary.
Dec 6 09:01:21 localhost /etc/mysql/debian-start[570]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Dec 6 09:01:21 localhost /etc/mysql/debian-start[570]: Looking for 'mysql' as: /usr/bin/mysql
Dec 6 09:01:21 localhost /etc/mysql/debian-start[570]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Dec 6 09:01:21 localhost /etc/mysql/debian-start[570]: Version check failed. Got the following error when calling the 'mysql' command line client
Dec 6 09:01:21 localhost /etc/mysql/debian-start[570]: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Dec 6 09:01:21 localhost /etc/mysql/debian-start[570]: FATAL ERROR: Upgrade failed
Dec 6 09:01:21 localhost /etc/mysql/debian-start[580]: Checking for insecure root accounts.
Dec 6 09:01:21 localhost debian-start[564]: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Debian GNU/Linux 10 localhost ttyS0
localhost login: Dec 6 09:01:28 localhost systemd[1]: Stopping User Manager for UID 110...
Dec 6 09:01:28 localhost systemd[497]: Stopped target Default.
Dec 6 09:01:28 localhost systemd[497]: Stopped target Basic System.
Dec 6 09:01:28 localhost systemd[497]: Stopped target Timers.
Dec 6 09:01:28 localhost systemd[497]: Stopped target Paths.
Dec 6 09:01:28 localhost systemd[497]: Stopped target Sockets.
Dec 6 09:01:28 localhost systemd[497]: gpg-agent-browser.socket: Succeeded.
Dec 6 09:01:28 localhost systemd[497]: Closed GnuPG cryptographic agent and passphrase cache (access for web browsers).
Dec 6 09:01:28 localhost systemd[497]: dirmngr.socket: Succeeded.
Dec 6 09:01:28 localhost systemd[497]: Closed GnuPG network certificate management daemon.
Dec 6 09:01:28 localhost systemd[497]: gpg-agent-ssh.socket: Succeeded.
Dec 6 09:01:28 localhost systemd[497]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Dec 6 09:01:28 localhost systemd[497]: gpg-agent.socket: Succeeded.
Dec 6 09:01:28 localhost systemd[497]: Closed GnuPG cryptographic agent and passphrase cache.
Dec 6 09:01:28 localhost systemd[497]: gpg-agent-extra.socket: Succeeded.
Dec 6 09:01:28 localhost systemd[497]: Closed GnuPG cryptographic agent and passphrase cache (restricted).
Dec 6 09:01:28 localhost systemd[497]: Reached target Shutdown.
Dec 6 09:01:28 localhost systemd[497]: systemd-exit.service: Succeeded.
Dec 6 09:01:28 localhost systemd[497]: Started Exit the Session.
Dec 6 09:01:28 localhost systemd[497]: Reached target Exit the Session.
Dec 6 09:01:28 localhost systemd[1]: user@110.service: Succeeded.
Dec 6 09:01:28 localhost systemd[1]: Stopped User Manager for UID 110.
Dec 6 09:01:28 localhost systemd[1]: Stopping User Runtime Directory /run/user/110...
Dec 6 09:01:28 localhost systemd[1]: run-user-110.mount: Succeeded.
Dec 6 09:01:28 localhost systemd[1]: user-runtime-dir@110.service: Succeeded.
Dec 6 09:01:28 localhost systemd[1]: Stopped User Runtime Directory /run/user/110.
Dec 6 09:01:28 localhost systemd[1]: Removed slice User Slice of UID 110.
Tried the following solutions which I got from a Google search
Solution 1: Using PuTTYgen & PuTTY
Generated a key using PuTTYgen and put the public key under metadata, and also tried adding it under the instance. I have set enable-oslogin to FALSE.
But got the following error message.
Solution 2: Using serial ports
When I tried to connect using different serial ports it just got stuck at the connection screen, and I checked the console log for that serial port but it's blank.
Solution 3: New instance with disk image
Created an image of the current disk and then created a new instance with that image. When I try to connect to that new instance I face the same issue.
Solution 4: Use a different machine to set up the CLI
I set up a fresh Google Cloud CLI on a new machine and tried to connect but no success. I faced the same error.
Solution 5: Increase disk space
Increased the disk space from 20GB to 35GB, but it didn't work. Usually if there is a disk space error we get it in the serial console log. But in my case there is no error message in the serial console log.
Please help and let me know if any additional information is required.
Thanks

How to free up port 22 on Google Compute Engine

In Google Compute Engine, I would like to use port 22 for SFTP, although I cannot since the VM says that sshd is running on this port. Is there any way I can change the port sshd uses to a different one so I can free up 22?
I tried to look at: How to change sshd port on google cloud instance?, but it did not help and the port for sshd was still 22 after I executed:
sudo netstat -pna | grep 22
The output is:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 53151/sshd
tcp6 0 0 :::22 :::* LISTEN 53151/sshd
Thank you for your time!
You can change the SSH port 22 as per the steps below:
Log on to the server as the root user
Open the SSH configuration file sshd_config with the text editor vi: vi /etc/ssh/sshd_config.
Search for the entry Port 22.
Replace port 22 with a port between 1024 and 65536.
semanage port -a -t ssh_port_t -p tcp New-SSH-Port
semanage port -l | grep ssh
ssh_port_t tcp 2222, 22
systemctl restart sshd
netstat -pna | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 1525/sshd
tcp 0 0 10.128.0.33:2222 35.235.241.19:63372 ESTABLISHED 1413/sshd: mdmahboo
tcp6 0 0 :::2222 :::* LISTEN 1525/sshd
systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-02-21 02:46:55 UTC; 46s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1525 (sshd)
CGroup: /system.slice/sshd.service
└─1525 /usr/sbin/sshd -D
Feb 21 02:46:55 cenos-1 systemd[1]: Stopped OpenSSH server daemon.
Feb 21 02:46:55 cenos-1 systemd[1]: Starting OpenSSH server daemon...
Feb 21 02:46:55 cenos-1 sshd[1525]: Server listening on 0.0.0.0 port 2222.
Feb 21 02:46:55 cenos-1 sshd[1525]: Server listening on :: port 2222.
Feb 21 02:46:55 cenos-1 systemd[1]: Started OpenSSH server daemon.
Add a firewall entry for port 2222 in the GCP firewall.
Now you will be able to log in to the VM using your custom port number, after allowing the port as ingress in a firewall rule.
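An added example, not part of the answer above, of the Port edit from these steps done programmatically: it rewrites the `Port` line in an sshd_config text, rejects ports outside the unprivileged 1024-65535 range, and drops any second active `Port` line, because sshd listens on every `Port` directive present and a leftover `Port 22` is one way the port "stays 22" after an edit. The config contents used are constructed.

```python
import re

# A Port directive, active or commented out (the stock file ships "#Port 22").
PORT_LINE = re.compile(r"^\s*#?\s*Port\s+(\d+)\s*$", re.IGNORECASE)
# Port is only valid in the global section, i.e. before the first Match block.
MATCH_LINE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def is_unprivileged_port(port):
    """True for ports a non-root process could bind, the range the steps recommend."""
    return 1024 <= port <= 65535


def effective_ports(config_text):
    """Ports sshd would listen on for this config: every active Port line
    before the first Match block, or 22 when none is set."""
    ports = []
    for line in config_text.splitlines():
        if MATCH_LINE.match(line):
            break
        m = PORT_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            ports.append(int(m.group(1)))
    return ports or [22]


def set_sshd_port(config_text, new_port):
    """Return config_text with exactly one active "Port <new_port>" line.

    The first Port line (active or commented) is rewritten in place, later
    Port lines are dropped so 22 does not stay open alongside the new port,
    and a missing directive is inserted before any Match block (or appended).
    """
    if not is_unprivileged_port(new_port):
        raise ValueError("choose a port between 1024 and 65535")
    out, done = [], False
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if MATCH_LINE.match(line):
            if not done:
                out.append(f"Port {new_port}")
                done = True
            out.extend(lines[i:])
            break
        if PORT_LINE.match(line):
            if not done:
                out.append(f"Port {new_port}")
                done = True
            continue  # drop any further Port line, active or commented
        out.append(line)
    else:
        if not done:
            out.append(f"Port {new_port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed stand-in for /etc/ssh/sshd_config.
    sample = "# sshd_config (constructed)\n#Port 22\n#AddressFamily any\nPermitRootLogin no\n"
    print("before:", effective_ports(sample))
    updated = set_sshd_port(sample, 2222)
    print("after: ", effective_ports(updated))
```

After writing the result back, the semanage, systemctl restart and firewall steps above still apply; this only produces the file contents they expect.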

Redis wont start: Could not create server TCP listening socket 127.0.0.1:6379: bind: Address already in use

I have installed Redis on my AWS server. I followed this: https://www.digitalocean.com/community/tutorials/how-to-install-secure-redis-centos-7
$ systemctl start redis.service
$ systemctl enable redis
-> Created symlink /etc/systemd/system/multi-user.target.wants/redis.service → /usr/lib/systemd/system/redis.service.
$ systemctl status redis.service
● redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/redis.service.d
└─limit.conf
Active: failed (Result: exit-code) since Wed 2020-08-26 02:28:25 UTC; 10s ago
Main PID: 5012 (code=exited, status=1/FAILURE)
Aug 26 02:28:25 ip-xxx-xx-xx-xx.ap-southeast-2.compute.internal systemd[1]: Starting Redis persistent key-value database...
Aug 26 02:28:25 ip-xxx-xx-xx-xx.ap-southeast-2.compute.internal systemd[1]: Started Redis persistent key-value database.
Aug 26 02:28:25 ip-xxx-xx-xx-xx.ap-southeast-2.compute.internal systemd[1]: redis.service: Main process exited, code=exited, status=1/FAILURE
Aug 26 02:28:25 ip-xxx-xx-xx-xx.ap-southeast-2.compute.internal systemd[1]: redis.service: Failed with result 'exit-code'.
And when I check the /var/log/redis/redis.log this is what I see:
5012:C 26 Aug 2020 02:28:25.574 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
5012:C 26 Aug 2020 02:28:25.574 # Redis version=5.0.3, bits=64, commit=00000000, modified=0, pid=5012, just started
5012:C 26 Aug 2020 02:28:25.574 # Configuration loaded
5012:C 26 Aug 2020 02:28:25.574 * supervised by systemd, will signal readiness
5012:M 26 Aug 2020 02:28:25.575 # Could not create server TCP listening socket 127.0.0.1:6379: bind: Address already in use
And upon checking the ports:
$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 2812/redis-server *
tcp6 0 0 :::6379 :::* LISTEN 2812/redis-server *
This shows that port 6379 is actually being used by redis-server.
So why can't it start then?
Do I need to add any inbound/outbound rules in AWS? Please help.
UPDATE
Running ExecStart=/usr/bin/redis-server /etc/redis.conf --supervised systemd as a command on the terminal returns bash: /etc/redis.conf: Permission denied. Looks like I need to give the right permission to the /etc/redis.conf file.
$ ls -l /etc/redis.conf
-rw-r-----. 1 redis redis 62189 Aug 26 03:04 /etc/redis.conf
So what permission do I need to give here? Who should own this file?

CentOS 7 - Payara 5 fails to run on Port 80

I installed Payara 5(.193) on a CentOS 7 server and the installation was a success. Since I aim to host a JEE website on it, I changed Payara's default HTTP port from 8080 to 80 (after disabling the Apache web server in order to keep port 80 free). However, when I rerun Payara (with port 80 as the default), I get the following error -
-- Unit payara.service has failed.
--
-- The result is failed.
Nov 20 14:39:42 server1.gdfnow.org systemd[1]: Unit payara.service entered failed state.
Nov 20 14:39:42 server1.gdfnow.org systemd[1]: payara.service failed.
Nov 20 14:39:42 server1.gdfnow.org polkitd[541]: Unregistered Authentication Agent for unix-process:16831:1426530 (system bus name :1.137, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disc
Nov 20 14:39:44 server1.gdfnow.org unix_chkpwd[16992]: password check failed for user (root)
Nov 20 14:39:44 server1.gdfnow.org sshd[16990]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.88.201.58 user=root
Nov 20 14:39:44 server1.gdfnow.org sshd[16990]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 20 14:39:46 server1.gdfnow.org sshd[16990]: Failed password for root from 115.88.201.58 port 51698 ssh2
Nov 20 14:39:46 server1.gdfnow.org sshd[16990]: Received disconnect from 115.88.201.58 port 51698:11: Bye Bye [preauth]
Nov 20 14:39:46 server1.gdfnow.org sshd[16990]: Disconnected from 115.88.201.58 port 51698 [preauth]
Any insight into this would be greatly appreciated.
PS - In the error log, I have no clue what this IP address 115.88.201.58 is. It is certainly not the public IP of my client computer.
Thanks

Regex to match multiple different lines

I have the following file below and I would like to have some regex expressions that could parse the file and give me output like
139.162.78.135:41448 TLS Error: TLS handshake failed
139.162.78.135:41448 Connection reset, restarting
TLS Error: incoming packet authentication failed from [AF_INET]139.162.78.135:41448
139.162.78.135:41448 Fatal TLS Error
139.162.78.135:41448 VERIFY ERROR
139.162.78.135:41448 Bad encapsulated packet length
Note: this is for a program called fail2ban so that I can easily ban these IPs that are trying to intrude on my server.
I tried to parse the connection reset line like this: \d+\.\d+\.\d+\.\d+:\d+ Connection reset, restarting. But I don't know how to form another expression that can match the rest in one go.
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]139.162.78.135:41828
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]67.52.172.103:2577
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: 67.52.172.103:2577 Connection reset, restarting [0]
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: 67.52.172.103:2577 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]67.52.172.103:63975
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: 67.52.172.103:63975 Connection reset, restarting [-1]
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: 67.52.172.103:63975 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:56:52 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.55:55292
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]154.16.133.10:13456
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13456 Connection reset, restarting [-1]
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13456 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]154.16.133.10:13769
Jun 19 09:17:59 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13769 Connection reset, restarting [-1]
Jun 19 09:17:59 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13769 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 09:19:25 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]184.105.139.70:50240
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 Connection reset, restarting [0]
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]223.146.71.5:59970
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: 223.146.71.5:59970 Connection reset, restarting [0]
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: 223.146.71.5:59970 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]223.146.71.5:60145
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 Connection reset, restarting [0]
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:25:16 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]112.113.195.89:3079
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS handshake failed
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 14:26:17 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 SIGUSR1[soft,tls-error] received, client-instance restarting
Jun 19 16:27:19 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]213.202.230.144:2616
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 TLS Error: TLS handshake failed
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 SIGUSR1[soft,tls-error] received, client-instance restarting
Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]178.73.215.171:23509
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 Connection reset, restarting [0]
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 SIGUSR1[soft,connection-reset] received, client-instance restarting
Use | to separate the different options that you would like to capture. Since most of the options start with an IP address, you can share your IP-matching regex among all of them.
Here is the regex with some "formatting" for easier understanding of what is going on; remove the unnecessary spaces and line breaks in the real regex:
\d+\.\d+\.\d+\.\d+:\d+
(?:
Connection reset, restarting
| TLS Error: TLS handshake failed
| Fatal TLS Error
| VERIFY ERROR
| Bad encapsulated packet length
)
| TLS Error: incoming packet authentication failed from [AF_INET]\d+\.\d+\.\d+\.\d+:\d+
Demo.
I think this problem may be divided into 2 parts:
What regex is used to represent the patterns, and
How to capture the IP address the OP is interested in.
Represent the patterns with the "or" and "group" operators
I think the multiple possibilities that follow the IP address may be handled by using the | operator and the ( ) grouping operator:
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} (Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length)
The more complicated case is the last possibility, where the IP address appears last, such as in the message
Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431
I think a quick and dirty solution might be to wrap this case with a pair of () and the other cases with another pair of () and then | them together:
((TLS Error.+\[AF_INET\])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}))|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} (Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length))
With this regex, a user will be able to obtain the lines that contain the interesting patterns. This pattern includes both the IP address and the error info, and with one further step the user can extract the parts of interest (in this case, IP address and port number):
Return only the matched parts
To tell a regex that some part is not part of the match result (and is used only as a delimiter, for example), you can declare it as a "lookahead" ( (?=blah blah) ). The following shows how a one-liner with grep extracts the intruders:
$ grep -P "((?=TLS Error.+\[AF_INET\])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}))|((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}) (?=Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length))" -o temp.txt
67.52.172.103:63975
154.16.133.10:13456
154.16.133.10:13769
184.105.139.70:50240
223.146.71.5:59970
223.146.71.5:60145
112.113.195.89:3079
112.113.195.89:3079
213.202.230.144:2616
213.202.230.144:2616
178.73.215.171:23509
The -o tells grep to return only the matched parts; -P tells grep to use PCRE regex rather than POSIX regex.
Hope this may be useful!
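A worked version of both answers, added here and not part of either answer: the two regex shapes (address first; address after the literal "[AF_INET]") run with Python's re, the engine fail2ban itself uses, over lines taken from the question's log, plus a per-IP count standing in for fail2ban's maxretry. The event list is the question's; the `[Ee]rror` and optional `WARNING: ` tweaks are mine so the patterns match the log as actually written.

```python
import re
from collections import Counter

# Address token shared by every alternative: the OP's \d+\.\d+\.\d+\.\d+:\d+
# tightened to a dotted quad and a 1-5 digit port.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ADDR = rf"{IPV4}:\d{{1,5}}"

# Event texts the question wants to catch. "Fatal TLS [Ee]rror" also covers the
# lower-case form in the real log, and "WARNING: " is what actually precedes
# "Bad encapsulated packet length" there.
EVENTS = "|".join((
    r"Connection reset, restarting",
    r"TLS Error: TLS handshake failed",
    r"Fatal TLS [Ee]rror",
    r"VERIFY ERROR",
    r"(?:WARNING: )?Bad encapsulated packet length",
))

# Case A: "<ip>:<port> <event>" (address leads the message).
LEADING = re.compile(rf"(?P<addr>{ADDR}) (?:{EVENTS})")
# Case B: "TLS Error: ... [AF_INET]<ip>:<port>" (address trails the message).
# The literal "[AF_INET]" anchors the capture, so no lookaround is needed.
# In a fail2ban failregex the addr group would be written as the <HOST> tag.
TRAILING = re.compile(rf"TLS Error: .*?\[AF_INET\](?P<addr>{ADDR})")

# Constructed sample: lines taken from the question's log excerpt (the
# "Bad encapsulated packet length" line abridged after the peer value).
SAMPLE_LINES = [
    "Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 Connection reset, restarting [0]",
    "Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]139.162.78.135:41828",
    "Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 WARNING: Bad encapsulated packet length from peer (18245) [...]",
    "Jun 19 04:56:52 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.55:55292",
    "Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS handshake failed",
    "Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 Fatal TLS error (check_tls_errors_co), restarting",
    "Jun 19 14:26:17 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 SIGUSR1[soft,tls-error] received, client-instance restarting",
    "Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431",
]


def extract_offenders(lines):
    """Return (ip, port) for every line that reports one of the events.

    "TCP connection established" and the SIGUSR1 follow-up lines carry an
    address too but are not failures, so they yield nothing.
    """
    hits = []
    for line in lines:
        match = LEADING.search(line) or TRAILING.search(line)
        if match:
            ip, port = match.group("addr").rsplit(":", 1)
            hits.append((ip, int(port)))
    return hits


def ban_candidates(lines, threshold=3):
    """IPs with at least `threshold` events, ignoring the ephemeral source
    port, which is how fail2ban's maxretry counts per host."""
    counts = Counter(ip for ip, _ in extract_offenders(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, port in extract_offenders(SAMPLE_LINES):
        print(f"{ip}:{port}")
    print("ban:", ban_candidates(SAMPLE_LINES, threshold=2))
```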