Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules

Anand Kumria wildfire at progsoc.org
Fri Jul 1 23:38:17 UTC 2005


On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> tags 307585 wontfix
> stop
> 
> On Wed, 04 May 2005, Anand Kumria wrote:
> 
> > Package: logcheck
> > Version: 1.2.39
> > Severity: wishlist
> > 
> > Hi,
> > 
> > With more and more Internet background radiation, entries like the
> > following:
> > 
> > sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
> > sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
> > sshd[26869]: error: Could not get shadow information for NOUSER
> > 
> > are fairly common.  It would be good if these log messages were filtered
> > out in the server install (there is another set of messages if the user
> > actually exists).
> 
> well i'm surprised we didn't get a bug report earlier.
> 
> logcheck needs to trade between worthwhile messages and not.
> the fact that a dict attack to any box is going on is worthwhile to
> be reported.

It's useful to note a dictionary attack is in progress; however the fact
that three messages are being logged by sshd for a non-existent user
isn't as useful.

Ask yourself this: do either the second or third messages give you any
more information than the first? Certainly I can't see any reason why
I'd want them versus the first.

> one should consider restricting access to ssh to trusted ips either with
> tcpwrappers or iptables. another possibility would be to use the recent
> module in iptables to reduce the nr. of new connection to the ssh port.

Hmm, higher levels of complexity versus three extra regex rules.

I know what I'll be doing on machines I administer. 

> but i'll leave that open for discussion on logcheck-devel.

"Our priorities are our users and free software"
	-- http://www.debian.org/social_contract

Thanks,
Anand

-- 
 `When any government, or any church for that matter, undertakes to say to
  its subjects, "This you may not read, this you must not see, this you are
  forbidden to know," the end result is tyranny and oppression no matter how
  holy the motives' -- Robert A Heinlein, "If this goes on --"
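The "three extra regex rules" idea from the message above, worked through as an added example (not code from the thread or from the logcheck package): two logcheck-style ignore patterns that drop the redundant second and third sshd messages while the first "Illegal user" line, and any failed password for a user that really exists, still get reported. The syslog prefix, hostname, timestamps and PIDs in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample of the sshd lines discussed in the bug, plus a failed
# password for an existing user (alice), which must NOT be filtered.
sample_log() {
cat <<'EOF'
May  4 12:01:02 host sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
May  4 12:01:03 host sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
May  4 12:01:03 host sshd[26869]: error: Could not get shadow information for NOUSER
May  4 12:02:10 host sshd[26900]: Failed password for alice from ::ffff:10.0.0.5 port 4000 ssh2
EOF
}

# Ignore rules in logcheck's format: one extended regex per line, anchored to
# the whole syslog line so a rule cannot accidentally swallow other events.
# Only the follow-ups for a non-existent ("illegal") user are dropped; the
# first "Illegal user ... from ..." message is left alone and still reported.
ignore_rules() {
cat <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for illegal user [^[:space:]]+ from ::ffff:[.[:digit:]]+ port [[:digit:]]+ ssh2$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
EOF
}

# Apply the rules the way logcheck does: lines matching any ignore pattern
# are discarded, everything else is what would be mailed to the admin.
filter_sshd_noise() {
    rules=$(mktemp)
    ignore_rules > "$rules"
    sample_log | grep -E -v -f "$rules"
    rm -f "$rules"
}

# Number of lines that survive filtering (2 for the sample above).
reported_count() {
    filter_sshd_noise | wc -l | tr -d ' '
}

filter_sshd_noise
```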
