Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules

Anand Kumria wildfire at progsoc.org
Fri Jul 1 23:40:22 UTC 2005


On Thu, May 05, 2005 at 02:39:49AM -0400, Todd Troxell wrote:
> On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> > On Wed, 04 May 2005, Anand Kumria wrote:
> > 
> > > Package: logcheck
> > > Version: 1.2.39
> > > Severity: wishlist
> > > 
> > > sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
> > > sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
> > > sshd[26869]: error: Could not get shadow information for NOUSER
> > > 
> > > are fairly common.  It would be good if these log messages were filtered
> > > out in the server install (there is another set of messages if the user
> > > actually exists).
> > 
> > logcheck needs to trade between worthwhile messages and not.

And somehow you both believe that all three messages are worthwhile? What
information does either the second or third message give you?

> > but i'll leave that open for discussion on logcheck-devel.
> 
> Yeah, sorry.  We really do want to report these scans.  We can't
> differentiate between a stupid worm and a smart delayed dictionary scan.
> 
> See http://blog.andrew.net.au/2005/02/17 for some mitigation techniques.

Hmm, extra complexity versus extra regexes.

No thanks.

Cheers,
Anand

-- 
 `When any government, or any church for that matter, undertakes to say to
  its subjects, "This you may not read, this you must not see, this you are
  forbidden to know," the end result is tyranny and oppression no matter how
  holy the motives' -- Robert A Heinlein, "If this goes on --"
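
Added example, not part of the original message and not logcheck's own rules: a Python sketch that collapses the three sshd messages quoted in the report into one summary line per source address, so a scan is still reported without one line per attempt. The patterns, the function names, the traditional syslog timestamp/hostname prefix and the sample lines (documentation addresses, constructed) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed prefix: "Mon DD HH:MM:SS hostname sshd[pid]: " (traditional syslog format).
PREFIX = r"^\w{3} [ :0-9]{11} [._a-zA-Z0-9-]+ sshd\[\d+\]: "
ILLEGAL_USER = re.compile(PREFIX + r"Illegal user (?P<user>\S+) from (?P<src>\S+)$")
FAILED_PW = re.compile(
    PREFIX + r"Failed password for illegal user (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")
NOUSER = re.compile(PREFIX + r"error: Could not get shadow information for NOUSER$")

# Constructed sample input: message texts follow the bug report, everything else is made up.
SAMPLE = [
    "May  4 12:50:01 host sshd[26955]: Illegal user patrick from ::ffff:192.0.2.25",
    "May  4 12:50:03 host sshd[26955]: error: Could not get shadow information for NOUSER",
    "May  4 12:50:03 host sshd[26955]: Failed password for illegal user patrick from ::ffff:192.0.2.25 port 3396 ssh2",
    "May  4 12:50:05 host sshd[26862]: Illegal user rolo from ::ffff:192.0.2.25",
    "May  4 12:50:07 host sshd[26862]: Failed password for illegal user rolo from ::ffff:192.0.2.25 port 3397 ssh2",
    "May  4 12:51:00 host sshd[27001]: Accepted publickey for anand from ::ffff:198.51.100.7 port 4022 ssh2",
]

def summarise(lines):
    """Group scan noise by source address; return (sources, nouser_count, other_lines)."""
    sources = defaultdict(lambda: {"users": set(), "failed": 0})
    nouser, other = 0, []
    for line in lines:
        if (m := ILLEGAL_USER.match(line)):
            sources[m["src"]]["users"].add(m["user"])
        elif (m := FAILED_PW.match(line)):
            sources[m["src"]]["users"].add(m["user"])
            sources[m["src"]]["failed"] += 1
        elif NOUSER.match(line):
            nouser += 1          # carries neither a source nor a username
        else:
            other.append(line)   # anything unrecognised is passed through untouched
    return dict(sources), nouser, other

def report(lines):
    """One summary line per scanning source, followed by all unmatched lines."""
    sources, _nouser, other = summarise(lines)
    summary = [
        f"sshd scan from {src}: {info['failed']} failed passwords, "
        f"{len(info['users'])} unknown users ({', '.join(sorted(info['users']))})"
        for src, info in sorted(sources.items())
    ]
    return summary + other

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```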




