Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules

maximilian attems debian at sternwelten.at
Sat Jul 2 09:27:22 UTC 2005


On Sat, 02 Jul 2005, Anand Kumria wrote:

> On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
<snipp>
> > well i'm surprised we didn't get a bug report earlier.
> > 
> > logcheck needs to trade between worthwhile messages and not.
> > the fact that a dict attack to any box is going on is worthwhile to
> > be reported.
> 
> It's useful to note a dictionary attack is in progress; however the fact
> that three messages are being logged by sshd for a non-existent user
> isn't as useful.
> 
> Ask yourself this: do either the second or third messages give you any
> more information than the first? Certainly I can't see any reason why
> I'd want them versus the first.

logcheck can't distinguish between 3x the same message and
1000x the same message. (and yes there are already wishlist bugs
demanding the distinction).

so you'd either ignore a message or not, there is no other possibility
right now. and as todd confirmed we can't ignore that message.
 
> > one should consider restricting access to ssh to trusted ips either with
> > tcpwrappers or iptables. another possibility would be to use the recent
> > module in iptables to reduce the nr. of new connections to the ssh port.
> 
> Hmm, higher levels of complexity versus three extra regex rules.
> 
> I know what I'll be doing on machines I administer. 

well in case you add those 3 regex rules you'll bury your head into sand.

ssh has security risks. beside dict attacks it already had exploitable
flaws. iirc there is a matrix scene about that.
so one better think about whom you open your host to.
 

--
maks
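The thread above turns on two points: logcheck cannot tell three copies of a message from a thousand, and only the first of the three lines sshd logs per bad login actually carries new information (user name and source address). The following is an added example, not code from the thread or from logcheck, showing how a reporting step could collapse the duplicate lines and count attempts per source so that a dictionary attack is reported once rather than three lines per guess. The sample syslog lines, hostnames, PIDs and addresses are constructed for this example, and the threshold of 3 attempts is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape sshd writes on a Debian box.
# Hostname, PIDs and addresses are made up for this example.
SAMPLE_LOG = """\
Jul  2 09:10:01 host sshd[4101]: Invalid user oracle from 192.0.2.10
Jul  2 09:10:01 host sshd[4101]: input_userauth_request: invalid user oracle
Jul  2 09:10:03 host sshd[4101]: Failed password for invalid user oracle from 192.0.2.10 port 51022 ssh2
Jul  2 09:10:05 host sshd[4103]: Invalid user test from 192.0.2.10
Jul  2 09:10:05 host sshd[4103]: input_userauth_request: invalid user test
Jul  2 09:10:07 host sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 51030 ssh2
Jul  2 09:10:09 host sshd[4105]: Invalid user admin from 192.0.2.10
Jul  2 09:10:09 host sshd[4105]: input_userauth_request: invalid user admin
Jul  2 09:10:11 host sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 51041 ssh2
Jul  2 09:12:40 host sshd[4120]: Invalid user bob from 198.51.100.7
Jul  2 09:12:40 host sshd[4120]: input_userauth_request: invalid user bob
Jul  2 09:12:42 host sshd[4120]: Failed password for invalid user bob from 198.51.100.7 port 40212 ssh2
Jul  2 09:13:00 host sshd[4130]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
"""

# The first of the three lines names both the invalid user and the source
# address, so it is the one that gets counted as an attempt.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)$")

# The second and third lines repeat what the first already said; they are
# recognised only so they can be dropped as duplicates.
DUPLICATE_RE = re.compile(
    r"sshd\[\d+\]: (?:input_userauth_request: invalid user"
    r"|Failed password for invalid user) "
)


def summarise_invalid_users(log_text):
    """Collapse sshd invalid-user noise into one record per source address.

    Returns (summary, dropped) where summary maps source IP to a dict with
    the number of attempts and the list of user names tried (in order of
    first appearance), and dropped is the number of duplicate lines ignored.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "users": []})
    dropped = 0
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            user, src = m.groups()
            entry = per_source[src]
            entry["attempts"] += 1
            if user not in entry["users"]:
                entry["users"].append(user)
        elif DUPLICATE_RE.search(line):
            dropped += 1
        # anything else (successful logins, unrelated daemons) is left alone
    return dict(per_source), dropped


def report(summary, threshold=3):
    """One report line per source, busiest first; flag sources at or above
    the (assumed) threshold as a dictionary attack."""
    lines = []
    for src in sorted(summary, key=lambda s: -summary[s]["attempts"]):
        entry = summary[src]
        tag = "DICTIONARY ATTACK" if entry["attempts"] >= threshold else "invalid user"
        lines.append(
            f"{tag}: {src} tried {entry['attempts']} invalid user(s): "
            + ", ".join(entry["users"])
        )
    return lines


if __name__ == "__main__":
    summary, dropped = summarise_invalid_users(SAMPLE_LOG)
    print(f"{dropped} duplicate sshd lines dropped")
    for line in report(summary):
        print(line)
```

Run against the constructed sample, the twelve invalid-user lines become two report lines: one flagging 192.0.2.10 with three attempts, one noting a single guess from 198.51.100.7; the successful key login is not touched. This is the kind of aggregation the wishlist bugs mentioned in the reply ask for, and it sits alongside, not instead of, the rate-limiting or tcpwrappers restriction suggested earlier in the thread.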