[Logcheck-devel] Bug#307585: ssh summaries for logcheck: a helper script
Markus Peuhkuri
puhuri at iki.fi
Fri Dec 23 18:55:25 UTC 2005
As the original submitter wrote, the ssh scan noise is a problem, as important
log entries may get hidden in hundreds of scan lines, and workarounds
(rate limits, port changes etc.) just result in problems for legitimate use.
I wrote a small perl script that one can run instead of syslog-summary
by defining two lines in logcheck.conf:
SYSLOGSUMMARY=1
SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh
This will print out (instead of 1000+ lines of ssh entries) lines like
the ones below:
(normal logcheck output...)
Dec 21 21:55:30 host getty[4302]: tty1: input overrun
Invalid SSH login attempts: 1056
425 192.0.2.1
391 192.0.2.2
121 192.0.2.3
59 192.0.2.42
44 192.0.2.9
12 192.0.2.65
3 192.0.2.39
1 192.0.2.144
User names tried:
0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
(cut...)
Inverse mapping failures: 44
44 192.0.2.9 !=> www.example.com
--
Markus Peuhkuri | http://www.iki.fi/puhuri/
Attachment: log-summary-ssh
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051223/de17f12e/attachment.txt
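The author's helper is the attached Perl script and is not reproduced on this page. As an added example, not the author's code, here is a Python script doing the same job: it reads the log lines logcheck pipes in, folds the sshd invalid-user noise into per-IP and per-username counts, reports reverse-mapping failures, and passes every other line through unchanged. The sshd message wording and the sample lines are constructed assumptions; check them against your own auth log.

```python
import re
import sys
from collections import Counter

# sshd message patterns (constructed for this example; exact wording varies
# between OpenSSH releases, so compare against your own auth log first).
INVALID_USER = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (\S+) from (\S+)")
# sshd logs a second line per attempt; it is dropped, not counted twice.
FAILED_INVALID = re.compile(r"sshd\[\d+\]: Failed password for invalid user ")
REVERSE_FAIL = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (\S+) \[(\S+)\] failed")

def summarize_ssh(lines):
    by_ip, by_user, by_inverse, other = Counter(), Counter(), Counter(), []
    for line in lines:
        if (m := INVALID_USER.search(line)):
            by_user[m.group(1)] += 1
            by_ip[m.group(2)] += 1
        elif (m := REVERSE_FAIL.search(line)):
            by_inverse[(m.group(2), m.group(1))] += 1  # (ip, claimed name)
        elif not FAILED_INVALID.search(line):
            other.append(line)  # everything else reaches the report unchanged
    return other, by_ip, by_user, by_inverse

def format_summary(lines):
    """Render the report in the layout shown in the post above."""
    other, by_ip, by_user, by_inverse = summarize_ssh(lines)
    out = list(other)
    if by_ip:
        out.append("Invalid SSH login attempts: %d" % sum(by_ip.values()))
        out += ["%d %s" % (n, ip) for ip, n in by_ip.most_common()]
        out.append("User names tried:")
        out.append(", ".join("%s (%d)" % (u, n) for u, n in sorted(by_user.items())))
    if by_inverse:
        out.append("Inverse mapping failures: %d" % sum(by_inverse.values()))
        out += ["%d %s !=> %s" % (n, ip, host) for (ip, host), n in by_inverse.most_common()]
    return out

# Constructed sample input standing in for the lines logcheck would pipe in.
SAMPLE = [
    "Dec 21 21:55:30 host getty[4302]: tty1: input overrun",
    "Dec 21 22:01:02 host sshd[5120]: Invalid user aaron from 192.0.2.1",
    "Dec 21 22:01:02 host sshd[5120]: Failed password for invalid user aaron from 192.0.2.1 port 40122 ssh2",
    "Dec 21 22:01:05 host sshd[5123]: Invalid user abel from 192.0.2.1",
    "Dec 21 22:02:10 host sshd[5130]: Invalid user aaron from 192.0.2.2",
    "Dec 21 22:03:00 host sshd[5140]: reverse mapping checking getaddrinfo for www.example.com [192.0.2.9] failed - POSSIBLE BREAK-IN ATTEMPT!",
]

if __name__ == "__main__":  # logcheck would pipe the log in on stdin
    print("\n".join(format_summary(map(str.rstrip, SAMPLE if sys.stdin.isatty() else sys.stdin))))
```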