Bug#307585: [Logcheck-devel] Bug#307585: ssh summaries for logcheck: a helper script
Todd Troxell
ttroxell at debian.org
Sat Dec 31 12:29:11 UTC 2005
On Fri, Dec 23, 2005 at 08:55:25PM +0200, Markus Peuhkuri wrote:
> As the original submitter wrote, the ssh scan noise is a problem, as important
> log entries may get hidden among hundreds of scan lines, and workarounds
> (rate limits, port changes etc.) just result in problems for legitimate use.
>
> I wrote a small perl script that one can run instead of syslog-summary
> by defining two lines in logcheck.conf:
>
> SYSLOGSUMMARY=1
> SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh
>
> This will print out (instead of 1000+ lines of ssh entries) lines like
> ones below:
>
> (normal logcheck output...)
> Dec 21 21:55:30 host getty[4302]: tty1: input overrun
>
> Invalid SSH login attempts: 1056
> 425 192.0.2.1
> 391 192.0.2.2
> 121 192.0.2.3
> 59 192.0.2.42
> 44 192.0.2.9
> 12 192.0.2.65
> 3 192.0.2.39
> 1 192.0.2.144
> User names tried:
> 0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
> 4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
> Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
> (cut...)
>
> Inverse mapping failures: 44
> 44 192.0.2.9 !=> www.example.com
Nice! I'll add this to the documentation directory.
--
Todd Troxell
http://rapidpacket.com/~xtat
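The summariser Markus describes, sketched in Python as an added example (this is not his Perl script, nor part of logcheck). It assumes the report arrives on stdin, that invalid logins appear as sshd "Invalid user X from IP" lines and that reverse-lookup failures appear as "reverse mapping checking getaddrinfo for HOST [IP] failed" lines; sshd wording varies between versions, so the regexes may need adjusting. The sample log lines are constructed.

```python
import re
import sys
from collections import Counter

# Assumed sshd message shapes; adjust for the sshd version in use.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
REVERSE_FAIL = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (\S+) \[(\d+\.\d+\.\d+\.\d+)\] failed")

def summarize(lines):
    """Aggregate ssh scan noise; every other line is kept verbatim."""
    attempts, users, rdns, other = Counter(), Counter(), Counter(), []
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            users[m.group(1)] += 1        # user name tried
            attempts[m.group(2)] += 1     # source address
            continue
        m = REVERSE_FAIL.search(line)
        if m:
            rdns[(m.group(2), m.group(1))] += 1   # (ip, claimed hostname)
            continue
        other.append(line)
    return {"attempts": attempts, "users": users, "rdns": rdns, "other": other}

def render(s):
    """Print the pass-through lines first, then the counts in the report's style."""
    out = list(s["other"])
    if s["attempts"]:
        out += ["", "Invalid SSH login attempts: %d" % sum(s["attempts"].values())]
        out += ["%d %s" % (n, ip) for ip, n in s["attempts"].most_common()]
        out.append("User names tried:")
        out.append(", ".join("%s (%d)" % (u, n) for u, n in sorted(s["users"].items())))
    if s["rdns"]:
        out += ["", "Inverse mapping failures: %d" % sum(s["rdns"].values())]
        out += ["%d %s !=> %s" % (n, ip, host) for (ip, host), n in s["rdns"].most_common()]
    return "\n".join(out)

# Constructed sample input, not real log data.
SAMPLE = [
    "Dec 21 21:55:30 host getty[4302]: tty1: input overrun",
    "Dec 21 21:56:01 host sshd[5120]: Invalid user Aaron from 192.0.2.1",
    "Dec 21 21:56:03 host sshd[5122]: Invalid user Abel from 192.0.2.1",
    "Dec 21 21:56:09 host sshd[5130]: Invalid user Aaron from 192.0.2.2",
    "Dec 21 21:57:12 host sshd[5140]: reverse mapping checking getaddrinfo for www.example.com [192.0.2.9] failed - POSSIBLE BREAK-IN ATTEMPT!",
]

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else [l.rstrip("\n") for l in sys.stdin]
    print(render(summarize(lines)))
```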