Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
maximilian attems
debian at sternwelten.at
Wed May 4 10:55:32 UTC 2005
tags 307585 wontfix
stop
On Wed, 04 May 2005, Anand Kumria wrote:
> Package: logcheck
> Version: 1.2.39
> Severity: wishlist
>
> Hi,
>
> With more and more Internet background radiation, entries like the
> following:
>
> sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
> sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
> sshd[26869]: error: Could not get shadow information for NOUSER
>
> are fairly common. It would be good if these log messages were filtered
> out in the server install (there is another set of messages if the user
> actually exists).
well i'm surprised we didn't get a bug report earlier.
logcheck needs to trade between worthwhile messages and not.
the fact that a dict attack on any box is going on is worthwhile to
be reported.
one should consider restricting access to ssh to trusted ips either with
tcpwrappers or iptables. another possibility would be to use the recent
module in iptables to reduce the number of new connections to the ssh port.
but i'll leave that open for discussion on logcheck-devel.
--
maks
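
Added example, not part of the original mail or of logcheck: a Python script showing a middle ground between the two positions in this thread, collapsing the quoted sshd messages into one summary line per source while every unrecognized line is still reported verbatim. The sample log (the three quoted lines plus two constructed ones) and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the report plus two invented ones.
SAMPLE_LOG = """\
sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
sshd[26869]: error: Could not get shadow information for NOUSER
sshd[27001]: Failed password for root from ::ffff:192.0.2.7 port 4410 ssh2
sshd[27010]: Accepted password for alice from ::ffff:198.51.100.9 port 5000 ssh2
"""

PREFIX = r"sshd\[\d+\]: "
PROBE_PATTERNS = [
    re.compile(PREFIX + r"Illegal user (?P<user>\S+) from (?P<src>\S+)$"),
    re.compile(PREFIX + r"Failed password for (?:illegal user )?(?P<user>\S+) "
               r"from (?P<src>\S+) port \d+ ssh2$"),
]
# This message carries no source address, so it can only be counted.
NO_SOURCE = re.compile(PREFIX + r"error: Could not get shadow information for NOUSER$")

def normalize(src):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4: one host, one key."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src  # not an address literal: keep it as logged
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def summarize(log_text):
    """Return (per_source, no_source_count, other_lines) for a chunk of sshd log."""
    per_source = defaultdict(lambda: {"events": 0, "users": set()})
    no_source, other = 0, []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        match = next((m for p in PROBE_PATTERNS if (m := p.search(line))), None)
        if match:
            entry = per_source[normalize(match["src"])]
            entry["events"] += 1
            entry["users"].add(match["user"])  # attacker-chosen text, never trusted
        elif NO_SOURCE.search(line):
            no_source += 1
        else:
            other.append(line)  # unrecognized lines are never suppressed
    return dict(per_source), no_source, other

if __name__ == "__main__":
    sources, count, rest = summarize(SAMPLE_LOG)
    for src, e in sorted(sources.items()):
        print(f"{src}: {e['events']} failed events, users: {', '.join(sorted(e['users']))}")
    print(f"NOUSER shadow errors: {count}", *rest, sep="\n")
```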