Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
Todd Troxell
ttroxell at debian.org
Thu May 5 06:39:49 UTC 2005
On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> tags 307585 wontfix
> stop
>
> On Wed, 04 May 2005, Anand Kumria wrote:
>
> > Package: logcheck
> > Version: 1.2.39
> > Severity: wishlist
> >
> > Hi,
> >
> > With more and more Internet background radiation, entries like the
> > following:
> >
> > sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
> > sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
> > sshd[26869]: error: Could not get shadow information for NOUSER
> >
> > are fairly common. It would be good if these log messages were filtered
> > out in the server install (there is another set of messages if the user
> > actually exists).
>
> well i'm surprised we didn't get a bug report earlier.
>
> logcheck needs to trade between worthwhile messages and not.
> the fact that a dict attack to any box is going on is worthwhile to
> be reported.
>
> one should consider restricting access to ssh to trusted ips either with
> tcpwrappers or iptables. another possibility would be to use the recent
> module in iptables to reduce the nr. of new connections to the ssh port.
>
> but i'll leave that open for discussion on logcheck-devel.
Yeah, sorry. We really do want to report these scans. We can't
differentiate between a stupid worm and a smart delayed dictionary scan.
See http://blog.andrew.net.au/2005/02/17 for some mitigation techniques.
--
[ Todd J. Troxell ,''`.
Student, Debian GNU/Linux Developer, SysAdmin, Geek : :' :
http://debian.org || http://rapidpacket.com/~xtat `. `'
`- ]
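As an added illustration of the trade-off the thread is about (this is example code written for this page, not part of the bug report and not logcheck's own rule or code): instead of silently dropping the "Illegal user" / "Failed password" lines, a defender can parse them, fold the IPv4-mapped `::ffff:` form back to a plain address, and aggregate attempts per source so a single alert carries the evidence of a scan rather than one line per guess. The log lines below are constructed from the three messages quoted in the report; the syslog timestamps, hostname, the `192.0.2.10` peer and the `alice` login are made up for the example, and the threshold of 3 is an arbitrary choice.

```python
import re
from collections import defaultdict

# Matches the two sshd message shapes quoted in the bug report (OpenSSH 3.x wording).
# The syslog prefix (date, host) is not part of the pattern, so both full syslog
# lines and the bare "sshd[pid]: ..." fragments pasted in the report parse.
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal user (?P<user1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:illegal user )?(?P<user2>\S+) from (?P<ip2>\S+) port \d+ ssh2)"
)


def normalize_ip(ip):
    """sshd on a dual-stack socket logs IPv4 peers as ::ffff:a.b.c.d; strip the prefix
    so the same host is not counted twice under two spellings."""
    if ip.lower().startswith("::ffff:"):
        return ip[len("::ffff:"):]
    return ip


def parse_line(line):
    """Return (source_ip, username) for a failed or illegal-user sshd event, else None."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    user = m.group("user1") or m.group("user2")
    ip = m.group("ip1") or m.group("ip2")
    return normalize_ip(ip), user


def summarize(lines, threshold=3):
    """Group failed/illegal-user events by source address and flag sources that
    reach `threshold` attempts. Only lines the regex recognises are counted; the
    'Could not get shadow information' error line is ignored on purpose."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, user = parsed
            attempts[ip].append(user)
    report = {}
    for ip, users in attempts.items():
        report[ip] = {
            "attempts": len(users),
            "distinct_users": len(set(users)),
            "suspected_scan": len(users) >= threshold,
        }
    return report


def flagged_sources(report):
    """Source addresses worth reporting, most attempts first."""
    hits = [ip for ip, r in report.items() if r["suspected_scan"]]
    return sorted(hits, key=lambda ip: report[ip]["attempts"], reverse=True)


# Constructed sample log: the three messages from the report plus one benign
# login sequence from a made-up peer (timestamps and hostname are constructed).
SAMPLE_LOG = [
    "May  4 12:50:01 host sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25",
    "May  4 12:50:03 host sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2",
    "May  4 12:50:03 host sshd[26869]: error: Could not get shadow information for NOUSER",
    "May  4 12:50:05 host sshd[26870]: Illegal user admin from ::ffff:64.227.232.25",
    "May  4 12:51:10 host sshd[26901]: Failed password for alice from 192.0.2.10 port 40122 ssh2",
    "May  4 12:51:14 host sshd[26901]: Accepted password for alice from 192.0.2.10 port 40122 ssh2",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in flagged_sources(summary):
        r = summary[ip]
        print(f"{ip}: {r['attempts']} failed attempts, {r['distinct_users']} distinct usernames")
```

The aggregation only sees what is in the window of lines it is handed, which is exactly the limitation Todd points at: a burst from one worm is obvious, but a dictionary scan that spaces its guesses across hours stays under any per-run threshold unless the counts are persisted across runs. That is why the maintainers prefer to keep reporting the raw lines and push the rate limiting to tcpwrappers or the iptables recent module, where the state lives in the kernel rather than in the log reader.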