[Logcheck-devel] no such user
Todd Troxell
ttroxell at debian.org
Wed Jul 5 11:21:21 UTC 2006
On Tue, Jul 04, 2006 at 11:50:07PM +0200, martin f krafft wrote:
> I have rules like this on my servers:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]:
> [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER
> [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+
> \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$
>
> basically, I just don't care about logins as nonexistent users,
> I get so many of those that I don't even think about contacting
> the netblock operators.
>
> However, is it okay to filter messages of that sort in
> ignore.d.server? I say yes, because there's also paranoid. But
> I want a second opinion on this...
I thought this was previously debated, though I can't locate the thread, so I
may be making that up.
Anyway, my opinion is that it's safe to ignore. An attempt to brute-force
would log mis-authentication of real users anyway.
--
Todd Troxell
http://rapidpacket.com/~xtat
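
Added example, not part of the original thread: the rule from the quoted message run with `grep -E` over three constructed proftpd-style lines. It shows the point made in the reply: the nonexistent-user line is silenced, while a failed login for an existing account is still reported. The function names, the log lines and the account `alice` are assumptions.

```shell
#!/bin/sh
# Added example. RULE is the rule quoted above joined onto one line; the
# backslash before the space after "\]" only escaped a space and is dropped.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\] to [[:digit:].]{7,15}:21$'

# Constructed sample lines (hostnames and addresses are documentation values):
#   1. login attempt for a nonexistent user on port 21
#   2. wrong password for an existing user (assumed message wording)
#   3. nonexistent user on port 2121, outside the rule's ":21$" anchor
sample_log() {
cat <<'EOF'
Jul  4 23:41:07 ftp1 proftpd[4021]: ftp1.example.org (host-a.example.net[192.0.2.45]) - USER admin: no such user found from host-a.example.net [192.0.2.45] to 198.51.100.10:21
Jul  4 23:41:09 ftp1 proftpd[4022]: ftp1.example.org (host-a.example.net[192.0.2.45]) - USER alice (Login failed): Incorrect password.
Jul  4 23:41:12 ftp1 proftpd[4023]: ftp1.example.org (host-a.example.net[192.0.2.45]) - USER admin: no such user found from host-a.example.net [192.0.2.45] to 198.51.100.10:2121
EOF
}

# Lines that would still be reported: everything the rule does not match.
# grep exits 1 when it selects nothing; treat that as success.
surviving() {
    LC_ALL=C grep -Ev -- "$RULE" || [ $? -eq 1 ]
}

# Lines the rule silences.
ignored() {
    LC_ALL=C grep -E -- "$RULE" || [ $? -eq 1 ]
}

# Show what remains in the report after the rule is applied.
sample_log | surviving
```

Only the first line is dropped. The third survives because the rule is anchored to port 21, so a server listening elsewhere needs its own rule.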