[Logcheck-devel] no such user

Todd Troxell ttroxell at debian.org
Wed Jul 5 11:21:21 UTC 2006

On Tue, Jul 04, 2006 at 11:50:07PM +0200, martin f krafft wrote:
> I have rules like this on my servers:
>   ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]:
>   [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER
>   [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+
>   \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$
> basically, I just don't care about logins as nonexistent users,
> I get so many of those that I don't even think about contacting
> the netblock operators.
> However, is it okay to filter messages of that sort in
> ignore.d.server? I say yes, because there's also paranoid. But
> I want a second opinion on this...

I thought this was previously debated, though I can't locate the thread, so I
may be making that up.

Anyway, my opinion is that it's safe to ignore.  An attempt to brute-force 
would log mis-authentication of real users anyway.

Todd Troxell

More information about the Logcheck-devel mailing list