[Logcheck-devel] no such user

martin f krafft madduck at debian.org
Wed Jul 5 21:29:20 UTC 2006

also sprach maximilian attems <maks at sternwelten.at> [2006.07.05.2319 +0200]:
> server restarts,

I think we can filter out some messages here, but the fact that
configuration was reloaded or a server was stopped/started/restarted
*must* be mailed. But it should be 1-2 lines so that no other log
lines are swallowed by e.g. the amavisd-new restart flood.

> unsucessfull login attempts,

for existing users, those should be mailed. For non-existing users,
who cares?

Really, everyone gets scanned all the time, and if a user does not
exist, nothing can happen. Knowing about a scan won't do much to
you, especially if you just got a 50K logcheck mail. If you do want
to complain to the netblock admin, go paranoid, or install
portsentry or some tool that is made to detect scans.

> anomalies??


> empty mails might give the users a sense of security although the
> host has been breached. anyway logcheck is not a realtime monitor.
> happy to hear your thought so that we can better focus on what
> logcheck should do.

anomalies pretty much sums it up. Scans are not anomalies anymore.

 .''`.     martin f. krafft <madduck at debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
if voting could really change things, it would be illegal.
                                         -- revolution books, new york
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature (GPG/PGP)
Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20060705/4afcbf26/attachment.pgp 

More information about the Logcheck-devel mailing list