[Logcheck-devel] no such user
martin f krafft
madduck at debian.org
Wed Jul 5 21:29:20 UTC 2006
thus spoke maximilian attems <maks at sternwelten.at> [2006.07.05.2319 +0200]:
> server restarts,
I think we can filter out some messages here, but the fact that
configuration was reloaded or a server was stopped/started/restarted
*must* be mailed. But it should be 1-2 lines so that no other log
lines are swallowed by e.g. the amavisd-new restart flood.
> unsuccessful login attempts,
for existing users, those should be mailed. For non-existing users,
who cares?
Really, everyone gets scanned all the time, and if a user does not
exist, nothing can happen. Knowing about a scan won't do much to
you, especially if you just got a 50K logcheck mail. If you do want
to complain to the netblock admin, go paranoid, or install
portsentry or some tool that is made to detect scans.
> anomalies??
Yes.
> empty mails might give the users a sense of security although the
> host has been breached. anyway logcheck is not a realtime monitor.
> happy to hear your thoughts so that we can better focus on what
> logcheck should do.
anomalies pretty much sums it up. Scans are not anomalies anymore.
--
.''`. martin f. krafft <madduck at debian.org>
: :' : proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
if voting could really change things, it would be illegal.
-- revolution books, new york
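
The filtering policy argued for in this message, sketched as an added example that is not part of the original post and not logcheck's own code: failed logins for non-existent accounts are dropped, failures for real accounts and anything unrecognised are reported, and a start/stop/reload flood is collapsed to one line per service. It assumes OpenSSH's usual "Failed password for [invalid user] NAME" wording; the daemon name `exampled`, the function `triage` and the log lines are constructed for illustration.

```python
import re

# Constructed sample syslog lines (not from the thread). "exampled" is a
# hypothetical daemon; the sshd wording is assumed to follow OpenSSH's usual form.
SAMPLE = """\
Jul  5 21:00:01 host exampled[812]: restarting on configuration reload
Jul  5 21:00:01 host exampled[812]: starting worker 1
Jul  5 21:00:01 host exampled[812]: starting worker 2
Jul  5 21:03:10 host sshd[901]: Invalid user oracle from 192.0.2.7
Jul  5 21:03:12 host sshd[901]: Failed password for invalid user oracle from 192.0.2.7 port 4431 ssh2
Jul  5 21:04:40 host sshd[915]: Failed password for alice from 192.0.2.9 port 5120 ssh2
Jul  5 21:05:02 host kernel: constructed anomaly: I/O error on device sda1
""".splitlines()

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Scan noise: the account named in the attempt does not exist on this host.
NO_SUCH_USER = re.compile(r"^(?:Invalid user \S+ from |Failed password for invalid user )")
FAILED_LOGIN = re.compile(r"^Failed password for \S+ from ")
# Service lifecycle events: must be reported, but only once per service.
LIFECYCLE = re.compile(r"\b(?:(?:re)?(?:start|stop)|reload)(?:p?ed|p?ing|s)?\b", re.I)

def triage(lines):
    """Return the lines a report should carry under the policy described above."""
    report, lifecycle_seen = [], {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:                        # unparsable input is itself an anomaly
            report.append(line)
            continue
        prog, msg = m["prog"], m["msg"]
        if NO_SUCH_USER.match(msg):      # nothing can happen: drop it
            continue
        # The FAILED_LOGIN guard keeps a login failure for a user named
        # e.g. "restart" from being folded into a lifecycle summary.
        if LIFECYCLE.search(msg) and not FAILED_LOGIN.match(msg):
            if prog in lifecycle_seen:   # flood: count it, do not repeat it
                lifecycle_seen[prog][1] += 1
                continue
            lifecycle_seen[prog] = [len(report), 0]
        report.append(line)              # first lifecycle line, real-user failure, or anomaly
    for prog, (idx, extra) in lifecycle_seen.items():
        if extra:
            report[idx] += f"  [+{extra} more start/stop/reload lines from {prog}]"
    return report

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```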