[Logcheck-devel] cracking.ignore.d

martin f krafft madduck at madduck.net
Fri Aug 31 10:45:56 UTC 2007


Hi folks,

while logcheck's README.logcheck-database says that
cracking.ignore.d is not enabled by default, only README.Maintainer
says that packages should not install files there.

However, all mail servers I administer keep spitting stuff like this
*all* *the* time:

Security Alerts
=-=-=-=-=-=-=-=
Aug 31 05:31:00 clegg postfix/smtpd[21557]: NOQUEUE: reject: RCPT
from unknown[203.154.151.45]: 554 5.7.1 Service unavailable; Client
host [203.154.151.45] blocked using list.dsbl.org;
http://dsbl.org/listing?203.154.151.45;
from=<ifpcounterattack at email-click-cash.net>
to=<jet at sccs.swarthmore.edu> proto=SMTP helo=<BSL4-001.globlex.com>

I don't care, and I think the entire cracking.d layer is a joke.
Logcheck is not an IDS and it cannot detect ongoing attacks.

So instead of maintaining local rules for all systems I administer,
I decided to leverage my role as logcheck maintainer and do
something about it.

And I see two solutions:

1. disable the cracking.d layer
2. duplicate countless postfix rules into cracking.ignore.d and
   install files there with logcheck-database

To be honest, I am much in favour of (1) and shall release logcheck
1.3 in the near future with cracking.d disabled, unless I hear some
valid objections.

Cheers,

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck
 
"being shot is not as bad as i always thought it might be.
 as long as you can keep the fear from your mind."
                                          -- special agent dale cooper
 
spamtraps: madduck.bogus at madduck.net
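
Added illustration (not part of the original message and not logcheck's own code): a simplified shell model of the cracking layer discussed above, showing what option (2) implies for the quoted Postfix line. The rule files, both patterns and the `cracking_layer` function are hypothetical; the message does not say which cracking.d rule actually matched.

```shell
#!/bin/sh
# Added illustration, not logcheck's own code: a model of the cracking layer.
# A line matching a cracking.d pattern is reported under "Security Alerts"
# unless cracking.ignore.d is enabled and one of its rules matches the line.

RULES=$(mktemp -d)

# Hypothetical cracking.d pattern, picked only so the sample matches; the
# message does not say which rule fired.
printf '%s\n' 'blocked using' > "$RULES/cracking"

# Hypothetical cracking.ignore.d rule, anchored to the full line.
cat > "$RULES/cracking.ignore" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [^[:space:]]+: 554 5\.7\.1 Service unavailable; Client host \[[0-9.]+\] blocked using [._[:alnum:]-]+; .*$
EOF

# Constructed: the Postfix line from the message, unwrapped onto one line.
SAMPLE='Aug 31 05:31:00 clegg postfix/smtpd[21557]: NOQUEUE: reject: RCPT from unknown[203.154.151.45]: 554 5.7.1 Service unavailable; Client host [203.154.151.45] blocked using list.dsbl.org; http://dsbl.org/listing?203.154.151.45; from=<ifpcounterattack at email-click-cash.net> to=<jet at sccs.swarthmore.edu> proto=SMTP helo=<BSL4-001.globlex.com>'

# Constructed variant: same rejection, different SMTP status code.
VARIANT=$(printf '%s' "$SAMPLE" | sed 's/554 5\.7\.1/450 4.7.1/')

# cracking_layer LINE IGNORE_ENABLED -> prints alert | ignored | nomatch
cracking_layer() {
    if ! printf '%s\n' "$1" | grep -Eq -f "$RULES/cracking"; then
        echo nomatch            # outside this layer
    elif [ "$2" = 1 ] && printf '%s\n' "$1" | grep -Eq -f "$RULES/cracking.ignore"; then
        echo ignored            # dropped from Security Alerts
    else
        echo alert              # mailed under Security Alerts
    fi
}

cracking_layer "$SAMPLE" 0     # layer enabled, ignore support off (default)
cracking_layer "$SAMPLE" 1     # option 2: rule shipped in cracking.ignore.d
cracking_layer "$VARIANT" 1    # a slightly different rejection still alerts
```

The third call shows why option (2) means duplicating many rules: each ignore rule covers only the exact message shape it was written for.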