martin f krafft
2006-Jul-03 05:46 UTC
[Logcheck-devel] Bug#376462: new ignore.d.server/ssh rules
Package: logcheck-database
Version: 1.2.44
Severity: wishlist
Tags: patch

Rationale: unless you're paranoid, you don't really care about people
banging your SSH port and trying random user names.

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [-[:alnum:]]+ from (::ffff:)?[.[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck at debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
martin f krafft
2006-Jul-03 06:55 UTC
[Logcheck-devel] Bug#376462: new ignore.d.server/ssh rules
also sprach martin f krafft <madduck at debian.org> [2006.07.03.0746 +0200]:
> Rationale: unless you're paranoid, you don't really care about
> people banging your SSH port and trying random user names.
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [-[:alnum:]]+ from (::ffff:)?[.[:digit:]]+$
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$

It then makes sense to add these to violations.ignore.d/ssh:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for illegal user [[:alnum:]]+ from [_.[:alnum:]-]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [-_.[:alnum:]]+ from (::ffff:)?[.[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password) for i(llegal|nvalid) user [[:alnum:]]+ from (::ffff:)?[.[:digit:]]+ port [[:digit:]]{1,5} ssh2$
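As an added example that is not part of the bug report, the three violations.ignore.d/ssh patterns proposed above are run with grep -E against constructed sshd log lines, the way logcheck applies its rule files, to show which lines get suppressed and which (failed or accepted logins for a real account such as root) are still reported. The hostname `example`, the 192.0.2.x addresses and the user names are made up.

```shell
#!/bin/sh
# Added example, not from the bug report. Requires GNU grep: the patterns
# use \w, which is a GNU extension to POSIX ERE (Debian's logcheck runs
# them through GNU grep -E). The rules are the three proposed in the message.
R1='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for illegal user [[:alnum:]]+ from [_.[:alnum:]-]+$'
R2='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [-_.[:alnum:]]+ from (::ffff:)?[.[:digit:]]+$'
R3='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password) for i(llegal|nvalid) user [[:alnum:]]+ from (::ffff:)?[.[:digit:]]+ port [[:digit:]]{1,5} ssh2$'

# Constructed sample syslog lines (hostname, addresses and users are made up).
# The first four are the noise the rules are meant to drop; the last two
# concern the real account "root" and must survive the filter.
SAMPLE='Jul  3 05:46:01 example sshd[12345]: Invalid user oracle from 192.0.2.10
Jul  3 05:46:01 example sshd[12345]: Failed password for invalid user oracle from 192.0.2.10 port 40122 ssh2
Jul  3 05:46:01 example sshd[12345]: error: PAM: User not known to the underlying authentication module for illegal user oracle from 192.0.2.10
Jul  3 05:46:02 example sshd[12346]: Invalid user test-1 from ::ffff:192.0.2.10
Jul  3 05:46:02 example sshd[12346]: Failed password for root from 192.0.2.10 port 40123 ssh2
Jul  3 05:46:03 example sshd[12347]: Accepted publickey for root from 192.0.2.10 port 40124 ssh2'

# ignored LINE: exit 0 when some ignore rule matches the whole line,
# i.e. when logcheck would drop it from the report.
ignored() {
    printf '%s\n' "$1" | grep -E -q -e "$R1" -e "$R2" -e "$R3"
}

# report: read log lines on stdin, print only those no rule matches,
# which is what logcheck would still mail out.
report() {
    grep -E -v -e "$R1" -e "$R2" -e "$R3"
}

# count_reported: number of constructed sample lines that survive the filter.
count_reported() {
    printf '%s\n' "$SAMPLE" | report | wc -l | tr -d ' '
}

# Show the verdict for every sample line.
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    if ignored "$line"; then
        echo "ignored:  $line"
    else
        echo "REPORTED: $line"
    fi
done
```

Note that the first and third patterns accept only alphanumeric user names while the second also allows `-`, `_` and `.`, so a PAM or "Failed password" line about an invalid user such as `test-1` would still be reported.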