I have rules like this on my servers:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$
basically, I just don't care about logins as nonexistent users,
I get so many of those that I don't even think about contacting
the netblock operators.
However, is it okay to filter messages of that sort in
ignore.d.server? I say yes, because there's also paranoid. But
I want a second opinion on this...
--
.''`. martin f. krafft <madduck at debian.org>
: :' : proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
"the good thing about standards is
that there are so many to choose from."
-- andrew s. tanenbaum
On Tue, Jul 04, 2006 at 11:50:07PM +0200, martin f krafft wrote:
> I have rules like this on my servers:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$
>
> basically, I just don't care about logins as nonexistent users,
> I get so many of those that I don't even think about contacting
> the netblock operators.
>
> However, is it okay to filter messages of that sort in
> ignore.d.server? I say yes, because there's also paranoid. But
> I want a second opinion on this...

I thought this was previously debated, though I can't locate the
thread, so I may be making that up. Anyway, my opinion is that it's
safe to ignore. An attempt to brute-force would log mis-authentication
of real users anyway.

--
Todd Troxell
http://rapidpacket.com/~xtat
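The following is an added example, not code from either post or from logcheck itself. It replays the rule from the first message over a handful of constructed proftpd syslog lines the way logcheck applies an ignore.d.server rule file (grep -E -v -f RULEFILE) and shows what the rule swallows and what still reaches the report. It illustrates the reply's point: a "no such user" line is dropped, but a real account failing with a wrong password does not match the rule and is still reported, and the rule is anchored to port 21, so the same message on another port is not touched either. The file names, the log lines (RFC 5737 documentation addresses) and the wording of the "Incorrect password" line are assumptions made for the example; the escaped space before "to" in the posted rule is written as a plain space here, which matches the same thing and avoids the stray-backslash warning of GNU grep 3.8 and later. Note also that ignore.d.server rules are not loaded at the paranoid report level, which is what the "there's also paranoid" remark relies on.

```shell
#!/bin/sh
# Added example (not from the list post or from logcheck): replay the posted
# ignore rule over constructed proftpd log lines the way logcheck applies
# ignore.d.server rules, i.e. grep -E -v -f RULEFILE, and show what remains.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The posted rule on one line, as a logcheck rule file needs it (file name is
# an assumption). "\ to" from the post is written as a plain space; both match
# a single space, and GNU grep 3.8+ warns about the stray backslash.
RULEFILE=$WORK/proftpd
cat >"$RULEFILE" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\] to [[:digit:].]{7,15}:21$
EOF

# Constructed log lines, not real log data (RFC 5737 documentation addresses):
#  1. unknown account                 -> should be ignored by the rule
#  2. real account, wrong password    -> does not match, still reported
#  3. unknown account, port 2121      -> does not match, rule is anchored to :21
#  4. unknown account, two-digit day  -> should be ignored by the rule
LOGFILE=$WORK/sample.log
cat >"$LOGFILE" <<'EOF'
Jul  4 23:50:07 ftp1 proftpd[4182]: ftp1 (scan.example.net[192.0.2.10]) - USER webmaster: no such user found from scan.example.net [192.0.2.10] to 198.51.100.5:21
Jul  4 23:50:09 ftp1 proftpd[4183]: ftp1 (scan.example.net[192.0.2.10]) - USER bob (Login failed): Incorrect password.
Jul  4 23:50:11 ftp1 proftpd[4184]: ftp1 (scan.example.net[192.0.2.10]) - USER admin: no such user found from scan.example.net [192.0.2.10] to 198.51.100.5:2121
Jul 14 03:12:44 ftp1 proftpd[5201]: ftp1 (client.example.org[203.0.113.7]) - USER alice: no such user found from client.example.org [203.0.113.7] to 198.51.100.5:21
EOF

# Lines logcheck would still put in its report: everything no rule matches.
# Usage: remaining RULEFILE LOGFILE
remaining() {
    grep -E -v -f "$1" "$2" || true   # grep exits 1 when every line was ignored
}

# Number of lines the rule file swallows.
# Usage: ignored_count RULEFILE LOGFILE
ignored_count() {
    grep -E -c -f "$1" "$2" || true   # -c prints 0 (and exits 1) when nothing matches
}

echo "ignored by the rule: $(ignored_count "$RULEFILE" "$LOGFILE") line(s)"
echo "still reported:"
remaining "$RULEFILE" "$LOGFILE"
```

Running it reports two lines ignored (the two well-formed "no such user" lines) and two still reported: the failed login of the real account and the "no such user" attempt against port 2121. To try the rule against your own logs, point LOGFILE at a copy of the proftpd lines from syslog; anything that still prints is what logcheck would mail you at the server level.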