Anand Kumria
2005-May-04 02:57 UTC
[Logcheck-devel] Bug#307585: ssh: background noise rules
Package: logcheck
Version: 1.2.39
Severity: wishlist

Hi,

With more and more Internet background radiation, entries like the
following:

sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
sshd[26869]: error: Could not get shadow information for NOUSER

are fairly common. It would be good if these log messages were filtered
out in the server install (there is another set of messages if the user
actually exists).

Thanks,
Anand

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.5-suspend
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages logcheck depends on:
ii  adduser           3.63                     Add and remove users and groups
ii  cron              3.0pl1-86                management of regular background p
ii  debconf [debconf  1.4.30.13                Debian configuration management sy
ii  debianutils       2.8.4                    Miscellaneous utilities specific t
ii  exim4             4.50-4                   metapackage to ease exim MTA (v4)
ii  exim4-daemon-lig  4.50-4                   lightweight exim MTA (v4) daemon
ii  lockfile-progs    0.1.10                   Programs for locking and unlocking
ii  logcheck-databas  1.2.39                   A database of system log rules for
ii  logtail           1.2.39                   Print log file lines that have not
ii  mailx             1:8.1.2-0.20040524cvs-4  A simple mail user agent
ii  sysklogd [system  1.4.1-16                 System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
maximilian attems
2005-May-04 10:55 UTC
Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
tags 307585 wontfix
stop

On Wed, 04 May 2005, Anand Kumria wrote:
> Package: logcheck
> Version: 1.2.39
> Severity: wishlist
>
> Hi,
>
> With more and more Internet background radiation, entries like the
> following:
>
> sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
> sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
> sshd[26869]: error: Could not get shadow information for NOUSER
>
> are fairly common. It would be good if these log messages were filtered
> out in the server install (there is another set of messages if the user
> actually exists).

well i'm surprised we didn't get a bug report earlier.
logcheck needs to trade between worthwhile messages and not.
the fact that a dict attack to any box is going on is worthwhile to be reported.

one should consider restricting access to ssh to trusted ips
either with tcpwrappers or iptables.
another possibility would be to use the recent module in iptables
to reduce the nr. of new connections to the ssh port.

but i'll leave that open for discussion on logcheck-devel.

--
maks
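An added example, not part of the thread and not logcheck code: one way to balance the request (less noise) against the reply (the attack should stay visible) is to collapse the three message shapes quoted in the report into one summary line per source address. The function name, the summary wording and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The three sshd message shapes quoted in the bug report.
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)$")
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for illegal user (\S+) from (\S+) port \d+ ssh2$")
NO_SHADOW = re.compile(
    r"sshd\[\d+\]: error: Could not get shadow information for NOUSER$")

def summarize(lines):
    """Collapse the noise into per-source counts; pass everything else through."""
    sources = defaultdict(lambda: {"failed": 0, "users": set()})
    passthrough = []
    for raw in lines:
        line = raw.rstrip()
        failed = FAILED_PW.search(line)
        match = failed or ILLEGAL_USER.search(line)
        if match:
            user, source = match.groups()
            sources[source]["users"].add(user)
            if failed:
                sources[source]["failed"] += 1
        elif not NO_SHADOW.search(line):
            # Anything that is not exactly one of the three shapes (including a
            # user name with embedded spaces) is still reported verbatim.
            passthrough.append(line)
    report = [
        f"sshd: {s['failed']} failed passwords, {len(s['users'])} unknown "
        f"user names tried from {src}"
        for src, s in sorted(sources.items())
    ]
    return report, passthrough

# Constructed sample: the three lines from the report, plus two made-up lines
# (a second failed attempt and a successful login that must not be hidden).
SAMPLE = [
    "sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25",
    "sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2",
    "sshd[26869]: error: Could not get shadow information for NOUSER",
    "sshd[26970]: Failed password for illegal user patrick from ::ffff:64.227.232.25 port 3401 ssh2",
    "sshd[27001]: Accepted password for alice from 192.0.2.10 port 4000 ssh2",
]

if __name__ == "__main__":
    report, passthrough = summarize(SAMPLE)
    print("\n".join(report + passthrough))
```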
Debian Bug Tracking System
2005-May-04 11:03 UTC
Processed: Re: [Logcheck-devel] Bug#307585: ssh: background noise rules
Processing commands for control at bugs.debian.org:

> tags 307585 wontfix
Bug#307585: ssh: background noise rules
There were no tags set.
Tags added: wontfix

> stop
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)