Markus Peuhkuri
2005-Dec-23 18:55 UTC
[Logcheck-devel] Bug#307585: ssh summaries for logcheck: a helper script
As the original submitter wrote, the ssh scan noise is a problem as important log entries may get hidden in hundreds of scan lines, and workarounds (rate limits, port changes etc.) just result in problems for legitimate use.

I wrote a small perl script that one can run instead of syslog-summary by defining two lines in logcheck.conf:

SYSLOGSUMMARY=1
SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh

This will print out (instead of 1000+ lines of ssh entries) lines like the ones below:

(normal logcheck output...)
Dec 21 21:55:30 host getty[4302]: tty1: input overrun

Invalid SSH login attempts: 1056
   425 192.0.2.1
   391 192.0.2.2
   121 192.0.2.3
    59 192.0.2.42
    44 192.0.2.9
    12 192.0.2.65
     3 192.0.2.39
     1 192.0.2.144
User names tried:
0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
(cut...)

Inverse mapping failures: 44
    44 192.0.2.9 !=> www.example.com

-- 
Markus Peuhkuri | http://www.iki.fi/puhuri/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log-summary-ssh
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051223/de17f12e/attachment.txt
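The summariser described in the post above, as an added Python example (not Markus's perl script, which is only available as the attachment): it collapses sshd "Invalid user" and reverse-mapping lines into per-IP counts, a sorted list of user names tried, and inverse mapping failures, and passes every other line through untouched. The regexes assume the message wording OpenSSH emitted at the time, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Patterns for the two sshd messages being summarised. Assumption: this is the
# wording OpenSSH used at the time; adjust the regexes for other versions.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+(?:\.\d+){3})")
REVMAP_RE = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for "
                       r"(\S+) \[(\d+(?:\.\d+){3})\] failed")

SAMPLE = [  # constructed sample syslog lines, not real data
    "Dec 21 21:55:30 host getty[4302]: tty1: input overrun",
    "Dec 21 22:01:02 host sshd[5120]: Invalid user admin from 192.0.2.1",
    "Dec 21 22:01:03 host sshd[5121]: Invalid user test from 192.0.2.1",
    "Dec 21 22:01:05 host sshd[5123]: Invalid user admin from 192.0.2.2",
    "Dec 21 22:02:10 host sshd[5130]: reverse mapping checking getaddrinfo for "
    "www.example.com [192.0.2.9] failed - POSSIBLE BREAK-IN ATTEMPT!",
]

def summarize(lines):
    """Return (pass-through lines, attempts per IP, names tried, rDNS failures).
    Only 'Invalid user' lines are counted, so the matching 'Failed password'
    line for the same attempt does not double the totals."""
    other, by_ip, users, revmap = [], Counter(), Counter(), Counter()
    for line in lines:
        line = line.rstrip("\n")
        m = INVALID_RE.search(line)
        if m:
            users[m.group(1)] += 1
            by_ip[m.group(2)] += 1
            continue
        m = REVMAP_RE.search(line)
        if m:
            revmap[(m.group(2), m.group(1))] += 1  # (ip, claimed hostname)
            continue
        other.append(line)  # everything else reaches the report unchanged
    return other, by_ip, users, revmap

def format_summary(other, by_ip, users, revmap):
    """Render the report in the layout the helper script prints."""
    out = list(other)
    if by_ip:
        out += ["", f"Invalid SSH login attempts: {sum(by_ip.values())}"]
        out += [f"{n:>6} {ip}" for ip, n in by_ip.most_common()]
        out.append("User names tried:")
        out.append(", ".join(f"{u} ({n})" for u, n in sorted(users.items())))
    if revmap:
        out += ["", f"Inverse mapping failures: {sum(revmap.values())}"]
        out += [f"{n:>6} {ip} !=> {host}" for (ip, host), n in revmap.most_common()]
    return "\n".join(out)
```

To use it on a real log, call `format_summary(*summarize(open(path)))` on the file logcheck hands to the summary program.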
Todd Troxell
2005-Dec-31 12:29 UTC
Bug#307585: [Logcheck-devel] Bug#307585: ssh summaries for logcheck: a helper script
On Fri, Dec 23, 2005 at 08:55:25PM +0200, Markus Peuhkuri wrote:
> As the original submitter wrote, the ssh scan noise is a problem as important
> log entries may get hidden in hundreds of scan lines, and workarounds
> (rate limits, port changes etc.) just result in problems for legitimate use.
>
> I wrote a small perl script that one can run instead of syslog-summary
> by defining two lines in logcheck.conf:
>
> SYSLOGSUMMARY=1
> SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh
>
> This will print out (instead of 1000+ lines of ssh entries) lines like
> the ones below:
>
> (normal logcheck output...)
> Dec 21 21:55:30 host getty[4302]: tty1: input overrun
>
> Invalid SSH login attempts: 1056
>    425 192.0.2.1
>    391 192.0.2.2
>    121 192.0.2.3
>     59 192.0.2.42
>     44 192.0.2.9
>     12 192.0.2.65
>      3 192.0.2.39
>      1 192.0.2.144
> User names tried:
> 0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
> 4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
> Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
> (cut...)
>
> Inverse mapping failures: 44
>     44 192.0.2.9 !=> www.example.com

Nice! I'll add this to the documentation directory.

-- 
Todd Troxell
http://rapidpacket.com/~xtat