On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> tags 307585 wontfix
> stop
>
> On Wed, 04 May 2005, Anand Kumria wrote:
>
> > Package: logcheck
> > Version: 1.2.39
> > Severity: wishlist
> >
> > Hi,
> >
> > With more and more Internet background radiation, entries like the
> > following:
> >
> >   sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
> >   sshd[26862]: Failed password for illegal user rolo from
> >   ::ffff:64.227.232.25 port 3396 ssh2
> >   sshd[26869]: error: Could not get shadow information for NOUSER
> >
> > are fairly common. It would be good if these log messages were filtered
> > out in the server install (there is another set of messages if the user
> > actually exists).
>
> Well, I'm surprised we didn't get a bug report earlier.
>
> logcheck needs to trade between worthwhile messages and not.
> The fact that a dict attack on any box is going on is worthwhile to
> be reported.
>
> One should consider restricting access to ssh to trusted IPs either with
> tcpwrappers or iptables. Another possibility would be to use the recent
> module in iptables to reduce the number of new connections to the ssh port.
>
> But I'll leave that open for discussion on logcheck-devel.
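As an added example (not from the bug report, the maintainer, or the logcheck package), here is what the two mitigations suggested above look like written out as a script: iptables rules using the "recent" module to limit how many new connections a single source may open to the ssh port, and a tcpwrappers hosts.allow/hosts.deny pair that only lets a trusted network reach sshd. The trusted network 192.0.2.0/24, the port, and the 60-second / 4-connection window are assumed values chosen for the example, and the APPLY switch is this script's own convention, not an iptables or tcpwrappers feature.

```shell
#!/bin/sh
# Added example, not part of the bug thread: the two mitigations the
# maintainer mentions, written out. Defaults to printing what it would do;
# set APPLY=1 to really run iptables / write the tcpwrappers files.
# SSH_PORT, WINDOW and HITS are assumed, adjustable values.

SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"   # seconds a source stays in the "recent" list
HITS="${HITS:-4}"        # new connections a source may open per WINDOW

# Run a command, or just print it when APPLY is not 1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# ssh_ratelimit_rules [TRUSTED_CIDR]
# Emits the INPUT rules. The DROP rule (--update --hitcount) has to come
# before the --set rule: --update only records a hit when it matches, so a
# source is dropped once HITS connections were already seen within WINDOW
# seconds, while --set records every connection that gets accepted.
ssh_ratelimit_rules() {
    if [ -n "$1" ]; then
        run iptables -A INPUT -p tcp --dport "$SSH_PORT" -s "$1" -j ACCEPT
    fi
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name SSH --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name SSH --set -j ACCEPT
}

# tcpwrappers_policy TRUSTED_CIDR [ETC_DIR]
# hosts.allow/hosts.deny that let only TRUSTED_CIDR reach sshd. Replaces
# any existing files; only effective when sshd is linked against libwrap.
tcpwrappers_policy() {
    trusted="$1"; etc="${2:-/etc}"
    if [ "${APPLY:-0}" = "1" ]; then
        printf 'sshd: %s\n' "$trusted" > "$etc/hosts.allow"
        printf 'sshd: ALL\n' > "$etc/hosts.deny"
    else
        printf '%s/hosts.allow: sshd: %s\n' "$etc" "$trusted"
        printf '%s/hosts.deny: sshd: ALL\n' "$etc"
    fi
}

# Dry run, with a documentation-range network standing in for a real one.
ssh_ratelimit_rules 192.0.2.0/24
tcpwrappers_policy 192.0.2.0/24
```

Two caveats a practitioner would want: the recent-module rules limit how often a source may open a new connection, not how many passwords it may try inside one connection (that is sshd's MaxAuthTries), and they do nothing against a scan spread over many source addresses. The unconditional ACCEPT for the trusted network is what keeps an administrator who mistypes a few times from rate-limiting themselves out.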
Yeah, sorry. We really do want to report these scans. We can't
differentiate between a stupid worm and a smart delayed dictionary scan.
See http://blog.andrew.net.au/2005/02/17 for some mitigation techniques.

-- 
[ Todd J. Troxell                                        ,''`.
  Student, Debian GNU/Linux Developer, SysAdmin, Geek    : :' :
  http://debian.org || http://rapidpacket.com/~xtat      `. `'
                                                           `-   ]
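An added example, not part of Todd's message or of logcheck's own rule files: a small per-source threshold detector run over constructed sshd lines of the kind quoted in the report. It illustrates the point about not being able to tell a worm from a delayed dictionary scan: the same four illegal-user attempts trip a one-minute window when they arrive in a burst and slip under it when spread across the day, so any fixed threshold that hides the burst also hides the slow scan, or needs a window so long it reports almost everything anyway. The second source address (198.51.100.7) and all timestamps are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the bug thread. Counts the sshd "illegal user"
# lines quoted in the report per source and time bucket, to show that a
# threshold catches a bursty worm but not a slow, paced scan.

# Constructed sample logs in syslog format. The IPv4-mapped IPv6 source form
# (::ffff:a.b.c.d) is the one the report shows; the second source and the
# timestamps are made up for this example.
BURST='May  4 12:55:30 host sshd[26955]: Illegal user patrick from ::ffff:64.227.232.25
May  4 12:55:31 host sshd[26862]: Failed password for illegal user rolo from ::ffff:64.227.232.25 port 3396 ssh2
May  4 12:55:31 host sshd[26869]: error: Could not get shadow information for NOUSER
May  4 12:55:33 host sshd[26870]: Illegal user test from ::ffff:64.227.232.25
May  4 12:55:34 host sshd[26871]: Illegal user admin from ::ffff:64.227.232.25'

SLOW='May  4 01:12:02 host sshd[3001]: Illegal user patrick from ::ffff:198.51.100.7
May  4 04:47:19 host sshd[3188]: Illegal user rolo from ::ffff:198.51.100.7
May  4 09:03:40 host sshd[3412]: Illegal user test from ::ffff:198.51.100.7
May  4 15:30:05 host sshd[4020]: Illegal user admin from ::ffff:198.51.100.7'

# detect_dict_scan WINDOW_SECONDS THRESHOLD  < logfile
# Prints each source that produced THRESHOLD or more illegal-user lines
# inside one WINDOW_SECONDS bucket. Buckets are aligned to midnight and a
# single day of log is assumed, so the month/day fields are ignored.
detect_dict_scan() {
    awk -v win="$1" -v thr="$2" '
        /sshd\[[0-9]+\]: (Illegal user|Failed password for illegal user) / {
            split($3, t, ":")                  # HH:MM:SS -> seconds since midnight
            sec = t[1] * 3600 + t[2] * 60 + t[3]
            src = $0
            sub(/.* from /, "", src)           # keep text after the last " from "
            sub(/ .*/, "", src)                # drop "port NNNN ssh2"
            sub(/^::ffff:/, "", src)           # normalise the IPv4-mapped IPv6 form
            key = src SUBSEP int(sec / win)
            if (++n[key] == thr) print src     # report once per (source, bucket)
        }' | sort -u
}

# Same number of attempts, different pacing: only the burst trips a
# one-minute window; a day-long window is needed to see the slow scan.
printf '%s\n' "$BURST" | detect_dict_scan 60 3       # -> 64.227.232.25
printf '%s\n' "$SLOW"  | detect_dict_scan 60 3       # -> (nothing)
printf '%s\n' "$SLOW"  | detect_dict_scan 86400 3    # -> 198.51.100.7
```

The "error: Could not get shadow information for NOUSER" line carries no source address, so the pattern deliberately skips it; if you do add a rate rule like this to a logcheck setup, that third message type still has to be matched separately or it will keep showing up on its own.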