On Tue, Sep 21, 2004 at 01:45:46PM +0100, Steve Kemp wrote:
> On Sun, 19 Sep 2004, martin f krafft wrote:
> > > If you ask me, logcheck should learn how to evaluate log messages in
> > > their context...
>   If you want to have instant alerts of problems then logcheck is 
>  what you want.  If you want to ignore some things and still receive timely
>  alerts then you're looking at something which can read your mind!
>   If you can define what it is you don't want to see then logcheck
>  can handle that via the pattern files in logcheck's ignore.d/ hierarchy.

 Not if the pattern you want to ignore is more than one line.  egrep is
purely line-by-line.  This worm (or script-kiddie zombie?) always tries
root, admin, then test, ...

 If it ever starts trying account names that actually exist, and aren't
blocked from logging in entirely, I might see if I can get something to use
iptables to block that IP for 15 minutes after seeing that sequence, since
it's a perfect signal that it's a bogus attack, and that it will try a bunch
of logins right away, then never come back.

 Has anyone logged the passwords these attacks try?

#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
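The multi-line problem raised above, worked through as an added example (it is not part of the original mail and not logcheck's own code): a per-line egrep ignore rule cannot say "root, then admin, then test from the same host", but a small script that groups failed logins by source address and checks the order of usernames can. The sshd log lines and addresses are constructed for the example; the username sequence is the one the mail describes. Lines that form the recognised run are suppressed, while any other failure from the same host, such as an attempt against a real account, stays in the report.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the original mail). 10.0.0.5 shows the
# root/admin/test run and then tries a real account; 198.51.100.9 tries two of
# the names in the wrong order and must not match.
SAMPLE_LOG = """\
Sep 21 13:40:01 host sshd[1201]: Failed password for illegal user root from 10.0.0.5 port 40001 ssh2
Sep 21 13:40:02 host sshd[1202]: Failed password for illegal user admin from 10.0.0.5 port 40002 ssh2
Sep 21 13:40:03 host sshd[1203]: Failed password for illegal user test from 10.0.0.5 port 40003 ssh2
Sep 21 13:40:04 host sshd[1204]: Failed password for alice from 10.0.0.5 port 40004 ssh2
Sep 21 13:41:10 host sshd[1210]: Failed password for alice from 192.0.2.7 port 50001 ssh2
Sep 21 13:42:00 host sshd[1211]: Failed password for illegal user admin from 198.51.100.9 port 40010 ssh2
Sep 21 13:42:01 host sshd[1212]: Failed password for illegal user root from 198.51.100.9 port 40011 ssh2
"""

# The ordered username run the mail describes; assumed to be the whole signature.
SIGNATURE = ("root", "admin", "test")

# Matches both the older "illegal user" and the newer "invalid user" sshd wording.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def classify(text, signature=SIGNATURE):
    """Split a log into (sources, suppressed, remaining).

    sources    - set of IPs whose failed logins contain `signature` as a
                 contiguous, ordered run (the multi-line context egrep lacks)
    suppressed - the lines that make up those runs, in file order
    remaining  - every other line, including later failures from a flagged IP,
                 which is what should still reach the logcheck report
    """
    lines = text.splitlines()
    per_ip = defaultdict(list)  # ip -> [(line_index, username), ...] in order
    for idx, line in enumerate(lines):
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")].append((idx, m.group("user")))

    suppressed_idx = set()
    sources = set()
    n = len(signature)
    for ip, entries in per_ip.items():
        users = [user for _, user in entries]
        for i in range(len(users) - n + 1):
            if tuple(users[i:i + n]) == signature:
                sources.add(ip)
                suppressed_idx.update(idx for idx, _ in entries[i:i + n])

    suppressed = [lines[i] for i in sorted(suppressed_idx)]
    remaining = [line for i, line in enumerate(lines) if i not in suppressed_idx]
    return sources, suppressed, remaining


if __name__ == "__main__":
    sources, suppressed, remaining = classify(SAMPLE_LOG)
    print("hosts showing the root/admin/test run:", sorted(sources))
    print("lines suppressed from the report:", len(suppressed))
    print("lines still reported:")
    for line in remaining:
        print("  " + line)
```

Run as a filter in front of the report (or fed by `tail -f`), the `sources` set is the signal the mail wants for a temporary firewall rule, and `remaining` is what logcheck should still mail out; the alice attempt from 10.0.0.5 survives precisely because only the recognised run is dropped.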

