On Tue, Jul 04, 2006 at 11:50:07PM +0200, martin f krafft wrote:
> I have rules like this on my servers:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]:
> [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER
> [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+
> \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$
>
> basically, I just don't care about logins as nonexistent users,
> I get so many of those that I don't even think about contacting
> the netblock operators.
>
> However, is it okay to filter messages of that sort in
> ignore.d.server? I say yes, because there's also paranoid. But
> I want a second opinion on this...
I thought this was previously debated, though I can't locate the thread, so I
may be making that up.
Anyway, my opinion is that it's safe to ignore. An attempt to brute-force
would log mis-authentication of real users anyway.
--
Todd Troxell
http://rapidpacket.com/~xtat
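
Added example, not part of the original messages or of logcheck itself: the rule from the quoted post, joined back onto one line, applied to constructed proftpd log lines to check what it hides and what still gets reported. Assumptions: `grep -E -v` stands in for logcheck's ignore filtering, and the sample lines, host names and addresses are made up for the test.

```shell
#!/bin/sh
# Rule as posted in the quoted message, with the e-mail line wrapping undone.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$'

# Constructed sample log (documentation addresses, hypothetical host "ftp1").
# Two attempts on nonexistent users, then two failed logins for a real account.
sample_log() {
cat <<'EOF'
Jul  4 23:41:07 ftp1 proftpd[4211]: ftp1.example.org (198.51.100.23[198.51.100.23]) - USER admin: no such user found from 198.51.100.23 [198.51.100.23] to 192.0.2.10:21
Jul  4 23:41:09 ftp1 proftpd[4212]: ftp1.example.org (198.51.100.23[198.51.100.23]) - USER test: no such user found from 198.51.100.23 [198.51.100.23] to 192.0.2.10:21
Jul  4 23:41:12 ftp1 proftpd[4213]: ftp1.example.org (198.51.100.23[198.51.100.23]) - USER alice (Login failed): Incorrect password.
Jul  4 23:41:15 ftp1 proftpd[4214]: ftp1.example.org (198.51.100.23[198.51.100.23]) - USER alice (Login failed): Incorrect password.
EOF
}

# Lines that would still be reported: everything the ignore rule does NOT match.
# stderr is discarded because some grep builds warn about the backslash-space
# in the rule as posted; the match result is unaffected.
reported_lines() {
    sample_log | grep -E -v -e "$RULE" 2>/dev/null
}

# Lines the rule suppresses, to confirm it matches what it is meant to match.
ignored_lines() {
    sample_log | grep -E -e "$RULE" 2>/dev/null
}

echo "ignored:";  ignored_lines
echo "reported:"; reported_lines
```

The two "no such user found" lines are dropped, while both failed logins for the existing account remain in the report, which is the case the reply relies on.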