Hi,

David Lang wrote:
> This is a good point, but you are missing the fact that you are already
> logging passwords.
>
> You are logging failed login attempts, right?

We are logging login attempts, but we don't log the credentials used (only the account name). So we see things like

> Jan 13 00:19:09 ws337 sshd[6972]: SSH: Server;Ltype: Authname;Remote:
> 221.174.50.141-57911;Name: ts2 [preauth]
> Jan 13 00:19:09 ws337 sshd[6972]: Invalid user ts2 from 221.174.50.141
> Jan 13 00:19:09 ws337 sshd[6972]: input_userauth_request: invalid user ts2
> [preauth]
> Jan 13 00:19:09 ws337 sshd[6972]: Received disconnect from 221.174.50.141:
> 11: Bye Bye [preauth]

in logs, but we don't know what password 221.174.50.141 tried for user ts2. Are you really logging the full credentials used in failed logins?

> So you really need to be protecting your log data and/or implement
> something better than simple password authentication.

Exactly, that's the point! To be honest, I don't know of any application whose logging mechanism will log full credentials. You can hack and modify them to do that, but this is not the default. So normal logs aren't at the same risk, in my opinion. But when you log such data, you should take care... no question.

--
Regards,
Igor
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

