On Wed, 2013-04-10 at 11:23 +0200, Igor Sverkos wrote:
> Hi,
>
> David Lang wrote:
> > This is a good point, but you are missing the fact that you are already
> > logging passwords.
> >
> > You are logging failed login attempts, right?
>
> We are logging login attempts, but we don't log the used credentials
> (only the account name). So we see things like
>

David's point was subtle, you should re-read his mail very carefully. In short, he said users sometimes mistype the password when the account is asked for (so it gets logged) and then immediately correct it (So that you can guess the account name).

Rainer

> > Jan 13 00:19:09 ws337 sshd[6972]: SSH: Server;Ltype: Authname;Remote:
> > 221.174.50.141-57911;Name: ts2 [preauth]
> > Jan 13 00:19:09 ws337 sshd[6972]: Invalid user ts2 from 221.174.50.141
> > Jan 13 00:19:09 ws337 sshd[6972]: input_userauth_request: invalid user ts2
> > [preauth]
> > Jan 13 00:19:09 ws337 sshd[6972]: Received disconnect from 221.174.50.141:
> > 11: Bye Bye [preauth]
>
> in logs, but we don't know what password 221.174.50.141 for user ts2 tried.
>
> Are you really logging the used full credentials from failed logins?
>
> >
> > So you really need to be protecting your log data and/or implement
> > something better than simple password authentication.
>
> Exactly, that's the point! To be honest, I don't know any application,
> which logging mechanism will log full credentials. You can hack and
> modify them, to do that, but this is not the default. So normal logs
> aren't at the same risk in my opinion.
>
> But when you log such data, you should take care... no question.
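
Added example, not part of the original thread: a log scrubber for the case described above, where a password typed at the account prompt is logged as an "invalid user" name and a correct login follows. The 60-second window, the sample lines, and the `Accepted ... for ... from ...` success line are assumptions of this sketch; the "Invalid user" formats are the ones quoted in the mail.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window, tune to taste
HEAD = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
INVALID = re.compile(HEAD + r"Invalid user (?P<user>.*) from (?P<ip>\S+)")
ACCEPTED = re.compile(HEAD + r"Accepted \S+ for \S+ from (?P<ip>\S+)")

# Constructed sample: documentation IP ranges, made-up account and password.
SAMPLE = [
    "Jan 13 00:19:09 ws337 sshd[6972]: Invalid user ts2 from 198.51.100.7",
    "Jan 13 00:19:09 ws337 sshd[6972]: input_userauth_request: invalid user ts2 [preauth]",
    "Jan 13 09:02:11 ws337 sshd[7100]: Invalid user Tr0ub4dor&3 from 192.0.2.10",
    "Jan 13 09:02:11 ws337 sshd[7100]: input_userauth_request: invalid user Tr0ub4dor&3 [preauth]",
    "Jan 13 09:02:25 ws337 sshd[7104]: Accepted password for alice from 192.0.2.10 port 50022 ssh2",
]

def _when(ts):
    # Syslog timestamps carry no year; pin one so parsing is unambiguous.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def redact(lines):
    """Mask 'invalid user' names that are likely mistyped passwords."""
    invalid, accepted = [], []
    for line in lines:
        if m := INVALID.match(line):
            invalid.append((_when(m["ts"]), m["ip"], m["pid"], m["user"]))
        elif m := ACCEPTED.match(line):
            accepted.append((_when(m["ts"]), m["ip"]))
    # Suspicious: same source IP logs in successfully shortly afterwards.
    # Keyed by sshd pid, which is only unique within a short log slice.
    mask = {pid: user for t, ip, pid, user in invalid
            if any(aip == ip and timedelta(0) <= at - t <= WINDOW
                   for at, aip in accepted)}
    out = []
    for line in lines:
        m = re.match(HEAD, line)
        if m and m["pid"] in mask:
            pat = r"(nvalid user )" + re.escape(mask[m["pid"]])
            line = line[:m.end()] + re.sub(pat, r"\1<redacted>", line[m.end():])
        out.append(line)
    return out

if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
```

The scan from 198.51.100.7 is left untouched because no successful login from that address follows it; only the name entered seconds before a success from the same source is masked.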

