Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
On Sat, 02 Jul 2005, Anand Kumria wrote:
> On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> [snip]
>> well i'm surprised we didn't get a bug report earlier.
>> logcheck needs to trade between worthwhile messages and not.
>> the fact that a dict attack to any box is going on is worthwhile to be reported.
>
> It's useful to note a dictionary attack is in progress; however the fact that three messages are being logged by sshd for a non-existent user isn't as useful. Ask yourself this: do either the second or third messages give you any more information than the first? Certainly I can't see any reason why I'd want them versus the first.

logcheck can't distinguish between 3x the same message and 1000x the same message. (and yes there are already wishlist bugs demanding the distinction.) so you'd either ignore a message or not, there is no other possibility right now. and as todd confirmed we can't ignore that message.

>> one should consider restricting access to ssh to trusted ips either with tcpwrappers or iptables. another possibility would be to use the recent module in iptables to reduce the nr. of new connections to the ssh port.
>
> Hmm, higher levels of complexity versus three extra regex rules. I know what I'll be doing on machines I administer.

well in case you add those 3 regex rules you'll bury your head in the sand. ssh has security risks. besides dict attacks it already had exploitable flaws. iirc there is a matrix scene about that. so one better thinks about to whom you open your host.

-- 
maks

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
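The two positions above, run over sample log lines, as an added example that is not part of the bug thread and is not logcheck's own code or rule syntax. It applies Python equivalents of the three ignore rules Anand proposes (logcheck's real rules are egrep patterns in /etc/logcheck/ignore.d.server/ and also have to match the syslog prefix) and then shows the per-source aggregation that maks says logcheck cannot do: counting attempts, distinct user names and time span per IP is what separates three stray probes from a dictionary attack. The syslog prefix, the host name "srv", the second source 198.51.100.9 with its constructed burst, the accepted-login line and the thresholds in classify() are all assumptions made for the example.

```python
"""Illustrative Python, not logcheck's rule files or code.

1. apply_ignore(): the three proposed ignore rules drop every illegal-user
   line, whether a host logs 3 of them or 1000.
2. summarize_illegal_users() + classify(): the per-source aggregation that
   would let a reviewer tell a stray probe from a dictionary attack.
"""
import re
from datetime import datetime

# Python stand-ins for the three ignore rules the report asks for
# (logcheck itself uses egrep regexes that must also match the syslog
# prefix; these match the sshd part of the line only).
IGNORE_RULES = [
    re.compile(r"sshd\[[0-9]+\]: Illegal user [^ ]+ from [0-9a-f.:]+$"),
    re.compile(r"sshd\[[0-9]+\]: Failed password for illegal user [^ ]+ "
               r"from [0-9a-f.:]+ port [0-9]+ ssh2$"),
    re.compile(r"sshd\[[0-9]+\]: error: Could not get shadow information for NOUSER$"),
]

# Parser for the two messages that carry a user name and source address;
# the ":::" prefix seen in the report is consumed by ":*".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ 0-9]{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<kind>Illegal user|Failed password for illegal user) (?P<user>\S+) "
    r"from :*(?P<ip>[0-9.]+)"
)


def build_sample_log():
    """Constructed sample: the three lines from the bug report, one accepted
    login (assumed), and a made-up burst of 40 user names from one host."""
    lines = [
        "May  4 12:55:30 srv sshd[26955]: Illegal user patrick from :::64.227.232.25",
        "May  4 12:55:30 srv sshd[26862]: Failed password for illegal user rolo "
        "from :::64.227.232.25 port 3396 ssh2",
        "May  4 12:55:30 srv sshd[26869]: error: Could not get shadow information for NOUSER",
        "May  4 12:55:31 srv sshd[26870]: Accepted publickey for maks from 192.0.2.7 port 41022 ssh2",
    ]
    for i in range(40):  # two tries per second for 20 seconds
        sec, pid, user = 30 + i // 2, 27000 + i, f"user{i:02d}"
        src = ":::198.51.100.9"
        lines.append(f"May  4 13:00:{sec:02d} srv sshd[{pid}]: Illegal user {user} from {src}")
        lines.append(f"May  4 13:00:{sec:02d} srv sshd[{pid}]: Failed password for illegal user "
                     f"{user} from {src} port {40000 + i} ssh2")
        lines.append(f"May  4 13:00:{sec:02d} srv sshd[{pid}]: error: Could not get shadow "
                     "information for NOUSER")
    return lines


SAMPLE_LOG = build_sample_log()


def apply_ignore(lines, rules=IGNORE_RULES):
    """Return the lines logcheck would still report after the ignore rules."""
    return [ln for ln in lines if not any(r.search(ln) for r in rules)]


def summarize_illegal_users(lines):
    """Group illegal-user activity by source IP.

    Returns {ip: {"attempts": n, "users": set, "first": dt, "last": dt}}.
    Only "Failed password" lines count as attempts (sshd logs one per
    password tried); "Illegal user" lines contribute the user name only.
    NOUSER lines carry neither user nor IP and are skipped by the parser.
    """
    summary = {}
    for ln in lines:
        m = LINE_RE.match(ln)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only spans are used
        s = summary.setdefault(m["ip"], {"attempts": 0, "users": set(), "first": ts, "last": ts})
        s["users"].add(m["user"])
        if m["kind"].startswith("Failed password"):
            s["attempts"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return summary


def classify(summary, min_attempts=10, min_users=5):
    """Label each source 'noise' or 'dictionary attack'. The thresholds are
    assumptions for the example; a slow scan needs a longer window and a
    lower per-window threshold than this."""
    return {
        ip: "dictionary attack"
        if s["attempts"] >= min_attempts or len(s["users"]) >= min_users
        else "noise"
        for ip, s in summary.items()
    }


if __name__ == "__main__":
    print(f"{len(SAMPLE_LOG)} lines in, {len(apply_ignore(SAMPLE_LOG))} left after the 3 ignore rules")
    summary = summarize_illegal_users(SAMPLE_LOG)
    for ip, s in summary.items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {s['attempts']} failed passwords, {len(s['users'])} users, "
              f"{span:.0f}s -> {classify({ip: s})[ip]}")
```

Running it shows the trade-off in one screen: after the three ignore rules only the accepted login survives, so the 40-name burst is as invisible as the single probe, whereas the aggregation reports 64.227.232.25 as noise and 198.51.100.9 as a dictionary attack. Whichever side of the thread one takes, the useful signal is the per-source count, not the individual line.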
Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> tags 307585 wontfix
> stop
>
> On Wed, 04 May 2005, Anand Kumria wrote:
>> Package: logcheck
>> Version: 1.2.39
>> Severity: wishlist
>>
>> Hi,
>>
>> With more and more Internet background radiation, entries like the following:
>>
>> sshd[26955]: Illegal user patrick from :::64.227.232.25
>> sshd[26862]: Failed password for illegal user rolo from :::64.227.232.25 port 3396 ssh2
>> sshd[26869]: error: Could not get shadow information for NOUSER
>>
>> are fairly common. It would be good if these log messages were filtered out in the server install (there is another set of messages if the user actually exists).
>
> well i'm surprised we didn't get a bug report earlier.
> logcheck needs to trade between worthwhile messages and not.
> the fact that a dict attack to any box is going on is worthwhile to be reported.

It's useful to note a dictionary attack is in progress; however the fact that three messages are being logged by sshd for a non-existent user isn't as useful. Ask yourself this: do either the second or third messages give you any more information than the first? Certainly I can't see any reason why I'd want them versus the first.

> one should consider restricting access to ssh to trusted ips either with tcpwrappers or iptables. another possibility would be to use the recent module in iptables to reduce the nr. of new connections to the ssh port.

Hmm, higher levels of complexity versus three extra regex rules. I know what I'll be doing on machines I administer.

> but i'll leave that open for discussion on logcheck-devel.
>
> Our priorities are our users and free software -- http://www.debian.org/social_contract

Thanks,
Anand

-- 
`When any government, or any church for that matter, undertakes to say to its subjects, This you may not read, this you must not see, this you are forbidden to know, the end result is tyranny and oppression no matter how holy the motives' -- Robert A Heinlein, If this goes on --
Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
On Thu, May 05, 2005 at 02:39:49AM -0400, Todd Troxell wrote:
> On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
>> On Wed, 04 May 2005, Anand Kumria wrote:
>>> Package: logcheck
>>> Version: 1.2.39
>>> Severity: wishlist
>>>
>>> sshd[26955]: Illegal user patrick from :::64.227.232.25
>>> sshd[26862]: Failed password for illegal user rolo from :::64.227.232.25 port 3396 ssh2
>>> sshd[26869]: error: Could not get shadow information for NOUSER
>>>
>>> are fairly common. It would be good if these log messages were filtered out in the server install (there is another set of messages if the user actually exists).
>>
>> logcheck needs to trade between worthwhile messages and not.

And somehow you both believe that all three messages are worthwhile? What information do either the second or third message give you?

>> but i'll leave that open for discussion on logcheck-devel.
>
> Yeah, sorry. We really do want to report these scans. We can't differentiate between a stupid worm and a smart delayed dictionary scan. See http://blog.andrew.net.au/2005/02/17 for some mitigation techniques.

Hmm, extra complexity versus extra regexes. No thanks.

Cheers,
Anand

-- 
`When any government, or any church for that matter, undertakes to say to its subjects, This you may not read, this you must not see, this you are forbidden to know, the end result is tyranny and oppression no matter how holy the motives' -- Robert A Heinlein, If this goes on --
Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
On Wed, May 04, 2005 at 12:55:32PM +0200, maximilian attems wrote:
> tags 307585 wontfix
> stop
>
> On Wed, 04 May 2005, Anand Kumria wrote:
>> Package: logcheck
>> Version: 1.2.39
>> Severity: wishlist
>>
>> Hi,
>>
>> With more and more Internet background radiation, entries like the following:
>>
>> sshd[26955]: Illegal user patrick from :::64.227.232.25
>> sshd[26862]: Failed password for illegal user rolo from :::64.227.232.25 port 3396 ssh2
>> sshd[26869]: error: Could not get shadow information for NOUSER
>>
>> are fairly common. It would be good if these log messages were filtered out in the server install (there is another set of messages if the user actually exists).
>
> well i'm surprised we didn't get a bug report earlier.
> logcheck needs to trade between worthwhile messages and not.
> the fact that a dict attack to any box is going on is worthwhile to be reported.
>
> one should consider restricting access to ssh to trusted ips either with tcpwrappers or iptables. another possibility would be to use the recent module in iptables to reduce the nr. of new connections to the ssh port.
>
> but i'll leave that open for discussion on logcheck-devel.

Yeah, sorry. We really do want to report these scans. We can't differentiate between a stupid worm and a smart delayed dictionary scan. See http://blog.andrew.net.au/2005/02/17 for some mitigation techniques.

-- 
[ Todd J. Troxell                                      ,''`.
  Student, Debian GNU/Linux Developer, SysAdmin, Geek  : :' :
  http://debian.org || http://rapidpacket.com/~xtat    `. `'
                                                        `-   ]
Bug#307585: [Logcheck-devel] Bug#307585: ssh: background noise rules
tags 307585 wontfix
stop

On Wed, 04 May 2005, Anand Kumria wrote:
> Package: logcheck
> Version: 1.2.39
> Severity: wishlist
>
> Hi,
>
> With more and more Internet background radiation, entries like the following:
>
> sshd[26955]: Illegal user patrick from :::64.227.232.25
> sshd[26862]: Failed password for illegal user rolo from :::64.227.232.25 port 3396 ssh2
> sshd[26869]: error: Could not get shadow information for NOUSER
>
> are fairly common. It would be good if these log messages were filtered out in the server install (there is another set of messages if the user actually exists).

well i'm surprised we didn't get a bug report earlier.
logcheck needs to trade between worthwhile messages and not.
the fact that a dict attack to any box is going on is worthwhile to be reported.

one should consider restricting access to ssh to trusted ips either with tcpwrappers or iptables. another possibility would be to use the recent module in iptables to reduce the nr. of new connections to the ssh port.

but i'll leave that open for discussion on logcheck-devel.

-- 
maks