On Fri, Dec 23, 2005 at 08:55:25PM +0200, Markus Peuhkuri wrote:
> As original submitter wrote, the ssh scan noise is a problem as important
> log entries may get hidden into hundreds of scan lines and workarounds
> (rate limits, port changes etc.) result just in problems for legitimate use.
>
> I wrote a small perl script that one can run instead of syslog-summary
> by defining two lines in logcheck.conf:
>
> SYSLOGSUMMARY=1
> SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh
>
> This will print out (instead of 1000+ lines of ssh entries) lines like
> ones below:
>
> (normal logcheck output...)
> Dec 21 21:55:30 host getty[4302]: tty1: input overrun
>
> Invalid SSH login attempts: 1056
>    425 192.0.2.1
>    391 192.0.2.2
>    121 192.0.2.3
>     59 192.0.2.42
>     44 192.0.2.9
>     12 192.0.2.65
>      3 192.0.2.39
>      1 192.0.2.144
> User names tried:
> 0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
> 4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
> Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
> (cut...)
>
> Inverse mapping failures: 44
>     44 192.0.2.9 !=> www.example.com
Nice! I'll add this to the documentation directory.

-- 
Todd Troxell
http://rapidpacket.com/~xtat
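The condensing step the quoted script performs, as an added Python example that is not Markus Peuhkuri's perl script: it folds sshd "Invalid user" and reverse-mapping lines from a constructed sample syslog into per-IP and per-user counts in the layout shown above, and passes every other line through for logcheck unchanged. The sshd message formats matched by the regexes are assumed, as is the sample input.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post); the sshd
# message formats assumed here follow OpenSSH's "Invalid user" and
# "reverse mapping checking getaddrinfo" messages.
SAMPLE_LOG = """\
Dec 21 21:55:30 host getty[4302]: tty1: input overrun
Dec 21 22:01:02 host sshd[5120]: Invalid user Aaron from 192.0.2.1
Dec 21 22:01:03 host sshd[5121]: Invalid user Aba from 192.0.2.1
Dec 21 22:01:04 host sshd[5122]: Invalid user Aaron from 192.0.2.2
Dec 21 22:01:05 host sshd[5123]: reverse mapping checking getaddrinfo for www.example.com [192.0.2.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 21 22:01:06 host sshd[5124]: Invalid user Castro from 192.0.2.9
"""

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
REVMAP_RE = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo "
                       r"for (\S+) \[(\S+)\] failed")

def summarize(lines):
    """Fold scan noise into counters; return other lines untouched."""
    passthrough, by_ip, by_user, revmap = [], Counter(), Counter(), Counter()
    for line in lines:
        if m := INVALID_RE.search(line):
            user, ip = m.groups()
            by_ip[ip] += 1
            by_user[user] += 1
        elif m := REVMAP_RE.search(line):
            host, ip = m.groups()
            revmap[(ip, host)] += 1
        else:
            passthrough.append(line)  # left for logcheck as-is
    return passthrough, by_ip, by_user, revmap

def render(lines):
    """Emit the condensed report in the layout shown in the post."""
    passthrough, by_ip, by_user, revmap = summarize(lines)
    out = list(passthrough)
    if by_ip:
        out += ["", f"Invalid SSH login attempts: {sum(by_ip.values())}"]
        out += [f"{n:>6} {ip}" for ip, n in by_ip.most_common()]
        out += ["User names tried:",
                ", ".join(f"{u} ({n})" for u, n in sorted(by_user.items()))]
    if revmap:
        out += ["", f"Inverse mapping failures: {sum(revmap.values())}"]
        out += [f"{n:>6} {ip} !=> {host}" for (ip, host), n in revmap.most_common()]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(SAMPLE_LOG.splitlines()))
```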