At 1:01p -0400 on 16 May 2007, Oliver Block wrote:
I had some trouble with someone who is trashing my logins with fake login attempts. Actually that individual is never trying to log in, but does only initiate connections with my system without sending any passwords.

Do you see any security risk by setting the LogLevel to ERROR?

Perhaps I'm paranoid, but I /like/ to see warnings in my logs. They can be indicators of impending doom. (Okay, a little dramatic, but bear with me! :-) )

First, I find it curious that they're not sending passwords. Are you sure they're /fake/ login attempts? A common theme is to brutus a system to try to guess u/p combinations.

Second, if they truly aren't sending passwords, I'd think the login would time them out fairly shortly. Perhaps the bot is just probing?

In any event, the log messages are annoying to you and likely an indicator of malicious activity. A common defense against annoying-log-filling/brute-force-attacks is to only allow a certain number of connections from a given IP address or range over a period of time (e.g., after 3 failed login attempts in a minute, block the IP for an hour). This would be done at your firewall.

My $0.02.

Kevin
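
The threshold rule suggested in the reply above (3 attempts in a minute, block for an hour), worked through as an added example that is not part of the original thread: it computes the block decisions a firewall rule or log watcher would make. The log lines are constructed samples in syslog/sshd style, and `plan_blocks` and its parameters are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd style (not taken from the thread).
SAMPLE_LOG = """\
May 16 13:00:01 host sshd[101]: Did not receive identification string from 192.0.2.10
May 16 13:00:20 host sshd[102]: Did not receive identification string from 192.0.2.10
May 16 13:00:25 host sshd[103]: Failed password for root from 198.51.100.7 port 4022 ssh2
May 16 13:00:45 host sshd[104]: Did not receive identification string from 192.0.2.10
May 16 13:02:00 host sshd[105]: Failed password for root from 198.51.100.7 port 4031 ssh2
May 16 13:30:00 host sshd[106]: Did not receive identification string from 192.0.2.10
May 16 14:00:46 host sshd[107]: Did not receive identification string from 192.0.2.10
"""

# Matches both password failures and connections that never authenticate.
EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Did not receive identification string from|Failed password for .* from) "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)

def plan_blocks(log_text, threshold=3, window=timedelta(minutes=1),
                block_for=timedelta(hours=1), year=2007):
    """Return [(ip, block_start, block_end)] for IPs that hit the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    blocked_until = {}            # ip -> time the current block expires
    blocks = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        # syslog timestamps omit the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in blocked_until and ts < blocked_until[ip]:
            continue              # a firewall would already be dropping this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # discard events older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked_until[ip] = ts + block_for
            blocks.append((ip, ts, ts + block_for))
            q.clear()
    return blocks

if __name__ == "__main__":
    for ip, start, end in plan_blocks(SAMPLE_LOG):
        print(f"block {ip} from {start} until {end}")
```

Counting the password-less connections alongside failed passwords means the rule still fires for the traffic described in the original question, which never reaches the password stage.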