Re: [sec] Re: failed root login attempts
On Sun, 19 Sep 2004, martin f krafft wrote:
> also sprach Noah Meyerhans <noahm@debian.org> [2004.09.19.2219 +0200]:
> > As an additional point against these scripts, they are host based.
> > If I'm going to bother blackholing the source of these login
> > attempts, I'm going to do it at the border. Yes, I can write
> > scripts to react to this kind of scanning and have it
> > automatically manipulate access lists on the routers, I'm not sure
> > I really like the idea. I'm sort of leaning in that direction, at
> > this point, though, just to shut up logcheck without telling it to
> > ignore all failed root login attempts.
>
> If you ask me, logcheck should learn how to evaluate log messages in
> their context...
hmm there are ideas for logcheck after sarge+1, please elaborate.
ATM logcheck is a pretty dumb `egrep -v' wrapper of your logs.
that simplicity of design has its strength,
but there are for example demands for trigger values.
--
maks
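
Added example, not part of the original message and not logcheck's own code: it contrasts the stateless `egrep -v` style of filtering described above with one possible reading of "trigger values", where failed root logins are counted per source and reported only at or above a threshold. The log lines, ignore patterns, function names and `TRIGGER:` output format are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log (documentation addresses, not real hosts).
sample_log() {
cat <<'EOF'
Sep 19 22:01:10 host sshd[811]: Failed password for root from 192.0.2.10 port 4021 ssh2
Sep 19 22:01:12 host sshd[813]: Failed password for root from 192.0.2.10 port 4022 ssh2
Sep 19 22:01:15 host sshd[815]: Failed password for root from 192.0.2.10 port 4023 ssh2
Sep 19 22:03:40 host sshd[822]: Failed password for root from 198.51.100.7 port 3310 ssh2
Sep 19 22:05:00 host CRON[830]: (root) CMD (run-parts /etc/cron.hourly)
Sep 19 22:06:31 host su[841]: FAILED su for root by alice
EOF
}

# Constructed ignore rules (extended regex), one per line.
ignore_rules() {
cat <<'EOF'
CRON\[[0-9]+\]: \(root\) CMD
sshd\[[0-9]+\]: Failed password for root from
EOF
}

# Stateless filtering: drop every line that matches any ignore rule.
# Silencing the sshd noise this way also hides a source that tries repeatedly.
filter_stateless() {
    grep -Ev -e "$(ignore_rules)" || true   # no surviving lines is not an error
}

# Threshold filtering (hypothetical): failed root logins are counted per source
# and summarised only when the count reaches the trigger value in $1.
filter_with_trigger() {
    awk -v t="$1" '
        / sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i < NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
            next
        }
        / CRON\[[0-9]+\]: \(root\) CMD / { next }
        { print }
        END {
            for (s in n)
                if (n[s] >= t)
                    printf "TRIGGER: %d failed root logins from %s\n", n[s], s
        }'
}

echo "--- stateless ---";  sample_log | filter_stateless
echo "--- trigger=3 ---";  sample_log | filter_with_trigger 3
```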