I use logcheck on almost all machines. With the increased SSH brute force attacks of the last 2-3 years, I am now at a point where almost 95% of all logcheck messages are login attempts as root to my machines. On all these machines, sshd root login is restricted to password-less login (RSA/DSA keys), so brute force attacks are never going to succeed.

Thus, I am considering masking out entries of the following sort with logcheck:

  sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
  sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2

but somehow am not comfortable just doing it, which is why I am asking for opinions, advice, and feedback from you guys. Would you be able to think of reasons why I would *not* want to do that? I don't really care about being informed that my servers are being brute-forced, which is what fail2ban takes care of anyway...

Cheers,

--
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-     Debian - when you have better things to do than fixing a system

"... and so he killed Miguel in a rit of fealous jage."
                                                    -- inspector clouseau
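An added example, not part of the original post, of how one would check such an ignore rule before deploying it. logcheck drops every line that matches one of the extended regexes in its ignore.d.* files (it runs `grep -E -v -f` over the new log lines), so the script below emulates that step on a constructed sample log. The two rules are written in logcheck's usual syslog-prefix syntax and are deliberately narrow: they match only failed password attempts for user=root, so failures for other accounts, "invalid user" probes and successful root key logins are still reported. The hostnames, PIDs, addresses and log lines are constructed for the demo; the ignore file name is a placeholder, not a file shipped by logcheck.

```shell
#!/bin/sh
# Emulate logcheck's filtering step (grep -E -v -f <ignore rules>) to verify
# that a candidate ignore rule masks only root password failures.
# Everything below is constructed for the demo; nothing is written outside
# a temporary directory.

set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Candidate ignore rules in logcheck's egrep syntax. Both are anchored on
# the syslog prefix and restricted to root, so "Failed password for admin",
# "invalid user" probes and "Accepted publickey for root" are not masked.
cat > "$WORK/ignore-ssh-root-password" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^ ]+ +user=root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for root from [0-9a-fA-F.:]+ port [0-9]+ ssh2$
EOF

# Constructed sample of what syslog hands to logcheck (documentation
# addresses 192.0.2.0/24 and 198.51.100.0/24).
cat > "$WORK/sample.log" <<'EOF'
Mar  3 04:12:01 host1 sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Mar  3 04:12:03 host1 sshd[5998]: Failed password for root from 192.0.2.10 port 47130 ssh2
Mar  3 04:13:40 host1 sshd[6002]: Failed password for admin from 192.0.2.10 port 47201 ssh2
Mar  3 04:14:15 host1 sshd[6010]: Accepted publickey for root from 198.51.100.7 port 50122 ssh2
Mar  3 04:15:00 host1 sshd[6015]: Failed password for invalid user oracle from 192.0.2.11 port 33100 ssh2
EOF

# filter_log IGNORE_FILE LOG_FILE
# Print the lines logcheck would still report: everything NOT matched by
# a rule. grep -v exits 1 when nothing is left, which is not an error here.
filter_log() {
    grep -E -v -f "$1" "$2" || true
}

# count_reported IGNORE_FILE LOG_FILE
# Number of lines that survive the filter.
count_reported() {
    filter_log "$1" "$2" | wc -l | tr -d ' '
}

# Show what would still reach the logcheck mail: 3 of the 5 sample lines
# (the two root password failures are dropped, everything else stays).
filter_log "$WORK/ignore-ssh-root-password" "$WORK/sample.log"
```

Run it as-is; the printed lines are the ones that would still be mailed. The same check scales to a real day's `/var/log/auth.log` by pointing `filter_log` at it, which is a quick way to confirm a new rule does not swallow more than intended before dropping it into the ignore.d directory logcheck is configured to use.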