
masking out invalid root logins with logcheck?



I use logcheck on almost all machines. With the increased SSH brute
force attacks of the last 2-3 years, I am now at a point where
almost 95% of all logcheck messages are login attempts as root to my
machines. On all these machines, sshd root login is restricted to
password-less login (RSA/DSA keys), so brute force attacks are never
going to succeed.

Thus, I am considering masking out entries of the following sort
with logcheck:

  sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
  sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2

but somehow I am not comfortable just doing it, which is why I am
asking for opinions, advice, and feedback from you guys. Would you
be able to think of reasons why I would *not* want to do that?

I don't really care about being informed that my servers are being
brute-forced, which is what fail2ban takes care of anyway...

Cheers,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"... and so he killed Miguel in a rit of fealous jage."
                                               -- inspector clouseau
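An added example, not part of the post above: two candidate logcheck ignore rules for exactly the root password failures quoted in the question, run against constructed syslog lines to check that they silence only those and still let a successful root login (password or key) and failures for other users reach the report. It assumes logcheck applies its ignore files with `grep -E -v -f`, that the lines carry the usual syslog prefix (timestamp, host, `sshd[pid]`), and that host names, PIDs and addresses are made-up sample values.

```shell
#!/bin/sh
# Added example (not from the original post): candidate logcheck ignore rules
# that drop only root *password* failures, run against constructed syslog lines.
# Assumes logcheck applies ignore files with 'grep -E -v -f', so anything a rule
# matches is silenced. Host, PIDs and addresses below are made-up sample values.

RULES=$(mktemp)
LOGS=$(mktemp)
trap 'rm -f "$RULES" "$LOGS"' EXIT

# Both rules are anchored to the whole syslog line (timestamp, host, sshd[pid])
# and end in "user=root" / "for root ... ssh2", so they cannot swallow other
# users, "invalid user" guesses, or any "Accepted ..." line. The " +" before
# user=root allows the one or two spaces pam_unix puts there.
cat >"$RULES" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[.[:alnum:]:-]+ +user=root$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for root from [.[:alnum:]:]+ port [[:digit:]]+ ssh2$
EOF

# Constructed sample lines: the two noisy ones the post wants to hide, plus
# three that must keep being reported (another user, two successful root logins).
cat >"$LOGS" <<'EOF'
Mar 12 10:01:02 host1 sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Mar 12 10:01:02 host1 sshd[5998]: Failed password for root from 192.0.2.10 port 47130 ssh2
Mar 12 10:01:05 host1 sshd[6001]: Failed password for invalid user admin from 192.0.2.10 port 47131 ssh2
Mar 12 10:02:00 host1 sshd[6010]: Accepted password for root from 192.0.2.10 port 47140 ssh2
Mar 12 10:02:30 host1 sshd[6012]: Accepted publickey for root from 192.0.2.20 port 51000 ssh2
EOF

# Print the lines logcheck would still report after applying the rules.
report_after_ignore() {
    grep -E -v -f "$RULES" "$LOGS"
}

# Number of surviving lines; 3 means exactly the two root password failures
# were silenced and everything else still reaches the report.
surviving_count() {
    report_after_ignore | wc -l | tr -d ' '
}

report_after_ignore
```

Note that an empty line in an ignore file matches every line, so keep the file free of blank lines when you copy the rules into `/etc/logcheck/ignore.d.server/`.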
