
Re: masking out invalid root logins with logcheck?
On Sun, May 07, 2006 at 09:11:53AM +0200, martin f krafft wrote:
> I use logcheck on almost all machines. With the increased SSH brute
> force attacks of the last 2-3 years, I am now at a point where
> almost 95% of all logcheck messages are login attempts as root to my
> machines. On all these machines, sshd root login is restricted to
> password-less login (RSA/DSA keys), so brute force attacks are never
> going to succeed.
> 
> Thus, I am considering masking out entries of the following sort
> with logcheck:
> 
>   sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
>   sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2
> 
> but somehow am not comfortable to just do it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?

I too would be interested to hear reasons why *not*.

IMHO logcheck is not so much a way of monitoring and analysing what's
going on on your systems as a way of filtering out what you already
have better covered by other systems.  

If you are confident that you have all the bases covered without those
lines, then they're just noise, and noise removal is what logcheck is
for.

So ask yourself: is there any variation of a logcheck report in which
seeing lines like that you would actually learn something useful or
be prompted to do something that you wouldn't get better from your
other systems?

But I've said the same thing three times :-)

I suppose, more constructively, it might be useful to hear about 
what people think constitutes a better system than reading such
logs and why.

> I don't really care about being informed that my servers are being
> brute-forced, which is what fail2ban takes care of anyway...

If there were a dramatic change in the pattern of such attacks,
would you know, would you care?

Are there specific IPs and/or networks that you care more or care
less about?

Is there any worthwhile analysis of such traffic beyond "there are
these attacks and we don't care about them"? Do you need it?
Do you already have it?

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall
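A worked illustration of the masking martin describes, added here as an example (not code from the thread or from logcheck itself): two logcheck-style ignore rules for the quoted sshd lines, applied with grep -E -v -f the way logcheck applies its ignore.d rules, over a few constructed syslog lines. The hostname "myhost" and the 192.0.2.x addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread): logcheck-style ignore rules for the two sshd
# lines quoted above, run through grep -E -v -f as logcheck does, over constructed
# sample lines. Hostname "myhost" and the 192.0.2.x addresses are made up.
set -e

# Candidate rules for a file such as /etc/logcheck/ignore.d.server/local-sshd-root.
# They are deliberately narrow: only *failed* password attempts for root are dropped.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat >"$RULES" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[._[:alnum:]-]+ user=root$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for root from [.[:digit:]]+ port [[:digit:]]+ ssh2$
EOF

# Constructed sample lines: the two kinds to be masked, plus two that must still be
# reported (a failure for a non-root user, and a *successful* root password login,
# which should be impossible when root is restricted to key authentication).
SAMPLE='May  7 09:11:53 myhost sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
May  7 09:11:53 myhost sshd[5998]: Failed password for root from 192.0.2.10 port 47130 ssh2
May  7 09:12:01 myhost sshd[6001]: Failed password for admin from 192.0.2.10 port 47131 ssh2
May  7 09:12:30 myhost sshd[6005]: Accepted password for root from 192.0.2.10 port 47140 ssh2'

# Keep only the lines that no ignore rule matches; these are what logcheck reports.
logcheck_filter() {
    grep -E -v -f "$RULES" || true
}

# The report that would result from the sample above.
remaining_lines() {
    printf '%s\n' "$SAMPLE" | logcheck_filter
}

# Number of lines left in the report.
remaining_count() {
    remaining_lines | grep -c ''
}

remaining_lines
```

Failures for other users and any successful root password login still reach the report, which is the narrowness a rule of this kind needs before it is safe to mask the brute-force noise.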