Hello Martin,
* martin f krafft <madduck@debian.org>, [2006-05-07 9:11 +0200]:
> Thus, I am considering masking out entries of the following sort
> with logcheck:
>
> sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
> sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2
>
> but somehow am not comfortable to just do it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?

The only situation I've been able to imagine is a human error leading to
a change to your security policy.

For instance, a co-worker who temporarily allows remote root logins, God
knows why. I'd be sad about my choice of filtering out root login attempts
in that case.

ciao,
ema
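
The failure mode raised in the reply above, as an added example that is not part of the original thread: failed root logins are suppressed only while the sshd configuration explicitly denies root login, so a policy change makes them visible again. The regexes, function names, sample configuration strings and the last two log lines are constructed for illustration; real logcheck rules are egrep patterns that also match the timestamp and host prefix.

```python
import re

# Patterns for the two entries quoted in the thread (assumed, simplified form).
FAILED_ROOT = [
    re.compile(r"sshd\[\d+\]: \(pam_unix\) authentication failure; .* rhost=\S+ +user=root$"),
    re.compile(r"sshd\[\d+\]: Failed password for root from \S+ port \d+ ssh2$"),
]

# First two lines are from the thread; the last two are constructed samples.
SAMPLE_LOG = [
    "sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=160.29.165.133 user=root",
    "sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2",
    "sshd[6001]: Failed password for alice from 192.0.2.7 port 40112 ssh2",
    "sshd[6002]: Accepted password for root from 192.0.2.10 port 40113 ssh2",
]

def root_login_denied(sshd_config: str) -> bool:
    """True only if PermitRootLogin is set and every occurrence is 'no'.

    Conservative on purpose: a missing or commented-out directive, or any
    other value (including one inside a Match block), counts as not denied.
    """
    values = []
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            values.append(parts[1].strip().lower())
    return bool(values) and all(v == "no" for v in values)

def filter_log(lines, sshd_config):
    """Drop failed-root entries only while root login is denied."""
    suppress = root_login_denied(sshd_config)
    return [l for l in lines
            if not (suppress and any(p.search(l) for p in FAILED_ROOT))]

if __name__ == "__main__":
    for cfg in ("PermitRootLogin no\n", "PermitRootLogin yes\n"):
        print(cfg.strip(), "->", len(filter_log(SAMPLE_LOG, cfg)), "lines reported")
```

A successful root login is never matched by these patterns, so it is reported under either configuration.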