Hello Martin,

* martin f krafft <madduck@debian.org>, [2006-05-07 9:11 +0200]:
> Thus, I am considering to mask out entries of the following sort
> with logcheck:
>
> sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
> sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2
>
> but somehow am not comfortable to just do it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?

The only situation I've been able to imagine is a human error leading to
a change to your security policy. For instance, a co-worker who
temporarily allows remote root logins, god knows why.

I'd be sad about my choice of filtering out root login attempts in that
case.

ciao,
    ema
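The concern in this reply, sketched as an added example that is not part of the original thread and is not logcheck's own code: failed root logins are masked only while the sshd configuration explicitly sets `PermitRootLogin no`, and a successful root login is never masked. The function names, the two regular expressions and the sample data are assumptions made for the illustration.

```python
import re

# Constructed sample log; the first two lines follow the format quoted in the thread.
SAMPLE_LOG = [
    "sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=160.29.165.133 user=root",
    "sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2",
    "sshd[6001]: Accepted password for root from 192.0.2.10 port 40022 ssh2",
]

# Hypothetical suppression patterns in the spirit of logcheck ignore rules.
IGNORE = [
    re.compile(r"sshd\[\d+\]: \(pam_unix\) authentication failure; .* user=root$"),
    re.compile(r"sshd\[\d+\]: Failed password for root from \S+ port \d+ ssh2$"),
]


def root_login_permitted(config_text):
    """True unless the configuration explicitly forbids root logins everywhere."""
    global_value = None
    in_match = False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        key = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif key == "permitrootlogin":
            if in_match and value != "no":
                return True  # a Match block re-enables root login
            if not in_match and global_value is None:
                global_value = value  # sshd uses the first value it reads
    # A missing keyword is treated as permitted: defaults vary between versions.
    return global_value != "no"


def report_lines(log_lines, config_text):
    """Return the lines that should still reach the administrator."""
    suppress = not root_login_permitted(config_text)
    return [
        line for line in log_lines
        if not (suppress and any(p.search(line) for p in IGNORE))
    ]


if __name__ == "__main__":
    for cfg in ("PermitRootLogin no\n", "PermitRootLogin yes\n"):
        print(cfg.strip(), "->", len(report_lines(SAMPLE_LOG, cfg)), "line(s) reported")
```

With the policy intact only the `Accepted password for root` line is reported; once the setting drifts, the failed attempts show up again as well.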