From owner-freebsd-current@FreeBSD.ORG Thu Mar 16 22:54:03 2006
From: Garance A Drosehn (envelope-from gad@FreeBSD.org)
To: Dmitry Pryanishnikov, freebsd-current@FreeBSD.org
Date: Thu, 16 Mar 2006 17:53:46 -0500
Subject: Re: src/etc/periodic/security/800.loginfail
In-Reply-To: <20060316145826.M96629@atlantis.atlantis.dp.ua>
References: <20060316145826.M96629@atlantis.atlantis.dp.ua>
List-Id: Discussions about the use of FreeBSD-current

At 3:03 PM +0200 3/16/06, Dmitry Pryanishnikov wrote:
>Hello!
>
>I've noticed the recent addition in this file in order to
>detect "(fail|invalid|bad|illegal)" in auth.log files. I
>wonder whether it would be useful to also detect SSH.COM's
>server "Refusing connection" messages here. They have the
>following format:
>
>Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from
>"192.168.1.145". Too many open connections (max 2, now open 2).
On my own machines, I have some scripts which do quite a bit of clever
detailed processing of the authlog file. But that's the problem: once you
start down the road of matching "everything which might be useful", you
open up a lot of questions as to which messages *are* interesting, and how
they should be displayed in the security-email message. After all,
*everything* in the authlog file is expected to be interesting in one way
or another. Do we want to copy the entire file into the security email?
I doubt it...

I do think that the processing in the loginfail script needs to be
improved a bit more, but I'm not sure how far that should go. I am going
to try my hand at some simple awk script, and see what I can come up
with. I do fear I'll just be opening a huge can of worms though.

--
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
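As an added illustration of the kind of awk summary discussed in the thread (this is example code written here, not the 800.loginfail script or anything posted by the authors), the function below counts, per source address, the auth.log lines that the "(fail|invalid|bad|illegal)" word list would flag together with SSH.COM sshd2's "Refusing connection" lines. The log lines, hostnames and addresses are constructed sample data, and the optional day prefix is an assumed convenience for restricting the summary to one day.

```shell
#!/bin/sh
# Added example, not the periodic script itself: summarise auth.log lines
# that the "(fail|invalid|bad|illegal)" check from the thread would flag,
# plus SSH.COM sshd2 "Refusing connection" lines, counted per source address.
# Usage: loginfail_summary [ "Mon DD" ] < auth.log
loginfail_summary() {
    awk -v day="$1" '
    # optional day prefix ("Mar 16") restricts the summary to one day
    day != "" && index($0, day) != 1 { next }

    # SSH.COM format: ... sshd2[pid]: Refusing connection from "ADDR". ...
    index($0, "Refusing connection from \"") {
        src = substr($0, index($0, "from \"") + 6)
        src = substr(src, 1, index(src, "\"") - 1)
        count["refused " src]++
        next
    }

    # OpenSSH / login(1) failures; the word list is matched case-insensitively.
    # Source is the IPv4 address after "from " when present, "-" otherwise
    # (IPv6 addresses are not parsed here).
    tolower($0) ~ /fail|invalid|bad|illegal/ {
        src = "-"
        if (match($0, /from [0-9.]+/))
            src = substr($0, RSTART + 5, RLENGTH - 5)
        count["failed " src]++
    }

    END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample log; the host, users and addresses are made up.
SAMPLE_AUTHLOG='Mar 16 14:50:01 test3 sshd[1234]: Failed password for invalid user admin from 192.168.1.145 port 40001 ssh2
Mar 16 14:50:02 test3 sshd[1235]: Failed password for root from 192.168.1.145 port 40002 ssh2
Mar 16 14:52:10 test3 sshd[1240]: Accepted publickey for gad from 10.0.0.5 port 51000 ssh2
Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).
Mar 16 14:57:01 test3 sshd2[74523]: Refusing connection from "10.0.0.9". Too many open connections (max 2, now open 2).
Mar 16 14:58:00 test3 login: 2 LOGIN FAILURES ON ttyv0
Mar 15 23:59:59 test3 sshd[1100]: Failed password for root from 10.0.0.7 port 4000 ssh2'

# Summary for Mar 16 only; the Mar 15 line is skipped by the day filter.
printf '%s\n' "$SAMPLE_AUTHLOG" | loginfail_summary "Mar 16"
```

A real run would replace the sample with `loginfail_summary "$(date -v-1d '+%b %e')" < /var/log/auth.log` or whatever date expression the local periodic script uses.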