Date: Thu, 16 Mar 2006 17:53:46 -0500
From: Garance A Drosehn <gad@FreeBSD.org>
To: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>, freebsd-current@FreeBSD.org
Subject: Re: src/etc/periodic/security/800.loginfail
Message-ID: <p06230912c03f933e0d8e@[128.113.24.47]>
In-Reply-To: <20060316145826.M96629@atlantis.atlantis.dp.ua>
References: <20060316145826.M96629@atlantis.atlantis.dp.ua>
At 3:03 PM +0200 3/16/06, Dmitry Pryanishnikov wrote:
>Hello!
>
>I've noticed the recent addition in this file in order to
>detect "(fail|invalid|bad|illegal)" in auth.log files. I
>wonder would it be useful to also detect SSH.COM's
>server "Refusing connection" messages here. They have the
>following format:
>
>Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from
>"192.168.1.145". Too many open connections (max 2, now open 2).

On my own machines, I have some scripts which do quite a bit of clever detailed processing of the authlog file. But that's the problem: once you start down the road of matching "everything which might be useful", you open up a lot of questions as to which messages *are* interesting, and how they should be displayed in the security-email message. After all, *everything* in the authlog file is expected to be interesting in one way or another. Do we want to copy the entire file into the security email? I doubt it...

I do think that the processing in the loginfail script needs to be improved a bit more, but I'm not sure how far that should go. I am going to try my hand at some simple awk script, and see what I can come up with. I do fear I'll just be opening a huge can of worms though.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
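As an added illustration of the kind of awk processing discussed above (example code written for this archive page, not FreeBSD's 800.loginfail and not Garance's scripts): it matches the existing "(fail|invalid|bad|illegal)" pattern and the SSH.COM "Refusing connection" message from the thread, and reports one count per event class and source instead of copying raw log lines into the security mail. The function names and the sample log lines are constructed for the example.

```sh
# Added example, not FreeBSD's own 800.loginfail: summarise auth.log
# failures plus SSH.COM "Refusing connection" lines, one output line per
# (event class, source) with a count. Reads log lines on stdin.
loginfail_summary() {
    awk '
    # Pull the host/address after the word "from", stripping the quotes and
    # trailing period that sshd2 puts around it.
    function source_of(    i, src) {
        src = "unknown"
        for (i = 1; i < NF; i++)
            if ($i == "from") { src = $(i + 1); break }
        gsub(/"/, "", src)
        sub(/\.$/, "", src)
        return src
    }
    # Same (case-insensitive) pattern the periodic script already matches.
    tolower($0) ~ /fail|invalid|bad|illegal/ {
        count["loginfail " source_of()]++
        next
    }
    # The SSH.COM sshd2 connection-limit message quoted in the thread.
    /Refusing connection from/ {
        count["refused " source_of()]++
    }
    END {
        for (k in count) printf "%6d %s\n", count[k], k
    }' | sort -k1,1nr -k2,2
}

# Constructed sample input (not real log data) covering both message kinds
# plus a line that should be ignored.
sample_authlog() {
    cat <<'EOF'
Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).
Mar 16 14:57:01 test3 sshd[74530]: Failed password for invalid user admin from 10.0.0.5 port 2222 ssh2
Mar 16 14:57:03 test3 sshd[74531]: Failed password for root from 10.0.0.5 port 2223 ssh2
Mar 16 14:58:10 test3 sshd2[74540]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).
Mar 16 14:59:00 test3 login: ROOT LOGIN (root) ON ttyv0
EOF
}

sample_authlog | loginfail_summary
```

In a periodic script the input would be the previous day's auth.log lines rather than the constructed sample.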