Log messages - "Failed password", "Invalid User", "User .. from .. not allowed"
From: Avinash Chopde (avinashc_at_yahoo.com)
Date: 07/26/05
Date: Tue, 26 Jul 2005 11:36:39 -0700 (PDT) To: secureshell@securityfocus.com
For at least certain users (that includes me!), locking
out IP addresses on SSH failures is acceptable, and it
works fine to block out script-kiddies.
Most people have used the script I have with no
problems.
http://www.aczoom.com/cms/blockhosts
The script assumes that the sshd install (at least on
Fedora) always prints out a "Failed <method> for ..."
on a failed password, for example. It may print out an
additional line in the log, such as "Illegal user..".
Looking for IP addresses in the "Failed..." line is
what I use to count and then block that IP address.
But some people have reported that some OpenSSH
installs do not print that "Failed ... " line.
Instead, those installs print out an "Invalid user" or
a "User ... from ... not allowed" line.
For example, see this comment thread:
http://www.aczoom.com/cms/blockhosts#comment-22
I am trying to figure out if this is because of the
configuration, or if this changed between OpenSSH
releases.
I certainly understand that parsing logs is not an
exact science, and log lines are bound to change, etc,
and the issues of denial-of-service, etc.
Any info on this appreciated!
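
The following is an added example, not part of the original post and not the blockhosts script's own code: a counter that accepts all of the line variants named above ("Failed <method> for ...", "Invalid user"/"Illegal user", "User ... from ... not allowed") and avoids counting one attempt twice when sshd logs two lines for it. The syslog prefix layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed syslog prefix: "Jul 26 11:30:01 host sshd[1234]: <message>"
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")
# The user name is chosen by the remote side and may itself contain
# " from 1.2.3.4", so each pattern uses a greedy ".*" for the name and ties
# the address to the fixed tail of the message: the last " from <addr>" wins.
PATTERNS = [
    ("failed", re.compile(r"^Failed \S+ for .* from (\S+) port \d+(?: ssh\d?)?$")),
    ("other", re.compile(r"^(?:Invalid|Illegal) user .* from (\S+)$")),
    ("other", re.compile(r"^User .* from (\S+) not allowed because .*$")),
]

SAMPLE = [  # constructed log lines using documentation-only addresses
    "Jul 26 11:30:01 host sshd[101]: Invalid user admin from 192.0.2.10",
    "Jul 26 11:30:03 host sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2",
    "Jul 26 11:30:09 host sshd[102]: Failed password for root from 192.0.2.10 port 4250 ssh2",
    "Jul 26 11:31:00 host sshd[103]: Illegal user test from ::ffff:198.51.100.7",
    "Jul 26 11:31:30 host sshd[104]: User root from 198.51.100.7 not allowed because not listed in AllowUsers",
    "Jul 26 11:32:00 host sshd[105]: Invalid user x from 203.0.113.99 from 192.0.2.10",
]

def parse_addr(text):
    # Accept only real IP addresses; "::ffff:192.0.2.10" becomes "192.0.2.10".
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def count_failures(lines):
    # One attempt can log both "Invalid user ..." and "Failed password for
    # invalid user ...", so per sshd pid and address we take the larger of
    # the two line counts instead of their sum.
    seen = defaultdict(lambda: {"failed": 0, "other": 0})
    for line in lines:
        m = PREFIX.match(line.rstrip("\n"))
        for kind, pat in (PATTERNS if m else ()):
            hit = pat.match(m.group(2))
            addr = parse_addr(hit.group(1)) if hit else None
            if addr:
                seen[(m.group(1), addr)][kind] += 1
                break
    totals = Counter()
    for (_pid, addr), c in seen.items():
        totals[addr] += max(c["failed"], c["other"])
    return dict(totals)
```

The last sample line shows why the address is taken from the end of the message: a user name containing " from 203.0.113.99" must not cause that address to be counted or blocked.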