src/etc/periodic/security/800.loginfail
Garance A Drosehn
gad at FreeBSD.org
Thu Mar 16 22:54:04 UTC 2006
At 3:03 PM +0200 3/16/06, Dmitry Pryanishnikov wrote:
>Hello!
>
>I've noticed the recent addition in this file in order to
>detect "(fail|invalid|bad|illegal)" in auth.log files. I
>wonder would it be useful to also detect SSH.COM's
>server "Refusing connection" messages here. They have the
>following format:
>
>Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from
>"192.168.1.145". Too many open connections (max 2, now open 2).

On my own machines, I have some scripts which do quite a
bit of clever detailed processing of the authlog file.
But that's the problem, once you start down the road of
matching "everything which might be useful", you open up
a lot of questions as to which messages *are* interesting,
and how they should be displayed in the security-email
message. After all, *everything* in the authlog file is
expected to be interesting in one way or another. Do we
want to copy the entire file into the security email? I
doubt it...

I do think that the processing in the loginfail script
needs to be improved a bit more, but I'm not sure how
far that should go. I am going to try my hand at some
simple awk script, and see what I can come up with. I
do fear I'll just be opening a huge can of worms though.

--
Garance Alistair Drosehn = gad at gilead.netel.rpi.edu
Senior Systems Programmer or gad at FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
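As an added illustration (this is not the FreeBSD 800.loginfail script and not the awk Garance mentions, which the thread never shows), a small sh/awk filter that applies the "(fail|invalid|bad|illegal)" pattern from the thread plus the sshd2 "Refusing connection" message to a few constructed auth.log lines and groups the hits by source address, which is the kind of summary a security e-mail can carry without copying the whole file. The sample lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not FreeBSD's periodic script. Summarises login-failure
# lines from an auth.log, including SSH.COM sshd2 "Refusing connection"
# messages, grouped by source address and kind of event.

# Constructed sample auth.log lines (not from a real host).
SAMPLE_LOG='Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).
Mar 16 14:57:01 test3 sshd[812]: Failed password for invalid user admin from 192.168.1.145 port 40122 ssh2
Mar 16 14:57:09 test3 sshd[815]: Failed password for root from 10.0.0.7 port 40130 ssh2
Mar 16 14:58:30 test3 sshd[820]: Accepted publickey for gad from 10.0.0.9 port 40200 ssh2
Mar 16 14:59:02 test3 sshd2[74530]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).'

# summarize_loginfail [FILE ...]
# Reads auth.log lines (files or stdin) and prints "COUNT ADDRESS KIND",
# highest count first. KIND is "refused" for sshd2 connection refusals
# and "authfail" for the pattern the periodic script already matches.
summarize_loginfail() {
    grep -Ei '(fail|invalid|bad|illegal|refusing connection)' "$@" |
    awk '
    {
        kind = ($0 ~ /Refusing connection/) ? "refused" : "authfail"
        addr = "unknown"
        # sshd2 quotes the address; OpenSSH writes "from ADDR port".
        if (match($0, /from "[^"]+"/)) {
            addr = substr($0, RSTART + 6, RLENGTH - 7)
        } else if (match($0, /from [0-9A-Fa-f.:]+/)) {
            addr = substr($0, RSTART + 5, RLENGTH - 5)
        }
        count[addr " " kind]++
    }
    END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# Runs the filter over the constructed sample instead of /var/log/auth.log.
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_loginfail
}

run_sample
```

Pointing summarize_loginfail at /var/log/auth.log (or yesterday's rotated copy) gives the per-address summary directly; the "Accepted publickey" line in the sample is deliberately ignored.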