At 3:03 PM +0200 3/16/06, Dmitry Pryanishnikov wrote:
>Hello!
>
>I've noticed the recent addition in this file in order to
>detect "(fail|invalid|bad|illegal)" in auth.log files. I
>wonder would it be useful to also detect SSH.COM's
>server "Refusing connection" messages here. They have the
>following format:
>
>Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from
>"192.168.1.145". Too many open connections (max 2, now open 2).

On my own machines, I have some scripts which do quite a bit of clever detailed processing of the authlog file. But that's the problem, once you start down the road of matching "everything which might be useful", you open up a lot of questions as to which messages *are* interesting, and how they should be displayed in the security-email message.

After all, *everything* in the authlog file is expected to be interesting in one way or another. Do we want to copy the entire file into the security email? I doubt it...

I do think that the processing in the loginfail script needs to be improved a bit more, but I'm not sure how far that should go. I am going to try my hand at some simple awk script, and see what I can come up with. I do fear I'll just be opening a huge can of worms though.

-- 
Garance Alistair Drosehn = gad_at_gilead.netel.rpi.edu
Senior Systems Programmer or gad_at_FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA

Received on Thu Mar 16 2006 - 21:54:03 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:53 UTC
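
One way to approach the trade-off raised in this thread, as an added example that is not code from either poster or from the FreeBSD scripts: instead of copying every matching auth.log line into the report, count matches per category and source address. The function names `summarize_authlog` and `sample_authlog` are hypothetical, and the sample lines are constructed except for the sshd2 refusal format quoted in the message.

```shell
#!/bin/sh
# Added example: condense interesting auth.log lines into per-source counts.
# summarize_authlog (hypothetical name) reads log lines on stdin.
summarize_authlog() {
    awk '
    {
        line = tolower($0)
        kind = ""
        # SSH.COM sshd2 refusal, in the format quoted in the thread.
        if (line ~ /refusing connection/)
            kind = "refused"
        # Keyword pattern quoted in the thread, matched case-insensitively.
        else if (match(line, /fail|invalid|bad|illegal/))
            kind = substr(line, RSTART, RLENGTH)
        if (kind == "") next

        # Assumption: the first dotted quad on the line is the source (IPv4 only).
        src = "unknown"
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            src = substr($0, RSTART, RLENGTH)
        count[kind " " src]++
    }
    END {
        # One summary line per (category, source): "<count> <kind> <source>".
        for (k in count) print count[k], k
    }' | LC_ALL=C sort -k2
}

# Constructed sample input; only the first line is the format from the message.
sample_authlog() {
    cat <<'EOF'
Mar 16 14:56:55 test3 sshd2[74522]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).
Mar 16 14:56:58 test3 sshd2[74522]: Refusing connection from "192.168.1.145". Too many open connections (max 2, now open 2).
Mar 16 14:57:01 test3 sshd[74530]: Failed password for root from 192.168.1.145 port 4021 ssh2
Mar 16 14:57:03 test3 sshd[74531]: Invalid user admin from 10.0.0.7
Mar 16 14:57:09 test3 sshd[74532]: Accepted publickey for gad from 10.0.0.9 port 5022 ssh2
EOF
}

sample_authlog | summarize_authlog
```

Substring keywords such as "bad" will also match inside unrelated words, so the category list still needs tuning against real logs before the counts are trusted.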