Package: logcheck-database-1.3.13
Version: squeeze
Severity: normal

/etc/logcheck/ignore.d.server/ssh is too aggressive in filtering out messages. I accidentally left an SSH port coming in from the Internet open, but I hadn't worried about it too much since I figured logcheck would spam me to death and remind me to close it. It didn't!

I finally found out about the problem because logcheck told me "User * not allowed because shell /sbin/nologin does not exist" where * was various users who had no business SSH'ing in from the 'Net. When I looked into that I found over 9,000 "Failed" messages that logcheck didn't tell me about!

I consider that to be a security bug! You can suggest I should use "paranoid" or not make mistakes with my firewall, but I will still argue that the following should not be ignored in /etc/logcheck/ignore.d.server/ssh (ESPECIALLY the middle one!!!):

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ (\[[:.[:xdigit:]]+\] )?failed - POSSIBLE BREAK-?IN ATTEMPT!$

At the very least they should be commented out, so that it's trivial to enable them if needed. But the default stance here should be to alert, IMO.
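To see the effect of those three rules concretely, here is an added example (not part of the bug report or the logcheck package) that replays constructed sshd log lines through the rules the way logcheck itself filters them, with `grep -E -v -f`. Hostnames, PIDs and addresses in the sample lines are made up.

```shell
#!/bin/sh
# Added example: feed constructed sshd syslog lines through the three
# ignore.d.server/ssh rules quoted above and count what survives.

# The three rules exactly as quoted in the report, written to a rule file.
write_rules() {
    cat > "$1" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ (\[[:.[:xdigit:]]+\] )?failed - POSSIBLE BREAK-?IN ATTEMPT!$
EOF
}

# Constructed sample log: two failed logins, one reverse-DNS warning,
# the nologin message the reporter did receive, and one normal login.
sample_log() {
    cat <<'EOF'
Mar  3 04:12:07 bastion sshd[2291]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 04:12:09 bastion sshd[2291]: Failed password for root from 192.0.2.10 port 51236 ssh2
Mar  3 04:12:11 bastion sshd[2295]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:12:12 bastion sshd[2299]: User oracle not allowed because shell /sbin/nologin does not exist
Mar  3 04:12:15 bastion sshd[2301]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2
EOF
}

# Lines that survive the ignore rules, i.e. would appear in the logcheck
# mail. This mirrors logcheck's 'grep -E -v -f RULEFILE' filtering.
surviving_count() {
    rules=$(mktemp)
    write_rules "$rules"
    n=$(sample_log | grep -E -v -f "$rules" | wc -l)
    rm -f "$rules"
    echo "$n" | tr -d ' '
}

# Lines the rules silently drop before the report is generated.
suppressed_count() {
    rules=$(mktemp)
    write_rules "$rules"
    n=$(sample_log | grep -E -f "$rules" | wc -l)
    rm -f "$rules"
    echo "$n" | tr -d ' '
}

echo "Lines reported by logcheck: $(surviving_count)"   # 2 (nologin, Accepted)
echo "Lines silently ignored:     $(suppressed_count)"  # 3 (both Failed, reverse mapping)
```

Only the nologin and Accepted lines reach the report; both failed logins and the reverse-mapping warning are dropped, which is exactly the gap the reporter describes.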
