Hi, Thanks, this information is very useful. I'll add them as patterndb rules into the current set. btw: it would probably also make sense to mark the status of individual rulesets, as the current version is really experimental. On Tue, 2010-07-13 at 15:29 +0200, Siem Korteweg wrote:
Hi,
Not sure whether the following should be caught.
This message is displayed when an unknown user attempts to log in:
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict access (for users in LDAP), the following messages are displayed for users that are not allowed to log in:
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
and
Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
When the AllowGroups and/or AllowUsers keywords are used, the following messages are displayed:
Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
and
Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
-- Bazsi
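Editor's note (not part of the thread, not syslog-ng's patterndb XML): the two message shapes quoted above can be turned into a small detection routine. The point worth capturing in any ruleset is visible in the quoted pairs: when sshd rejects an existing account via DenyUsers/DenyGroups/AllowUsers/AllowGroups, the "not allowed because ..." line is followed, from the same sshd[pid], by a "Failed password for invalid user ..." line even though the account exists. A rule that only counts "invalid user" failures would therefore misfile policy denials as guesses at non-existent accounts. The Python below (added example; the sample log is constructed from the lines in the thread, and the regexes and event names are this example's own, not patterndb's) parses both shapes and uses the pid to attribute the follow-up failure to the policy rule that caused it.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
"""

# Classic BSD syslog header as written by rsyslog/syslog-ng on CentOS 5.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "invalid user " is optional: the same message is logged for a wrong password on a real account.
FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)
NOT_ALLOWED_RE = re.compile(
    r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because (?P<reason>.+)$"
)
# Map the free-text reason to the sshd_config keyword that produced it (hypothetical rule names).
REASON_TO_RULE = {
    "listed in DenyUsers": "DenyUsers",
    "a group is listed in DenyGroups": "DenyGroups",
    "not listed in AllowUsers": "AllowUsers",
    "none of user's groups are listed in AllowGroups": "AllowGroups",
}


def parse_line(line):
    """Return a dict describing one sshd line, or None if it is not an sshd line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    msg = m.group("msg")
    f = FAILED_RE.match(msg)
    if f:
        rec.update(event="ssh_auth_failed", user=f.group("user"), src=f.group("src"),
                   port=int(f.group("port")), invalid_user=bool(f.group("invalid")))
        return rec
    n = NOT_ALLOWED_RE.match(msg)
    if n:
        rec.update(event="ssh_policy_denied", user=n.group("user"), src=n.group("src"),
                   rule=REASON_TO_RULE.get(n.group("reason"), "unknown"))
        return rec
    rec.update(event="ssh_other", msg=msg)
    return rec


def classify(lines):
    """Parse and correlate: an 'invalid user' failure that follows a policy denial
    from the same sshd pid is tagged with that rule instead of being treated as a
    probe for a non-existent account."""
    denied_by_pid = {}
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "ssh_policy_denied":
            denied_by_pid[rec["pid"]] = rec["rule"]
        elif rec["event"] == "ssh_auth_failed" and rec["invalid_user"]:
            rec["denied_by"] = denied_by_pid.pop(rec["pid"], None)
        events.append(rec)
    return events


def summarize(events):
    """Count authentication failures by cause: policy rule, unknown account, or bad password."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] != "ssh_auth_failed":
            continue
        key = e.get("denied_by") or ("unknown_user" if e["invalid_user"] else "bad_password")
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for k, v in sorted(summarize(classify(SAMPLE_LOG.splitlines())).items()):
        print(f"{k}: {v}")
```

Run against the constructed sample this reports one genuine unknown-user failure (xxxx) and one failure each attributed to DenyUsers, DenyGroups, AllowUsers and AllowGroups. Correlating on the pid rather than on the username matters because the denial line names the source by hostname (centos53) while the failure line names it by address (127.0.0.1), so the two lines would not join on the source field.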