[syslog-ng] patterndb: collect login/logout samples

Siem Korteweg Siem.Korteweg at qnh.nl
Tue Jul 13 15:29:45 CEST 2010


Hi,

Not sure whether the following should be caught.

This message is displayed when an unknown user attempts to log in:

   Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2

When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict
access (for users in LDAP), the following messages are displayed for users
that are not allowed to login:

   Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
   Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2

and

   Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
   Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2

When the AllowGroups and/or AllowUsers keywords are used, the following
messages are displayed:

   Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
   Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2

and

   Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
   Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2

regards,
Siem Korteweg
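As an added illustration (not part of either message in this thread, and not the access/sshd.pdb that Bazsi committed), the samples above could be written up as a patterndb ruleset. The rule ids are placeholders, the usracct.* value and tag names are an assumed naming scheme, and the parser macros (@ESTRING@, @IPv4@, @NUMBER@, @ANYSTRING@) are the standard patterndb parsers. The "not allowed because ..." lines get one rule, with the reason text captured as a value, so all four AllowUsers/AllowGroups/DenyUsers/DenyGroups variants match without four separate patterns; the `<examples>` blocks embed the sample lines so `pdbtool test` can verify the patterns against them.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!-- Added example ruleset. Rule ids are placeholders and the usracct.* names
     are an assumed naming convention; neither is taken from access/sshd.pdb. -->
<patterndb version='3' pub_date='2010-07-13'>
  <ruleset name='sshd-access-policy' id='00000000-0000-4000-8000-000000000001'>
    <!-- all samples carry "sshd" as the syslog program name -->
    <pattern>sshd</pattern>
    <rules>

      <!-- Policy denial: the account may well exist, but AllowUsers, AllowGroups,
           DenyUsers or DenyGroups forbids the login. The text after
           "not allowed because" is kept as usracct.reason. -->
      <rule provider='example' id='00000000-0000-4000-8000-000000000002' class='violation'>
        <patterns>
          <pattern>User @ESTRING:usracct.username: @from @ESTRING:usracct.device: @not allowed because @ANYSTRING:usracct.reason@</pattern>
        </patterns>
        <tags>
          <tag>usracct</tag>
          <tag>usracct.policy_denied</tag>
        </tags>
        <values>
          <value name='usracct.type'>login</value>
          <value name='usracct.service'>ssh</value>
          <value name='usracct.result'>denied</value>
        </values>
        <examples>
          <example>
            <test_message program='sshd'>User siem from centos53 not allowed because listed in DenyUsers</test_message>
            <test_values>
              <test_value name='usracct.username'>siem</test_value>
              <test_value name='usracct.device'>centos53</test_value>
              <test_value name='usracct.reason'>listed in DenyUsers</test_value>
            </test_values>
          </example>
          <example>
            <test_message program='sshd'>User siem from centos53 not allowed because none of user's groups are listed in AllowGroups</test_message>
            <test_values>
              <test_value name='usracct.reason'>none of user's groups are listed in AllowGroups</test_value>
            </test_values>
          </example>
        </examples>
      </rule>

      <!-- Failed login for a user sshd reports as invalid. sshd also emits this
           line a few seconds after a policy denial, under the same PID, so on
           its own it does not distinguish an unknown account from a denied one. -->
      <rule provider='example' id='00000000-0000-4000-8000-000000000003' class='violation'>
        <patterns>
          <pattern>Failed password for invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>usracct</tag>
          <tag>usracct.login_failed</tag>
        </tags>
        <values>
          <value name='usracct.type'>login</value>
          <value name='usracct.service'>ssh</value>
          <value name='usracct.authmethod'>password</value>
          <value name='usracct.result'>failed</value>
        </values>
        <examples>
          <example>
            <test_message program='sshd'>Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2</test_message>
            <test_values>
              <test_value name='usracct.username'>xxxx</test_value>
              <test_value name='usracct.device'>127.0.0.1</test_value>
              <test_value name='usracct.port'>40102</test_value>
            </test_values>
          </example>
        </examples>
      </rule>

    </rules>
  </ruleset>
</patterndb>
```

The point of keeping the two rules distinct is the one Siem's samples show: a denied user produces a "not allowed because ..." line and then a "Failed password for invalid user" line from the same sshd process. Counting only the second message would file a legitimate account blocked by policy alongside password guessing against nonexistent accounts, so anything that alerts on "invalid user" failures should look at the preceding line with the same PID before treating the event as a guessing attempt.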

-----Original message-----
From: syslog-ng-bounces at lists.balabit.hu on behalf of Balazs Scheidler
Sent: Tue 13-7-2010 13:25
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples
 
Hi,

After getting the generic patterndb policy into shape, I'd like to start
collecting log samples, preferably in a domain that is useful for
everyone.

My first target is login/logout/login failure events. I'd start
with a generic Linux installation and try to cover all applications that
perform authentication.

As a starter, I've committed access/sshd.pdb, containing three rules for
OpenSSH login/logout/login failure events.

I'd head towards standard services, ftp, pop3 and imap authentication,
using their "default" implementation in Ubuntu/Debian. (if there's no
default, I'll just pick one at random).

If any of you can collect these 3 samples for any of the applications
that you run daily on your system and submit them here, it'd be of
tremendous use and would be appreciated.

The preferred submission format is patterndb format (see the ssh sample
I've just pushed), but if you are afraid of that, even simple samples
would be useful; I'll do the markup myself.

-- 
Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

