[syslog-ng] patterndb: collect login/logout samples
Balazs Scheidler
bazsi at balabit.hu
Tue Jul 13 17:01:37 CEST 2010
Hi,
Thanks, this information is very useful. I'll add them as patterndb
rules into the current set.
btw: it would probably also make sense to mark the status of individual
rulesets, as the current version is really experimental.
On Tue, 2010-07-13 at 15:29 +0200, Siem Korteweg wrote:
> Hi,
>
> Not sure whether the following should be caught.
>
> This message is displayed when an unknown user attempts to log in:
>
> Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
>
> When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict
> access (for users in LDAP), the following messages are displayed for users
> that are not allowed to login:
>
> Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
> Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
>
> and
>
> Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
> Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
>
> When the AllowGroups and/or AllowUsers keywords are used, the following
> messages are displayed:
>
> Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
> Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
>
> and
>
> Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
> Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
--
Bazsi
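The sshd messages quoted in this thread come in pairs: the policy line ("User ... not allowed because ...") and, a few seconds later, the generic "Failed password for invalid user ..." line from the same sshd child process. The example below is an added illustration, not code from the thread or from syslog-ng's patterndb: it parses the quoted samples (embedded here as constructed input) and pairs the two lines by sshd pid so that each failed login carries the reason sshd gave (DenyUsers, DenyGroups, AllowUsers, AllowGroups) or, when no policy line preceded it, the assumed label "unknown user". The regexes, the pid-based pairing and the reason labels are this example's own assumptions, not patterndb syntax.

```python
import re
from collections import Counter

# Constructed sample input: the sshd lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
"""

# Syslog header as produced by a BSD-style syslog: timestamp, host, program[pid]: message.
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two sshd message shapes shown in the thread.
FAILED = re.compile(
    r"^Failed password for invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)
NOT_ALLOWED = re.compile(r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because (?P<why>.+)$")

# Map sshd's free-text reason to the sshd_config keyword that caused the rejection.
REASONS = {
    "listed in DenyUsers": "DenyUsers",
    "a group is listed in DenyGroups": "DenyGroups",
    "not listed in AllowUsers": "AllowUsers",
    "none of user's groups are listed in AllowGroups": "AllowGroups",
}


def parse_line(line):
    """Split one syslog line into header fields and classify the sshd message.

    Returns None for lines that are not from sshd; unknown sshd messages get kind 'other'.
    """
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    f = FAILED.match(rec["msg"])
    if f:
        rec.update(kind="failed", user=f["user"], ip=f["ip"], port=int(f["port"]))
        return rec
    n = NOT_ALLOWED.match(rec["msg"])
    if n:
        rec.update(kind="not_allowed", user=n["user"], src=n["src"],
                   reason=REASONS.get(n["why"], "unrecognised policy: " + n["why"]))
        return rec
    rec["kind"] = "other"
    return rec


def correlate(lines):
    """Pair each 'not allowed' message with the 'Failed password' line of the same sshd pid.

    sshd forks one child per connection, so the pid ties the two messages together.
    A failed login with no preceding policy line is labelled 'unknown user' (an assumption:
    the account simply does not exist). Pids are reused eventually, so a long-running
    deployment would also expire entries from `pending`; that is omitted here.
    """
    pending = {}   # pid -> policy reason from a preceding 'not allowed' message
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        if rec["kind"] == "not_allowed":
            pending[rec["pid"]] = rec["reason"]
            continue
        events.append({
            "ts": rec["ts"], "pid": rec["pid"], "user": rec["user"],
            "ip": rec["ip"], "port": rec["port"],
            "reason": pending.get(rec["pid"], "unknown user"),
        })
    return events


def summarize(events):
    """Count failed logins per rejection reason, the view a detection rule would alert on."""
    return Counter(e["reason"] for e in events)


if __name__ == "__main__":
    evs = correlate(SAMPLE_LOG.splitlines())
    for e in evs:
        print(f"{e['ts']} pid={e['pid']} user={e['user']} from={e['ip']}:{e['port']} reason={e['reason']}")
    print(dict(summarize(evs)))
```

In patterndb terms the two regexes would become two patterns in an sshd ruleset, and the pid pairing is what a correlation step would have to do; in the plain "Failed password for invalid user" line alone there is no way to tell a nonexistent account from a policy-denied one.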