On Mon, Oct 03, 2005 at 10:24:09PM -0400, Yaroslav Halchenko wrote:
> Besides that, regular users or sysadmins are not even supposed to "tune"
> failregex to have basic functionality to be performed. The upstream
> author and I are going to incorporate or at least include in the package
> more of the configurations for different servers (imap, smtp, etc).

Perhaps, but maybe I'm maintaining my own ssh, or I add an additional
service not managed by Debian. Admittedly I'd really like to have it
"just work" and not think about it too much.

> > Is this a reasonable approach?
>
> > 1) Regex which identifies a false login. This can be as simple as
> >    before. If someone logs in as "illegal user" to create a false
> >    positive, so be it.
>
> > 2) Second pattern which simply identifies the IP address component
> >    of the line.
>
> Well - that is how it was done before, and led to the security breach.

What was done before was the line was scanned for anything which
resembles an IP address. What I am suggesting is a regex which specifies
where in the line the IP address should be. I am assuming that these
errors place the IP address in an obvious and known location, and that
separating this scan from the identification of the lines with the error
will simplify such a regex. This assumption might be wrong.

-josh
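
The two-stage matching proposed in the message above, next to the older "anything that resembles an IP address" scan, as an added example that is not part of the original message or of fail2ban's code. The sshd line layout, the sample lines and all names below are assumptions made for illustration.

```python
import re

# Constructed sshd-style log lines (assumed layout, not taken from the thread).
SAMPLE_LOG = [
    "Oct  3 22:10:01 host sshd[411]: Failed password for illegal user bob "
    "from 203.0.113.7 port 4021 ssh2",
    # The user-name field is chosen by the remote client; here it looks like an address.
    "Oct  3 22:10:05 host sshd[412]: Failed password for illegal user 192.0.2.10 "
    "from 203.0.113.7 port 4022 ssh2",
    "Oct  3 22:10:09 host sshd[413]: Accepted password for alice "
    "from 198.51.100.4 port 4023 ssh2",
]

# Stage 1: does the line report a failed login at all?
FAILURE = re.compile(r"sshd\[\d+\]: Failed password for ")

# Older behaviour described in the message: first thing that resembles an IP.
ANY_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Stage 2 as proposed: the address only counts in its known position,
# the " from <ip> port <n> ssh2" tail that the daemon itself writes.
ANCHORED_IP = re.compile(r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")


def loose_scan(lines):
    """Address per failure line, taking the first IP-like token anywhere."""
    found = []
    for line in lines:
        if FAILURE.search(line):
            match = ANY_IP.search(line)
            if match:
                found.append(match.group(0))
    return found


def positional_scan(lines):
    """Address per failure line, taken only from the anchored position."""
    found = []
    for line in lines:
        if FAILURE.search(line):
            match = ANCHORED_IP.search(line)
            if match:  # a failure line without the expected tail is skipped
                found.append(match.group(1))
    return found


if __name__ == "__main__":
    print("loose:     ", loose_scan(SAMPLE_LOG))
    print("positional:", positional_scan(SAMPLE_LOG))
```

On the second line the loose scan returns the client-supplied text as the address, while the positional scan still returns the connecting host.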