From e4f125330b261f4c76770c735482df5ce794a9c6 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Fri, 5 Aug 2005 09:34:26 +0000
Subject: Ignore illegal ssh users (script-kiddie attacks).
---
 logcheck/ignore.d.server/ssh | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'logcheck')
diff --git a/logcheck/ignore.d.server/ssh b/logcheck/ignore.d.server/ssh
index d64d593..56e072a 100644
--- a/logcheck/ignore.d.server/ssh
+++ b/logcheck/ignore.d.server/ssh
@@ -9,3 +9,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from .*
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from [\.0-9]+: 11: Disconnect requested by Windows SSH Client.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: subsystem request for sftp$
+
+# Cracking attempts are too common, so clutters more than it helps to warn about them
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (Failed password from illegal|Illegal) user [[:alnum:]]+ from [\.0-9]+ port [0-9]+( ssh2)?$
-- 
cgit v1.2.3
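Review bot: The added pattern on the last `+` line probably never matches what sshd writes, so the noise it is meant to silence would still be reported. As far as I know, OpenSSH of this period logs `Failed password for illegal user NAME from ADDR port N ssh2` (with `for`, not `from`) and a separate `Illegal user NAME from ADDR` line that carries no port, whereas the rule requires `from illegal` in the first alternative and ` port [0-9]+` in both; please check it against a real auth.log sample. If that is confirmed, the tail could read `(Failed password for illegal|Illegal) user [[:alnum:]]+ from [\.0-9]+( port [0-9]+)?( ssh2)?$`. Keeping `[[:alnum:]]+` and the IPv4-only address class is a reasonable fail-open choice, since unusual user names and other address forms will still be reported. Because ignore.d.server drops these lines from reports entirely, the comment should also say where sustained password guessing is detected instead, e.g. `# Not reported here; brute-force detection relies on <mechanism in use>`.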