From: Mij <mi...@ss...> - 2010-04-29 15:55:02
On Apr 29, 2010, at 14:59, Robert S wrote:

> Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not
> allowed because none of user's groups are listed in AllowGroups
> Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
> Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
> Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has
> been forged for service 100.

This can legitimately occur if sshguard gets the log message after the process spawning it exited. In practice, this should happen very rarely with log sucking, say <5% of the time with this pattern on idle servers (sshguard adjusts the monitoring frequency to the log traffic), and nearly never with direct feeding. Should you observe different numbers, feel free to write in.
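The check discussed in this message, sketched as an added example (not part of the original post and not sshguard's own code): it takes the pid from the quoted sshd log line and looks it up in a `ps axo pid,ppid` snapshot. The two snapshots are constructed, and the separate "gone" result is an assumption made here to show why a process that has already exited cannot be told apart from a forged pid by parentage alone.

```python
import re

# Log line as quoted in the message; the ps snapshots below are constructed.
LOG = "Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not allowed"
PS_WHILE_ALIVE = """  PID  PPID
    1     0
 4547     1
 8307  4547
 8310  8301
"""
PS_AFTER_EXIT = """  PID  PPID
    1     0
 4547     1
 8310  8301
"""

def log_pid(line):
    """Extract the pid from a syslog 'program[pid]:' tag, or None."""
    m = re.search(r"\s\S+\[(\d+)\]:", line)
    return int(m.group(1)) if m else None

def parse_ps(output):
    """Map pid -> ppid from `ps axo pid,ppid` output, skipping the header."""
    table = {}
    for row in output.splitlines():
        fields = row.split()
        if len(fields) == 2 and all(f.isdigit() for f in fields):
            table[int(fields[0])] = int(fields[1])
    return table

def check_log_pid(table, pid, service_pid):
    """Classify a logged pid against the service's process tree."""
    if pid not in table:
        return "gone"  # exited before the snapshot: parentage cannot be checked
    seen = set()
    while pid in table and pid not in seen:  # walk up, guarding against loops
        if pid == service_pid:
            return "verified"
        seen.add(pid)
        pid = table[pid]
    return "verified" if pid == service_pid else "not-child"

if __name__ == "__main__":
    pid = log_pid(LOG)
    for name, snap in (("alive", PS_WHILE_ALIVE), ("after exit", PS_AFTER_EXIT)):
        print(name, pid, check_log_pid(parse_ps(snap), pid, 4547))
```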