Matthew Miller wrote:
> On Wed, Oct 17, 2012 at 03:07:19PM -0400, Andrew Schultz wrote:
>> and if you log all attempts to login, then they'll end up in the
>> logs. I'd suggest that not logging unknown users by default is a
>> much better solution than having a special log; no admin wants to
>> see passwords (even if they're root) and unknown usernames (either
>> typos or passwords) are rarely helpful.
> I don't think that's true. "You're typing the wrong username" happened to me
> on multiple occasions when I was doing that kind of support.
I don't have a problem with logging the fact that a user attempted to
log in with an unknown username, and that would be sufficient for the
your diagnosis (if you can correlate times). If you can't correlate
times, then you get to scrape the logs looking for similar but invalid
usernames. A simple "what user name are you trying to log in as?" would
go much faster.
> Additionally, it may be useful to log this information for intrusion
> detection and correlation.
Again, you don't need to know that the attacker guessed a username of
"bob". You simply need to recognize that N attempts were made to log in
with unknown usernames during some time period.
> And, in general, authpriv exists as a mechanism for logging any sort of
> potentially private data. It would be a security regression to ignore that.
Not seeing useless (typos) and confidential (passwords) information is
not a security regression. And I'm having trouble thinking of other
information that is super-private (should only be seen by root) and useful.
--
Andrew Schultz
ajs42@xxxxxxxxxxx
http://www.sens.buffalo.edu/~ajs42/
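The point made in the reply above, that a defender only needs to see that N failed logins with unknown usernames occurred in some time window and never the names themselves, as an added Python example that is not part of this thread. The sshd-style log lines, the `<redacted>` token, the threshold and the window length are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style lines (not real logs). The "invalid user" field is
# the part the thread argues should not be kept: it may be a typo or a
# password typed into the username prompt.
SAMPLE_LOG = """\
2012-10-17T15:07:19 sshd[4242]: Failed password for invalid user hunter2 from 192.0.2.10 port 51000 ssh2
2012-10-17T15:07:21 sshd[4243]: Failed password for invalid user bobb from 192.0.2.10 port 51001 ssh2
2012-10-17T15:07:25 sshd[4244]: Failed password for invalid user bob1 from 192.0.2.10 port 51002 ssh2
2012-10-17T15:08:02 sshd[4245]: Failed password for invalid user admin from 192.0.2.10 port 51003 ssh2
2012-10-17T15:09:00 sshd[4246]: Failed password for ajs42 from 198.51.100.7 port 40000 ssh2
2012-10-17T16:30:00 sshd[4247]: Failed password for invalid user test from 192.0.2.10 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def redact(line: str) -> str:
    """Drop an unknown username from a failure line; known users are kept."""
    m = LINE_RE.match(line)
    if m and m.group("invalid"):
        return line.replace(f"invalid user {m.group('user')}", "invalid user <redacted>", 1)
    return line

def unknown_user_bursts(log: str, threshold: int, window_seconds: int) -> dict:
    """Map each source address to its largest number of unknown-username
    failures inside any span of window_seconds, keeping only sources at or
    above threshold. Usernames are parsed but never stored."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("invalid"):
            times[m.group("src")].append(datetime.fromisoformat(m.group("ts")))
    alerts = {}
    for src, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window past entries that are too old
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts
```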