What are reasonable blockers for making journald the default logger in F19?

Miloslav Trmač mitr at volny.cz
Thu Oct 18 11:32:49 UTC 2012


On Wed, Oct 17, 2012 at 10:01 PM, Andrew Schultz <ajschult at verizon.net> wrote:
>> Additionally, it may be useful to log this information for intrusion
>> detection and correlation.
>
> Again, you don't need to know that the attacker guessed a username of "bob".
> You simply need to recognize that N attempts were made to log in with
> unknown usernames during some time period.

A few years ago, I was a sysadmin of a computer that was compromised
by guessing a password of a user account.  It was extremely useful to
have the log of which specific user names were attempted, because
these were not random user names from a dictionary, but names of
employees of the institution in question - and could even indicate the
department which owned the other compromised computer.
    Mirek
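
An added example, not part of the original message: a sketch of the correlation described above, comparing a count-only view of failed logins with one that keeps the attempted usernames and checks them against a staff directory. The log lines, the `STAFF` directory, the `min_hits` threshold and the function names are all constructed for illustration; the regex assumes OpenSSH-style "Invalid user NAME from ADDRESS" messages.

```python
import re
from collections import defaultdict

# OpenSSH-style message for a login attempt against a nonexistent account.
INVALID_USER = re.compile(r"Invalid user (?P<user>\S+) from (?P<src>\S+)")

# Constructed staff directory (hypothetical): login name -> department.
STAFF = {"jnovak": "physics", "pdvorak": "physics", "msvoboda": "chemistry"}

# Constructed log lines, not taken from any real system.
SAMPLE_LOG = """\
Oct 17 03:10:01 host sshd[411]: Invalid user admin from 192.0.2.10
Oct 17 03:10:03 host sshd[412]: Invalid user test from 192.0.2.10
Oct 17 03:10:05 host sshd[413]: Invalid user oracle from 192.0.2.10
Oct 17 04:22:11 host sshd[520]: Invalid user jnovak from 198.51.100.7
Oct 17 04:22:15 host sshd[521]: Invalid user pdvorak from 198.51.100.7
Oct 17 04:22:19 host sshd[522]: Invalid user guest from 198.51.100.7
"""

def attempts_by_source(log_text):
    """Map each source address to the usernames it tried, in log order."""
    tried = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            tried[m.group("src")].append(m.group("user"))
    return dict(tried)

def classify_sources(log_text, staff=STAFF, min_hits=2):
    """Per source: attempt count, which tried names are real staff, and
    whether enough of them match to suggest targeted guessing."""
    report = {}
    for src, users in attempts_by_source(log_text).items():
        hits = sorted({u for u in users if u in staff})
        report[src] = {
            "attempts": len(users),          # all a count-only log gives you
            "staff_names": hits,             # needs the usernames to be logged
            "departments": sorted({staff[u] for u in hits}),
            "targeted": len(hits) >= min_hits,
        }
    return report

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

Both sources make the same number of attempts, so a count-only record cannot tell them apart; only the retained usernames separate generic dictionary guessing from guessing that draws on real staff names.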

