lfd alerts sent for allowed IPs
Posted: 19 Feb 2007, 22:19
I've allowed an IP of a client who often generates pop3 login failures due to there being many users at a single location.
If they do something that would result in them getting blocked, such as repeat pop3 login failures, lfd still picks this behaviour up and sends me an email as would be received when an IP gets blocked.
It doesn't really matter since the IP doesn't get blocked, however I think this still counts as a problem for two reasons:
1) It's a bug as the alert email specifically states that the IP was blocked when it wasn't
2) It's inefficient. Since an email alert is generated, I assume lfd is still taking into consideration log file lines that contain an allowed IP. Should lfd not ignore log file lines if an allowed IP is present? Or would doing so end up needing further resources (by having to check each log file line against a list of allowed IPs)?
It's not really much of a concern at all but thought I'd bring it up in case it hasn't be spotted before.
If they do something that would result in them getting blocked, such as repeat pop3 login failures, lfd still picks this behaviour up and sends me an email as would be received when an IP gets blocked.
It doesn't really matter since the IP doesn't get blocked, however I think this still counts as a problem for two reasons:
1) It's a bug as the alert email specifically states that the IP was blocked when it wasn't
2) It's inefficient. Since an email alert is generated, I assume lfd is still taking into consideration log file lines that contain an allowed IP. Should lfd not ignore log file lines if an allowed IP is present? Or would doing so end up needing further resources (by having to check each log file line against a list of allowed IPs)?
It's not really much of a concern at all but thought I'd bring it up in case it hasn't be spotted before.