/usr/share/doc/logcheck/README.how.to.interpret is in logcheck 1.3.14.

This file is owned by root:root, with mode 0o644.

Interpreting Logcheck Results
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Only experience will tell you what is a problem and what is a mistake.
Generally, though, you can assume that accidents don't repeat themselves
and do not manifest themselves in unusual ways through normal use of
system resources. If you have a hacker probing your system you can take
one of a couple of stances:

1) Gandhi
2) Attila the Hun

The Gandhi administrator just lets bygones be bygones and allows
the person causing a problem to simply go away. This is a pretty
good idea to follow, and it avoids provoking the hacker into doing
something nasty like a denial of service attack.

The Attila the Hun administrator takes all actions seriously and
defensively; they may try to find the hacker, or may set up
automated tools to find out who the person is while the attack is in
progress, all while paging the administrator to notify them of
trouble. I think this is excessive. For one, any system
connected to the Internet should at least have good enough
security to fend off an attack for a few hours. Personally, I'd
rather be doing something else at 3 AM than answering a page
from my firewall about an attack that is going to fail anyway.

Typically you want to fall somewhere in between the two types. You
should be passive towards the more mundane probers and ankle-biters.
Simply put, they aren't worth the time and energy to find. The more
aggressive attackers should probably be dealt with through either
denied hosts lists or router filters. In the more aggressive
cases I will also notify the system administrator of the site and
the hostmaster for the domain of the problem, and include an excerpt
of the log file showing the infraction.
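As an added example (not part of this README or of logcheck itself), the following Python script applies the stance above to constructed sshd lines of the kind logcheck mails out: it groups failed logins by source host, treats a single failure as an accident that won't repeat, flags a low-volume prober as something to merely watch, and marks a repeat offender for the deny list together with a short log excerpt for the note to the remote site. The thresholds, host names and addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog style, as logcheck would mail them
# (documentation address ranges; not taken from any real host).
SAMPLE_LOG = """\
Mar  3 02:14:07 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 02:14:09 gw sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 40125 ssh2
Mar  3 02:14:12 gw sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Mar  3 02:14:15 gw sshd[2107]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 02:14:18 gw sshd[2109]: Failed password for root from 198.51.100.7 port 40133 ssh2
Mar  3 02:14:21 gw sshd[2111]: Failed password for root from 198.51.100.7 port 40135 ssh2
Mar  3 08:31:44 gw sshd[2290]: Failed password for alice from 192.0.2.25 port 51002 ssh2
Mar  3 08:31:50 gw sshd[2290]: Accepted password for alice from 192.0.2.25 port 51002 ssh2
Mar  3 11:02:03 gw sshd[2402]: Failed password for invalid user guest from 203.0.113.9 port 33012 ssh2
Mar  3 11:05:10 gw sshd[2410]: Failed password for invalid user guest from 203.0.113.9 port 33020 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def triage(log_text, watch_at=2, deny_at=5):
    """Group failed logins by source host and assign one of the README's stances.

    The thresholds are assumptions for illustration, not values from the README.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            hits[m.group(2)].append(line)
    report = {}
    for host, lines in hits.items():
        users = {FAILED.search(l).group(1) for l in lines}
        n = len(lines)
        if n >= deny_at:
            verdict = "deny"    # repeated and aggressive: deny list / router filter, notify the site
        elif n >= watch_at or len(users) > 1:
            verdict = "watch"   # mundane prober or ankle-biter: note it, do nothing yet
        else:
            verdict = "ignore"  # a lone failure looks like an accident, and accidents don't repeat
        report[host] = {"count": n, "users": sorted(users), "verdict": verdict,
                        "excerpt": lines[:3]}  # cut of the log to include in a note to the site
    return report


if __name__ == "__main__":
    for host, r in triage(SAMPLE_LOG).items():
        print(f"{host:15} {r['count']:3} failures  users={','.join(r['users'])}  -> {r['verdict']}")
        if r["verdict"] == "deny":
            print("  excerpt:", *r["excerpt"], sep="\n    ")
```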

Most importantly, DON'T OVER-REACT!! It is not necessary to flame
the sysadmin of a site that a hacker is coming from. A nice,
polite note will usually be OK and will solve the problem! I prefer
to let the site admins know which account is being used for the
activity, because chances are good that the account was itself hacked
from them.

-- Craig

crowland@psionic.com