Question about: /etc/periodic/security/800.loginfail
Hi,
I noticed that the daily security emails don't show failed logins
properly, because the logged string does not match.
This is how the lines are grepped for failed logins:
n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
    tee /dev/stderr | wc -l)
This is what the lines look like that I don't see:
Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Is there a reason why these messages don't belong in the security
mails (except that it would blow up the output)? I think that these log
lines are much more useful than those "POSSIBLE BREAK-IN ATTEMPT!"
lines or pam_ldap errors, like this one below, which don't tell the
origin of the attack:
Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)
So the question is whether this egrep pipe is sufficient and whether it tells you
precisely enough what's going on. Any opinions on this?
--
Martin
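To make the gap concrete, here is an added example (editor's code, not part of the original mail and not taken from the FreeBSD periodic script) that runs the same shape of test as 800.loginfail over a handful of constructed log lines, first with the script's own pattern and then with a widened pattern that also matches sshd's "PAM: authentication error" lines. The sample lines, the fixed value of `yesterday`, and the widened alternation are all assumptions made for the demonstration; the hostnames and addresses are placeholders.

```shell
#!/bin/sh
# Added example: compare the 800.loginfail pattern against a widened one.
# Not the FreeBSD script itself; it only reproduces the egrep test it applies.

# Constructed sample log lines (placeholder hosts/addresses). Four are dated
# "Oct 23"; the last is "Oct 22" to show the date anchor doing its job.
SAMPLE_LOG='Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Oct 23 08:22:01 hostname.domain.com sshd[21550]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Oct 23 08:23:44 hostname.domain.com sshd[21551]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 23 08:24:10 hostname.domain.com sshd[21552]: Accepted publickey for martin from 192.0.2.11 port 4023 ssh2
Oct 22 23:59:59 hostname.domain.com sshd[21540]: error: PAM: authentication error for root from xxx.yyy.com'

# Assumption: the periodic script derives this from date(1); fixed here.
yesterday="Oct 23"

# count_with ALTERNATION: number of sample lines matching
# "^$yesterday.*: .*(ALTERNATION)", case-insensitively, exactly as the
# script's egrep -i does (grep -E is the portable spelling of egrep).
count_with() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Eic "^$yesterday.*: .*($1)"
}

# show_with ALTERNATION: print the matching lines, like the tee /dev/stderr
# in the script, so a reader can see which lines each pattern selects.
show_with() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ei "^$yesterday.*: .*($1)"
}

# The alternation as it appears in 800.loginfail.
ORIG_PAT='fail|invalid|bad|illegal'

# Widened alternation (assumption, a suggestion rather than the script's
# behaviour): also catch sshd's PAM backend reporting a failed authentication.
WIDE_PAT='fail|invalid|bad|illegal|authentication error'

count_original() { count_with "$ORIG_PAT"; }
count_widened()  { count_with "$WIDE_PAT"; }

echo "== original pattern ($(count_original) lines) =="
show_with "$ORIG_PAT"
echo "== widened pattern ($(count_widened) lines) =="
show_with "$WIDE_PAT"
```

With the sample above, the original pattern selects only the "Failed password" line and the "POSSIBLE BREAK-IN ATTEMPT" line (the latter because of the word "failed"), while the PAM line, the one that actually names the source host, is dropped; the widened pattern picks it up as well. The "Oct 22" line is excluded by the date anchor in both runs, which is the intended behaviour of the daily report.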