Date: Wed, 8 Sep 2004 18:55:55 -0700 (PDT)
From: Doug White <dwhite@gumbysoft.com>
To: Ryan Sommers <ryans@gamersimpact.com>
Cc: current@freebsd.org
Subject: Re: Periodic security
Message-ID: <20040908185203.K81868@carver.gumbysoft.com>
In-Reply-To: <50241.208.4.77.15.1093981761.squirrel@www2.neuroflux.com>
References: <50241.208.4.77.15.1093981761.squirrel@www2.neuroflux.com>

On Tue, 31 Aug 2004, Ryan Sommers wrote:
> Slight modification to the loginfail script for periodics. This will catch
> sshd, proftpd and su errors, as well as other programs, better.
The drawback to this is that it will log multiple messages from ssh since
it prints a couple of 'illegal' lines before the 'failed password for
illegal user ...' line. It'd be nice to filter those down somewhat.
>
> --- 800.loginfail Mon Aug 30 21:50:50 2004
> +++ 800.loginfail Mon Aug 30 21:51:53 2004
> @@ -59,7 +59,7 @@
> [Yy][Ee][Ss])
> echo ""
> echo "${host} login failures:"
> - n=$(catmsgs | grep -ia "^$yesterday.*fail" |
> + n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
> tee /dev/stderr | wc -l)
> [ $n -gt 0 ] && rc=1 || rc=0;;
> *) rc=0;;
>
>
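Review bot: The new alternation in `egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"` is unanchored and case-insensitive, so any line from yesterday that contains one of those substrings anywhere is counted, whether or not it comes from a login path. "bad" and "invalid" in particular are short and common enough to match unrelated daemon or kernel messages. Every such match adds to `n`, and `[ $n -gt 0 ] && rc=1` then flags the report on noise alone. Consider constraining the match to whole words or to the specific phrases the targeted programs (sshd, proftpd, su) emit. Since one failed ssh attempt produces several matching lines, as noted in the reply above, collapsing them before `wc -l` would also keep the count closer to the number of attempts. A comment in the script listing which programs each keyword is meant to catch would help whoever tunes the pattern next.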
--
Doug White | FreeBSD: The Power to Serve
dwhite@gumbysoft.com | www.FreeBSD.org
