From owner-freebsd-current@FreeBSD.ORG Thu Sep 9 01:55:55 2004
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6025516A4D0 for ; Thu, 9 Sep 2004 01:55:55 +0000 (GMT)
Received: from carver.gumbysoft.com (carver.gumbysoft.com [66.220.23.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4433543D39 for ; Thu, 9 Sep 2004 01:55:55 +0000 (GMT) (envelope-from dwhite@gumbysoft.com)
Received: by carver.gumbysoft.com (Postfix, from userid 1000) id 36CEC72DD5; Wed, 8 Sep 2004 18:55:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by carver.gumbysoft.com (Postfix) with ESMTP id 34A3C72DD4; Wed, 8 Sep 2004 18:55:55 -0700 (PDT)
Date: Wed, 8 Sep 2004 18:55:55 -0700 (PDT)
From: Doug White
To: Ryan Sommers
In-Reply-To: <50241.208.4.77.15.1093981761.squirrel@www2.neuroflux.com>
Message-ID: <20040908185203.K81868@carver.gumbysoft.com>
References: <50241.208.4.77.15.1093981761.squirrel@www2.neuroflux.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: current@freebsd.org
Subject: Re: Periodic security
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Thu, 09 Sep 2004 01:55:55 -0000

On Tue, 31 Aug 2004, Ryan Sommers wrote:

> Slight modification to the loginfail script for periodics. This will catch
> sshd, proftpd and su errors, as well as other programs, better.

The drawback to this is that it will log multiple messages from ssh since it
prints a couple of 'illegal' lines before the "failed password for illegal
user ..." line. It'd be nice to filter those down somewhat.

>
> --- 800.loginfail Mon Aug 30 21:50:50 2004
> +++ 800.loginfail Mon Aug 30 21:51:53 2004
> @@ -59,7 +59,7 @@
> [Yy][Ee][Ss])
> echo ""
> echo "${host} login failures:"
> - n=$(catmsgs | grep -ia "^$yesterday.*fail" |
> + n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
> tee /dev/stderr | wc -l)
> [ $n -gt 0 ] && rc=1 || rc=0;;
> *) rc=0;;
>

--
Doug White            |  FreeBSD: The Power to Serve
dwhite@gumbysoft.com  |  www.FreeBSD.org
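Review bot: the `+` line's pattern `(fail|invalid|bad|illegal)` is matched with `-i` as bare substrings anywhere after `^$yesterday`, so `bad` and `fail` will also match log lines from daemons that have nothing to do with logins (any message containing "bad" or "failed"), and because `n` is a plain `wc -l` of those lines, `rc=1` will fire on that noise; consider tying the alternatives to the programs the change is meant to cover, e.g. `"^$yesterday.*(sshd|proftpd|su)\[.*(fail|invalid|bad|illegal)"`, which also limits the count to the lines an admin actually wants in the daily report. The same `wc -l` means the several sshd lines per attempt mentioned above each count separately, so either piping through `sort -u` before `wc -l` or restricting the sshd case to the single "Failed password" line would keep `n` closer to one per attempt. For portability, `grep -iaE` is equivalent to `egrep -ia` and avoids depending on the `egrep` wrapper.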