From: Garance A Drosehn (gad@FreeBSD.org)
To: freebsd-current@FreeBSD.org
Date: Sun, 19 Mar 2006 08:59:59 -0500
Subject: Re: PROPOSAL for periodic/security/800.loginfail
In-Reply-To: <99353.1142604012@critter.freebsd.dk>

At 8:28 AM -0500 3/19/06, Garance A Drosehn wrote:
>
> So... five cans of Jolt Blue later, I have a new version
> of the script available at:
> http://people.freebsd.org/~gad/filters/loginfail-V2.nawk

Disclaimer: This script is in fine shape for anyone who wants to test
it by running a bunch of their own authlog records through it. I would
not suggest using it for the daily security-check though! The comments
in the script might be out-of-sync with the code.
I'm making it available just because I'm taking a break for a while,
and I thought this was good enough to show it off. But I still have
more code-rearranging that I plan to do, so don't spend time writing
any updates to this specific snapshot. Let me know if it should be
doing something else, of course, just don't spend time writing an
update to do that.

I haven't written changes to 800.loginfail yet. For the initial
testing, I was guessing I'd add the script to a new directory:

    /etc/periodic/helpers

and then change the script to do something along the lines of:

    case "$daily_status_security_loginfail_enable" in
        [Yy][Ee][Ss])
            echo ""
            echo "${host} login failures:"
            n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" | \
                tee /dev/stderr | wc -l)
            [ $n -gt 0 ] && rc=1 || rc=0;;
        [Tt][Ee][Ss][Tt])
            echo ""
            echo "${host} login failures:"
            n=$(catmsgs | egrep -ia "^$yesterday.*" | \
                "${daily_status_security_loginfail_script}" ${daily_status_security_loginfail_flags} | \
                tee /dev/stderr | wc -l)
            [ $n -gt 0 ] && rc=1 || rc=0;;
        *)  rc=0;;
    esac

And then have the following two variables added to
/etc/defaults/periodic.conf :

    daily_status_security_loginfail_script="/etc/periodic/helpers/loginfail.nawk"
    daily_status_security_loginfail_flags="sum_sshd_baduserids=5"

...but I have zero experience with any of the periodic scripts, so
that is just me guessing at the right things to do. If there's a
committer who would want to handle the changes to those files, I would
be very happy to let anyone else handle that part. Just let me know
where to put the script once I'm ready to let people test it.

-- 
Garance Alistair Drosehn     =     gad@gilead.netel.rpi.edu
Senior Systems Programmer               or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
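Added example (not part of the message above, and not the author's loginfail-V2.nawk or FreeBSD's own 800.loginfail): a small POSIX sh script that runs the same filter the proposed [Yy][Ee][Ss] branch uses over a handful of authlog records, reproduces the branch's rc semantics, and supplies a stand-in for the helper the [Tt][Ee][Ss][Tt] branch pipes through. Assumptions: the authlog lines are constructed, not captured; "$yesterday" is passed in as a "%b %e" argument instead of coming from security.functions; grep -E -i replaces egrep -ia; the awk summarizer, its threshold variable and the function names are hypothetical, written here only to show how an awk var=value operand like the proposed sum_sshd_baduserids=5 reaches the helper.

```sh
#!/bin/sh
# Added example (not the author's script or the stock 800.loginfail):
# the filter-and-count logic of the proposed [Yy][Ee][Ss] branch, and a
# hypothetical stand-in for the helper the [Tt][Ee][Ss][Tt] branch pipes
# through, both run over constructed authlog lines.

# Constructed sample authlog records (not captured data). In the real
# script these come from catmsgs; "$yesterday" is "%b %e", e.g. "Mar 18".
SAMPLE_LOG='Mar 18 09:12:01 host1 sshd[1021]: Invalid user admin from 10.0.0.5
Mar 18 09:12:04 host1 sshd[1021]: Failed password for invalid user admin from 10.0.0.5 port 4021 ssh2
Mar 18 09:12:07 host1 sshd[1023]: Invalid user test from 10.0.0.5
Mar 18 10:00:00 host1 sshd[1102]: Accepted publickey for gad from 10.0.0.7 port 5000 ssh2
Mar 18 11:30:15 host1 login: 2 LOGIN FAILURES ON ttyv0
Mar 19 00:01:00 host1 sshd[1200]: Failed password for root from 10.0.0.9 port 3333 ssh2'

# loginfail_filter YESTERDAY: stdin -> stdout. Same regex as the stock
# script, anchored on yesterday's date so today's records are not counted.
# grep -E -i replaces egrep -ia (no binary-file flag needed on text input).
loginfail_filter() {
    grep -E -i "^$1.*(fail|invalid|bad|illegal)"
}

# loginfail_count YESTERDAY: number of matching records on stdin.
# tr strips the leading padding BSD wc adds.
loginfail_count() {
    loginfail_filter "$1" | wc -l | tr -d ' '
}

# loginfail_report HOST YESTERDAY: emits the report block the way the
# periodic branch does and mirrors its rc: return 1 if anything matched
# (so the daily run flags the host), 0 otherwise. The "|| true" keeps a
# no-match grep (exit 1) from killing callers that run under set -e.
loginfail_report() {
    host=$1
    yesterday=$2
    echo ""
    echo "${host} login failures:"
    matches=$(loginfail_filter "$yesterday" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# loginfail_sshd_baduser_summary THRESHOLD: hypothetical stand-in for the
# helper script (NOT loginfail.nawk). Counts sshd "Invalid user" records
# per source address and prints "COUNT ADDRESS" for sources at or above
# THRESHOLD, highest first. The threshold is handed over the way the
# proposed ..._flags value "sum_sshd_baduserids=5" would be: as an awk
# var=value operand after the program, applied before stdin is read.
loginfail_sshd_baduser_summary() {
    awk '/sshd\[[0-9]+\]: Invalid user .* from / { bad[$NF]++ }
         END { for (ip in bad) if (bad[ip] >= threshold)
                   printf "%d %s\n", bad[ip], ip }' \
        "threshold=${1:-5}" | sort -rn
}

# Stand-alone demonstration: the report for "Mar 18" and its rc.
printf '%s\n' "$SAMPLE_LOG" | loginfail_report host1 "Mar 18" || echo "(rc=1)"
```

Run as-is it prints the four Mar 18 failures and exits the report with rc=1; point the printf at real catmsgs output to use it on a live authlog. One consequence of the proposed [Tt][Ee][Ss][Tt] branch that is worth keeping in mind: n is counted after the helper, so a summarizer that collapses many records into one line also changes n, and with it the rc the daily run reports.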