Date:      Sun, 23 Oct 2011 08:44:45 +0200
From:      Martin Sugioarto <martin@sugioarto.com>
To:        freebsd-current@freebsd.org
Subject:   Question about: /etc/periodic/security/800.loginfail
Message-ID:  <20111023084445.0f47b092@zelda.sugioarto.com>



Hi,

I noticed that the daily security emails don't show failed logins
properly, because the logged string does not match.

This is how the lines are grepped for failed logins:

n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
            tee /dev/stderr | wc -l)

This is what the lines I don't see look like:

Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM:
authentication error for root from xxx.yyy.com

Is there a reason why these messages don't belong in the security
mails (except that it would blow up the output)? I think these log
lines are much more useful than those "POSSIBLE BREAK-IN ATTEMPT!"
lines or pam_ldap errors, like the one below, which don't tell you the
origin of the attack:

Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error
trying to bind as user "uid=root,ou=People,dc=domain" (Invalid
credentials)

So the question is whether this egrep pipe is sufficient and whether it
tells you precisely enough what's going on. Any opinions on this?

--
Martin

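The grep from 800.loginfail run over a handful of log lines, as an added example that is not part of Martin's mail or of the FreeBSD periodic script. The log lines are constructed (hostnames, PIDs and addresses are made up, the pam_ldap and "PAM: authentication error" lines are modelled on the two quoted above, and the "POSSIBLE BREAK-IN ATTEMPT!" line follows sshd's usual "reverse mapping ... failed" wording). `catmsgs` is a stand-in for the real script's function that reads yesterday's /var/log/messages, `grep -E` replaces `egrep` because newer GNU grep prints a deprecation warning for `egrep`, and the extended keyword list `EXT_RE` is one possible fix, not a FreeBSD change:

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script: reproduce the
# 800.loginfail match over constructed log lines and show which lines
# the keyword list misses. Hosts, PIDs and addresses are made up.

# Constructed sample of /var/log/messages-style lines for two days.
SAMPLE_LOG='Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)
Oct 22 03:12:01 hostname.domain.com sshd[80011]: reverse mapping checking getaddrinfo for host.example [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Oct 22 08:21:20 hostname.domain.com sshd[21547]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 40212 ssh2
Oct 22 09:00:00 hostname.domain.com login: ROOT LOGIN (root) ON ttyv0
Oct 21 23:59:59 hostname.domain.com sshd[21000]: error: PAM: authentication error for admin from 203.0.113.5'

# Keyword alternation as used by 800.loginfail (matched with -i).
ORIG_RE='(fail|invalid|bad|illegal)'
# Hypothetical extension that also catches the PAM wording quoted above.
EXT_RE='(fail|invalid|bad|illegal|authentication error)'

# Stand-in for the script's catmsgs: yesterday's messages on stdout.
catmsgs() {
    printf '%s\n' "$SAMPLE_LOG"
}

# Lines the script would put in the mail (it uses tee /dev/stderr for
# that; here they go to stdout so they can be captured).
#   $1 = date prefix; the script builds it with: date -v-1d "+%b %e "
#   $2 = keyword alternation
matching_lines() {
    catmsgs | grep -E -i -a "^$1.*: .*$2"
}

# Count of matching lines, with wc's padding stripped. grep exits 1 on
# no match, but the pipeline status is wc's, so this is safe under set -e.
count_failed_logins() {
    matching_lines "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: compare both keyword lists for one day.
yesterday='Oct 22 '
echo "original pattern matches: $(count_failed_logins "$yesterday" "$ORIG_RE")"
echo "extended pattern matches: $(count_failed_logins "$yesterday" "$EXT_RE")"
echo "missed by the original pattern:"
matching_lines "$yesterday" "$EXT_RE" | grep -E -i -v "$ORIG_RE"
```

Run as-is, the original alternation counts three of the five Oct 22 lines (the pam_ldap "Invalid credentials" line, the "failed - POSSIBLE BREAK-IN ATTEMPT!" line and the "Failed keyboard-interactive" line) and skips the "PAM: authentication error for root from ..." line, which is exactly the one carrying the source host; the extended list picks it up. Note that `$yesterday` must keep the trailing space produced by the `date` format, otherwise "Oct 2" would also match "Oct 21" through "Oct 29".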

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111023084445.0f47b092>