From owner-freebsd-current@FreeBSD.ORG Sun Oct 23 06:45:20 2011
From: Martin Sugioarto <martin@sugioarto.com>
To: freebsd-current@freebsd.org
Date: Sun, 23 Oct 2011 08:44:45 +0200
Subject: Question about: /etc/periodic/security/800.loginfail
Message-ID: <20111023084445.0f47b092@zelda.sugioarto.com>
Hi,

I noticed that the daily security emails don't show failed logins properly, because the logged string does not match. This is how the lines are grepped for failed logins:

n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l)

This is what the lines I don't see look like:

Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com

Is there a reason why these messages don't belong in the security mails (except that it would blow up the output)? I think that these log lines are much more useful than those "POSSIBLE BREAK-IN ATTEMPT!" lines or pam_ldap errors, like this one below, which don't tell the origin of the attack:

Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)

So the question is whether this egrep pipe is sufficient and whether it tells you precisely enough what's going on. Any opinions on this?
--
Martin
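As an added example (not the periodic script's code and not the mail author's), the 800.loginfail pattern is replayed over a constructed day of syslog lines so the miss can be seen and counted; the `count_loginfail` helper, the sample lines and the extra `authentication error` alternative are assumptions of this example, not part of the script.

```shell
#!/bin/sh
# Added example: replay the 800.loginfail keyword grep over constructed
# log lines to show which failed-login records it counts and which it misses.

# Constructed sample of what catmsgs might emit. Line 1 is the pam_ldap line
# quoted in the mail (decoded), line 3 is the sshd PAM line the mail says is
# missed, line 2 is a constructed "POSSIBLE BREAK-IN ATTEMPT!" line, and
# line 4 is a constructed successful login that must never be counted.
SAMPLE_LOG='Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)
Oct 23 03:12:09 hostname.domain.com sshd[78102]: reverse mapping checking getaddrinfo for xxx.yyy.com failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Oct 23 09:00:01 hostname.domain.com sshd[21600]: Accepted publickey for martin from 192.0.2.4 port 51234 ssh2'

# The keyword alternation exactly as the periodic script uses it.
SCRIPT_KEYWORDS='fail|invalid|bad|illegal'
# Assumed extension for this example: also match sshd's PAM wording.
EXTENDED_KEYWORDS="$SCRIPT_KEYWORDS|authentication error"

# count_loginfail KEYWORDS DAY
# Mirrors the script's pipeline (grep -E -i -a is egrep -ia) minus the
# tee to stderr, and prints the number of matching lines for DAY, which
# is given in the script's own "%b %e" form, e.g. "Oct 23".
count_loginfail() {
    keywords=$1
    yesterday=$2
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E -i -a "^$yesterday.*: .*($keywords)" \
        | wc -l | tr -d ' '
}

# Stand-alone run: compare the script's list with the extended one for Oct 23.
for kw in "$SCRIPT_KEYWORDS" "$EXTENDED_KEYWORDS"; do
    printf 'pattern (%s): %s failed login(s)\n' "$kw" "$(count_loginfail "$kw" 'Oct 23')"
done
```

With the script's own list the Oct 23 sample yields 1 (only the BREAK-IN line, via "failed"); the extended list yields 2, because the PAM line says "authentication error" and contains none of the four keywords.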