From: Garance A Drosehn <gad@FreeBSD.org>
To: freebsd-current@FreeBSD.org
Date: Fri, 17 Mar 2006 09:03:39 -0500
Subject: Re: PROPOSAL for periodic/security/800.loginfail
References: <20060316145826.M96629@atlantis.atlantis.dp.ua> <20060317030230.G64324@atlantis.atlantis.dp.ua>

At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>
> yesterday=`date -v-1d "+%b %e "`
> cat /var/log/auth.log | grep -ia "^$yesterday" | \
> nawk -f loginfail.nawk
>
> That *should* do about the same as the recent commit
> wanted to do, but [...]. It also prints out a few lines
> that this check hasn't printed before (such as records
> of 'shutdown' reboots). Not much new, at least not in
> my testing on my systems...
I should note there are a few other debugging options you can turn on, which show you more details of what this script is (and is not) matching. When the script adds some error message of its own, it adds some curly-braces somewhere in that message, so you can grep through the output for a curly-brace to find those debugging messages.

The way I've been working on this is to throw more and more old authlog records at it with various combinations of debugging options on, and seeing what debug messages are printed out. I've just put up a newer version of the script with a few more improvements based. This version will also catch and print out messages such as:

 - User uucp not allowed because shell /usr/local/libexec/uucp/uucico does not exist
 - nologin: Attempted login by games on /dev/ttyp1
 - scanned from 127.0.208.24 with SSH-1.0-SSH_Version_Mapper

All three of those are messages that none of the previous versions of loginfail would have printed out, but I think they would be of interest to sysadmins.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
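As an added illustration, not the loginfail.nawk script from the post above, the following sh/awk fragment applies the same day-prefix filter to constructed auth.log records and tags the three message kinds listed above with a curly-brace marker, in the spirit of the post's debugging convention. The `date -v-1d` call is FreeBSD-specific, so the sample uses a fixed day prefix; the function names and the sample records are assumptions made here.

```shell
#!/bin/sh
# Added example, not the original loginfail.nawk script.
# Constructed sample auth.log records, written to a temp file so this runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 16 03:12:01 host sshd[1234]: User uucp not allowed because shell /usr/local/libexec/uucp/uucico does not exist
Mar 16 04:20:10 host login: nologin: Attempted login by games on /dev/ttyp1
Mar 16 05:01:33 host sshd[2222]: scanned from 127.0.208.24 with SSH-1.0-SSH_Version_Mapper
Mar 16 06:00:00 host sshd[3333]: Accepted publickey for alice from 10.0.0.5 port 5555 ssh2
Mar 17 01:00:00 host sshd[4444]: scanned from 10.9.9.9 with SSH-1.0-SSH_Version_Mapper
EOF

# On FreeBSD the day prefix for yesterday would be:  yesterday=$(date -v-1d "+%b %e ")
# loginfail_report DAYPREFIX LOGFILE
#   Prints one tagged line per matching record ("{tag}<TAB>record").
#   Exit status is 0 if anything matched, 1 otherwise.
loginfail_report() {
    day="$1"; log="$2"
    grep -ia "^$day" "$log" | awk '
        /not allowed because shell .* does not exist/ { print "{shell}\t" $0;   n++; next }
        /nologin: Attempted login by/                 { print "{nologin}\t" $0; n++; next }
        /scanned from .* with SSH-/                   { print "{scanner}\t" $0; n++; next }
        END { exit (n ? 0 : 1) }
    '
}

# loginfail_count DAYPREFIX LOGFILE
#   Prints the number of records loginfail_report would flag for that day.
loginfail_count() {
    loginfail_report "$1" "$2" | wc -l | tr -d ' '
}

loginfail_report "Mar 16 " "$SAMPLE_LOG"
```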