At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>
>     yesterday=`date -v-1d "+%b %e "`
>     cat /var/log/auth.log | grep -ia "^$yesterday" | \
>        nawk -f loginfail.nawk
>
>That *should* do about the same as the recent commit
>wanted to do, but [...].  It also prints out a few lines
>that this check hasn't printed before (such as records
>of 'shutdown' reboots).  Not much new, at least not in
>my testing on my systems...

I should note there are a few other debugging options you can
turn on, which show you more details of what this script is
(and is not) matching.  When the script adds some error message
of its own, it adds some curly-braces somewhere in that message,
so you can grep through the output for a curly-brace to find
those debugging messages.

The way I've been working on this is to throw more and more old
authlog records at it with various combinations of debugging
options on, and seeing what debug messages are printed out.

I've just put up a newer version of the script with a few more
improvements based.  This version will also catch and print out
messages such as:

 - User uucp not allowed because shell
      /usr/local/libexec/uucp/uucico does not exist
 - nologin: Attempted login by games on /dev/ttyp1
 - scanned from 127.0.208.24 with SSH-1.0-SSH_Version_Mapper

All three of those are messages that none of the previous versions
of loginfail would have printed out, but I think they would be of
interest to sysadmins.

-- 
Garance Alistair Drosehn            =   gad_at_gilead.netel.rpi.edu
Senior Systems Programmer           or  gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;   Troy, NY;   USA

Received on Fri Mar 17 2006 - 13:03:42 UTC
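
The filtering step described in the message above, as an added example that is not part of the original post and is not the loginfail.nawk script: it keeps only one day's auth.log records and prints the three message types the post lists. The function names, the sample log lines (constructed) and the `{nomatch}` debug tag, which is modeled on the curly-brace convention the post describes, are assumptions.

```shell
#!/bin/sh
# Added example; NOT loginfail.nawk. All names here are hypothetical.

# Constructed sample records in syslog auth.log layout.
sample_authlog() {
cat <<'EOF'
Mar 15 23:59:59 host sshd[399]: User uucp not allowed because shell /usr/local/libexec/uucp/uucico does not exist
Mar 16 03:12:01 host sshd[411]: User uucp not allowed because shell /usr/local/libexec/uucp/uucico does not exist
Mar 16 04:40:19 host nologin: Attempted login by games on /dev/ttyp1
Mar 16 05:02:33 host sshd[522]: scanned from 127.0.208.24 with SSH-1.0-SSH_Version_Mapper
Mar 16 06:00:00 host sshd[600]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# loginfail_filter DAY_PREFIX [DEBUG]
#   DAY_PREFIX  literal timestamp prefix such as "Mar 16 " (the output of
#               date "+%b %e ", so single-digit days are space-padded)
#   DEBUG       1 = also print same-day records that matched no rule,
#               tagged with "{nomatch}" so they can be found with grep '{'
# Reads the log on stdin, writes the selected records to stdout.
loginfail_filter() {
    awk -v day="$1" -v debug="${2:-0}" '
        # Literal prefix comparison: no regex metacharacter surprises.
        index($0, day) != 1 { next }

        # The three message types listed in the post.
        / not allowed because shell .* does not exist/ { print; next }
        / nologin: Attempted login by /                { print; next }
        / scanned from .* with SSH-/                   { print; next }

        # Debug aid: show what the rules above did NOT match.
        debug { print "{nomatch} " $0 }
    '
}

# On FreeBSD, with the date syntax quoted in the post:
#   loginfail_filter "$(date -v-1d '+%b %e ')" < /var/log/auth.log
sample_authlog | loginfail_filter "Mar 16 " 1
```

Running with the debug argument against old logs and grepping the output for `{` shows which records still fall through the rules.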