Re: PROPOSAL for periodic/security/800.loginfail

From: Garance A Drosehn <gad_at_FreeBSD.org>
Date: Fri, 17 Mar 2006 09:03:39 -0500
At 7:25 AM -0500 3/17/06, Garance A Drosehn wrote:
>
>     yesterday=`date -v-1d "+%b %e "`
>     cat /var/log/auth.log | grep -ia "^$yesterday" | \
>          nawk -f loginfail.nawk
>
>That *should* do about the same as the recent commit
>wanted to do, but [...].  It also prints out a few lines
>that this check hasn't printed before (such as records
>of 'shutdown' reboots).  Not much new, at least not in
>my testing on my systems...

I should note there are a few other debugging options
you can turn on, which show you more details of what
this script is (and is not) matching.  When the script
adds some error message of its own, it adds some
curly-braces somewhere in that message, so you can
grep through the output for a curly-brace to find
those debugging messages.

The way I've been working on this is to throw more and
more old authlog records at it with various combinations
of debugging options on, and seeing what debug messages
are printed out.  I've just put up a newer version of
the script with a few more improvements based.  This
version will also catch and print out messages such as:

- User uucp not allowed because shell /usr/local/libexec/uucp/uucico does not exist
- nologin: Attempted login by games on /dev/ttyp1
- scanned from 127.0.208.24 with SSH-1.0-SSH_Version_Mapper

All three of those are messages that none of the
previous versions of loginfail would have printed out,
but I think they would be of interest to sysadmins.

-- 
Garance Alistair Drosehn     =      gad_at_gilead.netel.rpi.edu
Senior Systems Programmer               or   gad_at_FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
Received on Fri Mar 17 2006 - 13:03:42 UTC
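As an added example, not part of this thread or of the loginfail.nawk script: a small sh/awk filter that applies the same day-prefix selection as the pipeline quoted above and tags records matching the three message types listed in the message. The log records are constructed samples, plain awk stands in for nawk, and the day is hard-coded instead of computed with `date -v-1d` so the run is reproducible.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (not real records), spanning three days.
SAMPLE_LOG='Mar 16 23:59:01 host sshd[101]: Accepted publickey for alice from 10.0.0.5 port 2222 ssh2
Mar 17 00:10:22 host login: User uucp not allowed because shell /usr/local/libexec/uucp/uucico does not exist
Mar 17 01:15:33 host nologin: Attempted login by games on /dev/ttyp1
Mar 17 02:20:44 host sshd[202]: scanned from 127.0.208.24 with SSH-1.0-SSH_Version_Mapper
Mar 17 03:30:55 host sshd[303]: Accepted password for bob from 10.0.0.6 port 3333 ssh2
Mar 18 00:00:01 host nologin: Attempted login by news on /dev/ttyp2'

# loginfail_report DAYPREFIX
# DAYPREFIX has the "%b %e " shape the quoted pipeline builds with date(1),
# e.g. "Mar 17 " (note the trailing space).  Records from that day whose
# message matches one of the three patterns are printed with a tag that
# says why they were flagged; everything else is dropped.
loginfail_report() {
    day=$1
    printf '%s\n' "$SAMPLE_LOG" | grep -ia "^$day" | awk '
        / not allowed because shell .* does not exist/ { print "[no-shell] " $0; next }
        /nologin: Attempted login by /                 { print "[nologin]  " $0; next }
        /scanned from .* with /                        { print "[scanner]  " $0; next }
    '
}

# loginfail_count DAYPREFIX: number of flagged records for that day.
loginfail_count() {
    loginfail_report "$1" | wc -l | tr -d ' '
}

# Report for the sample's "yesterday"; the two Accepted lines are not shown.
loginfail_report "Mar 17 "
```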
