Hi,

I noticed that the daily security emails don't show failed logins properly, because the logged string does not match. This is how the lines are grepped for failed logins:

    n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l)

This is how the lines look that I don't see:

    Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com

Is there a reason why these messages don't belong in the security mails (except that it would blow up the output)? I think that these log lines are much more useful than those "POSSIBLE BREAK-IN ATTEMPT!" lines or pam_ldap errors, like this one below, which don't tell the origin of the attack:

    Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)

So the question is if this egrep pipe is sufficient and if it tells you precisely enough what's going on. Any opinions on this?

-- 
Martin
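The following script is an added example, not part of the original message or of the periodic security script it quotes. It replays the quoted egrep pattern over a few constructed syslog lines (the hostnames and addresses are made up, and the two lines from the post are included verbatim), shows that the "PAM: authentication error" line is not counted, and contrasts it with a broadened pattern that also extracts the source host of each failed attempt. The here-document stands in for catmsgs, and $yesterday is hard-coded to the date of the sample lines.

```shell
#!/bin/sh
# Added example: compare the security-mail grep pattern against a broadened one
# over constructed log lines. Not code from the original post or from periodic(8).

# Assumption: the sample lines are all dated "Oct 23", so that is "yesterday".
yesterday="Oct 23"

# Constructed sample log data standing in for the output of catmsgs.
sample_log() {
    cat <<'EOF'
Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Oct 23 08:21:20 hostname.domain.com sshd[21547]: Failed password for root from 192.0.2.10 port 4242 ssh2
Oct 23 08:30:02 hostname.domain.com sshd[21600]: Invalid user admin from 192.0.2.11
Oct 23 09:00:00 hostname.domain.com sshd[21650]: Accepted publickey for alice from 192.0.2.12 port 5555 ssh2
Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)
EOF
}

# The pattern quoted in the post (egrep written as grep -E). It needs one of
# fail/invalid/bad/illegal after ": ", so the "authentication error" line is skipped.
original_pattern="^$yesterday.*: .*(fail|invalid|bad|illegal)"

# Broadened pattern: additionally match the PAM "authentication error" wording.
broadened_pattern="^$yesterday.*: .*(fail|invalid|bad|illegal|authentication error)"

# Number of yesterday's lines the original pattern counts.
count_original() {
    sample_log | grep -Eia "$original_pattern" | wc -l | tr -d ' '
}

# Number of yesterday's lines the broadened pattern counts.
count_broadened() {
    sample_log | grep -Eia "$broadened_pattern" | wc -l | tr -d ' '
}

# Pull the "from <host>" field out of each matching line, so the report names
# the origin of each attempt instead of only a total.
origins_broadened() {
    sample_log | grep -Eia "$broadened_pattern" \
        | sed -nE 's/.* from ([^ ]+).*/\1/p' | sort | uniq -c | sort -rn
}

echo "original pattern matches:  $(count_original)"
echo "broadened pattern matches: $(count_broadened)"
echo "failed attempts by origin:"
origins_broadened
```

Note that the Oct 22 pam_ldap line is excluded by the date anchor in both patterns, and that neither pattern touches the "Accepted publickey" line; the only difference between the two counts is the PAM error line the post is asking about.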
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:19 UTC