Periodic security
Doug White
dwhite at gumbysoft.com
Wed Sep 8 18:55:55 PDT 2004
On Tue, 31 Aug 2004, Ryan Sommers wrote:
> Slight modification to the loginfail script for periodics. This will catch
> sshd, proftpd and su errors, as well as other programs, better.
The drawback to this is that it will log multiple messages from ssh since
it prints a couple of 'illegal' lines before the "failed password for
illegal user ...' line. It'd be nice to filter those down somewhat.
>
> --- 800.loginfail Mon Aug 30 21:50:50 2004
> +++ 800.loginfail Mon Aug 30 21:51:53 2004
> @@ -59,7 +59,7 @@
> [Yy][Ee][Ss])
> echo ""
> echo "${host} login failures:"
> - n=$(catmsgs | grep -ia "^$yesterday.*fail" |
> + n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
> tee /dev/stderr | wc -l)
> [ $n -gt 0 ] && rc=1 || rc=0;;
> *) rc=0;;
>
>
--
Doug White | FreeBSD: The Power to Serve
dwhite at gumbysoft.com | www.FreeBSD.org
More information about the freebsd-current
mailing list