FreeBSD 10-STABLE periodic/security/800-loginfail

jhellenthal at dataix.net
Sat Feb 1 05:34:20 UTC 2014


It seems that, AFAIK, it is missing a pattern to match "not allowed" entries in auth.log.

I would like to propose the following changes upon this subject...

Initially I would like to see patterns be more specific and case sensitive.
	* This is due to many pattern matching problems like invalid_userauth_request matching case insensitive pattern "invalid" that was meant to catch "Invalid login" but does not provide any useful information when relayed to the user.

I would like to see the egrep statement in turn changed to (grep -E).
	* This is just a nit-pick for portability's sake.

Also move away from storing the pattern matching statically in the 800-loginfail file directly.
	* Store somewhere else like /etc/periodic/security/loginpatterns
	* Include the ability to allow users to pattern match on /etc/userpatterns (whatever you wanna call it...)
	* It may be used further by other user-aided scripts to parse logs too.

I would suggest the following patterns to match on to begin with.
	* "User.*.from.*.not.allowed"
	* "Invalid.user.*.from."
	* "authentication.error.for.illegal.user.*.from"
	* "Did.not.receive.identification.string.from"

I am sure there are plenty of other patterns to match on, but this takes care of sshd and most system-level logs AFAIA.

Wrapping this up though, my main concern is getting rid of what is not useful to someone or anyone in the form of an email, like the input_userauth_request messages. I personally would rather see where it started, along with the IP address, and parse the logs later if I am concerned about one of those entries.

-- 

 - (2^(N-1)) JJH48-ARIN
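The pattern-file-driven, case-sensitive check the post proposes, written out as an added example; this is not part of the original message nor of the FreeBSD periodic script. The file names loginpatterns and userpatterns follow the post's suggestion, the auth.log lines are constructed for the demo, and the helper names build_regex, loginfail_report and loginfail_count are assumptions.

```sh
#!/bin/sh
# Added example (not the FreeBSD 800-loginfail script itself): read the match
# patterns from files instead of hard-coding them, and run them with a
# case-sensitive grep -E.  File names are the post's suggestions; the auth.log
# excerpt is constructed for this demo.

# Build a throwaway demo environment so the script runs offline.
LF_DIR=$(mktemp -d)
trap 'rm -rf "$LF_DIR"' EXIT

# System patterns, one extended regex per line (the four from the post).
cat > "$LF_DIR/loginpatterns" <<'EOF'
# lines starting with # are comments
User.*.from.*.not.allowed
Invalid.user.*.from.
authentication.error.for.illegal.user.*.from
Did.not.receive.identification.string.from
EOF

# Optional site-local patterns (assumed file; the script tolerates its absence).
cat > "$LF_DIR/userpatterns" <<'EOF'
Failed.password.for.*.from
EOF

# Constructed auth.log excerpt; 192.0.2.0/24 is a documentation range.
cat > "$LF_DIR/auth.log" <<'EOF'
Feb  1 05:30:01 host sshd[1001]: Invalid user admin from 192.0.2.10
Feb  1 05:30:02 host sshd[1001]: input_userauth_request: invalid user admin [preauth]
Feb  1 05:30:05 host sshd[1002]: User root from 192.0.2.11 not allowed because not listed in AllowUsers
Feb  1 05:30:09 host sshd[1003]: Did not receive identification string from 192.0.2.12
Feb  1 05:31:00 host sshd[1004]: Failed password for jdoe from 192.0.2.13 port 50022 ssh2
Feb  1 05:31:30 host sshd[1005]: Accepted publickey for jdoe from 192.0.2.13 port 50023 ssh2
EOF

# Join every non-empty, non-comment line of the given pattern files into one
# alternation for grep -E.  Missing files are skipped silently.
build_regex() {
    grep -E -hv '^[[:space:]]*(#|$)' "$@" 2>/dev/null | paste -s -d '|' -
}

# Print the lines of a log file matching the patterns: case sensitive,
# grep -E only, no -i.  Usage: loginfail_report LOGFILE PATTERNFILE...
loginfail_report() {
    log=$1; shift
    regex=$(build_regex "$@")
    [ -n "$regex" ] || return 0        # no patterns: nothing to report
    grep -E -- "$regex" "$log"
}

# Number of matching lines, for scripts that only need a count.
loginfail_count() {
    loginfail_report "$@" | wc -l | tr -d ' '
}

# Demo run: system patterns alone, then with the site-local file added.
loginfail_report "$LF_DIR/auth.log" "$LF_DIR/loginpatterns"
echo "---"
loginfail_report "$LF_DIR/auth.log" "$LF_DIR/loginpatterns" "$LF_DIR/userpatterns"
```

The lowercase `input_userauth_request: invalid user` line is deliberately left unmatched: with case-sensitive patterns it no longer rides along on "invalid", which is exactly the noise the post wants out of the report. The `Failed.password` entry in userpatterns only illustrates a site-local addition; whether to report failed passwords at all is a local choice.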