[1381] in linux-security and linux-alert archive
[linux-security] Re: logwatching
daemon@ATHENA.MIT.EDU (Matt)
Thu Jan 16 09:18:56 1997
To: linux-security@tarsier.cv.nrao.edu
From: Matt <panzer@dhp.com>
Date: 8 Jan 1997 03:25:24 GMT
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
*Hobbit* <hobbit@avian.org> wrote:
: If it's any help, here's a sed script that is reasonably good at pulling out
: suspicious-looking items generated by various daemons. Fix appropriately...
Before people start hacking out their own custom versions of SED, please
try swatch v2.1 (not 2.2). It does this already and has code to
automatically do something when a trigger is activated, see below for
SAMPLE config. (portcullis is our router)
/portcullis.*login failed/ mail=admin
/portcullis.*restarted/ exec="/usr/local/bin/tpage - `date +%m%d%H%M`:$0"
I've been basically going through stuff and looking for error messages
that would symbolize something strange. However, there is a huge number
of error messages that people have decided mean a security problem.... :)
--
-Matt (panzer@dhp.com) -- DataHaven Project - http://www.dhp.com/
"That which can never be enforced should not be prohibited."
[mod: and Craig H. Rowland (crowland@psionic.com) adds: -- REW]
I have a program called logcheck that does just this. It's a clone of a
log checker found on TIS Gauntlet and works very well with systems
with TCP wrappers and/or the TIS Firewall Toolkit. It works very
well on standard Linux (RedHat, Slackware), FreeBSD(2.x), BSDI(1.1, 2,X)
and other similiar UNIX BSD OS types.
You can find this program at http://www.psionic.com/logcheck.html
The current version is 1.01, there will be an update to 1.1 in a few
weeks.
This site is on a poor 28.8 connection so please be patient if it is slow.
It is probably mirrored at various archives (COAST), if anyone else wishes
to mirror please feel free.
Thanks,
-- Craig