Question about: /etc/periodic/security/800.loginfail
Martin Sugioarto
martin at sugioarto.com
Sun Oct 23 06:45:20 UTC 2011
Hi,
I noticed that the daily security emails don't show failed logins
properly, because the logged string does not match.
This is how the lines are grepped for failed logins:
n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
tee /dev/stderr | wc -l)
This is what the lines that I don't see look like:
Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Is there a reason why these messages don't belong in the security
mails (except that it would blow up the output)? I think that these log
lines are much more useful than those "POSSIBLE BREAK-IN ATTEMPT!"
lines or pam_ldap errors, like the one below, which don't tell the
origin of the attack:
Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)
So the question is whether this egrep pipe is sufficient and whether it tells you
precisely enough what's going on. Any opinions on this?
--
Martin
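To see concretely which lines the stock 800.loginfail pattern counts and which it silently drops, here is an added example (not part of the post or of the FreeBSD script) that runs the same egrep expression over a constructed auth.log sample, then widens it to also catch the PAM "authentication error" lines. The sample lines, hostnames and addresses are made up, and the function names are hypothetical; $1 stands in for the "Mon DD" prefix the script keeps in $yesterday.

```shell
#!/bin/sh
# Constructed sample in the format of sshd lines in /var/log/auth.log.
# Hostnames and addresses are placeholders, not real systems.
SAMPLE_LOG='Oct 23 08:21:16 hostname.domain.com sshd[21547]: error: PAM: authentication error for root from xxx.yyy.com
Oct 23 08:22:01 hostname.domain.com sshd[21550]: Invalid user admin from 192.0.2.10
Oct 23 08:22:05 hostname.domain.com sshd[21551]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Oct 22 00:07:48 hostname.domain.com sshd[77983]: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=domain" (Invalid credentials)
Oct 23 09:00:00 hostname.domain.com sshd[21600]: Accepted publickey for alice from 192.0.2.20 port 5555 ssh2'

# Count lines for the day prefix in $1 with the stock 800.loginfail
# expression (grep -E is the same as egrep; -c counts instead of tee|wc).
count_stock() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -Eic "^$1.*: .*(fail|invalid|bad|illegal)" || true
}

# Same count with the alternation widened so that PAM's
# "authentication error for <user> from <host>" lines are included.
count_extended() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -Eic "^$1.*: .*(fail|invalid|bad|illegal|authentication error)" || true
}

# Count the lines on day $1 that look like auth failures (PAM wording)
# but that the stock expression does not match at all.
missed_by_stock() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -Ei "^$1.*: .*authentication error" \
        | grep -Eivc "(fail|invalid|bad|illegal)" || true
}

# Stand-alone run: compare the two patterns for one day.
printf 'stock: %s  widened: %s  missed by stock: %s\n' \
    "$(count_stock 'Oct 23')" "$(count_extended 'Oct 23')" "$(missed_by_stock 'Oct 23')"
```

The widened alternation is only a sketch; whatever you add, check it against a day of real logs first, since a broad word like "error" would also sweep in lines such as the pam_ldap one that carry no source host.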
More information about the freebsd-current mailing list