jedi_master_ss
n00b
Joined: 12 Feb 2004
Posts: 25
Posted: Sat May 13, 2006 6:05 am
Post subject: LogWatch + remote machine
I couldn't find anything about this on the forums or on the wiki. I already have syslogd (on OpenWrt) set up to talk to syslog-ng (on a Gentoo Linux boxen) and I have logwatch running on the Gentoo machine.
I was wondering if anyone has ever gotten a config script set up to properly parse the output from dropbear and dnsmasq.
Since I couldn't find anything helpful written anywhere, I started creating my own, but I ran into some issues:
Code:
--------------------- DropBear Begin ------------------------
Failed logins from these:
82.226.38.244 (mar92-6-82-226-38-244.fbx.proxad.net): 18 times
root: 18 times
202.111.175.116: 2 times
root: 2 times
Users logging in through sshd:
root:
192.168.1.228 (Yuuzhan.lan):
(all): HASH(0x81e4c14) times
192.168.1.108 (Atlantis.lan):
(all): HASH(0x81e4ba8) times
---------------------- DropBear End -------------------------
The output from the successful logins is not properly output, and yes, it seemed someone was trying to have fun w/ the router the previous day.
This is a copy of the script I started to create, some of which I copied directly from the sshd file.
/usr/share/logwatch/scripts/services/dropbear:
Code:
use strict;
use Logwatch ':all';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# Only %Users, %BadLogins and @OtherList are used below; the other
# counters were carried over from the sshd script and are still unused.
my %Users = ();
my %IllegalUsers = ();
my %TooManyFailures = ();
my %NoIdent = ();
my %BindFailed = ();
my %BadLogins = ();
my %NoRevMap = ();
my %RefusedConnections = ();
my %RefusedAuthentication = ();
my %DisconnectReceived = ();
my %RootLogin = ();
my %PamReleaseFail = ();
my %PamError = ();
my %ShadowInfo = ();
my %TTYModesFail = ();
my %LoginLock = ();
my %PostPonedAuth = ();
my %LockedAccount = ();
my %AllowUsers = ();
my %NoShellUsers = ();
my %DeprecatedOption = ();
my %MisMatch = ();
my @BadRSA = ();
my @Scanned = ();
my @OtherList = ();
my $sftpRequests = 0;
my $NetworkErrors = 0;
my $Kills = 0;
my $Starts = 0;

while (defined(my $ThisLine = <STDIN>)) {
    chomp($ThisLine);
    if (($ThisLine =~ /^pam_end: NULL pam handle passed/ )) {
        # We don't care about these
    }
    # dropbear logs "... from 1.2.3.4:port" with no spaces around the colon,
    # so the regex must not have any either
    elsif ( my ($User,$Host,$Port) = ($ThisLine =~ /^password auth succeeded for '(\S+)' from ([\d\.:a-f]+):(\d+)/)) {
        # third level is the auth method; dropbear only reports one, so "(all)"
        $Users{$User}{$Host}{"(all)"}++;
    }
    elsif ( my ($User,$Host,$Port) = ($ThisLine =~ /^bad password attempt for '(\S+)' from ([\d\.:a-f]+):(\d+)/)) {
        $BadLogins{$Host}{$User}++;
    }
    else {
        # keep everything else so it shows up as unmatched instead of vanishing
        push @OtherList, $ThisLine;
    }
}

#############################################################

if (keys %BadLogins) {
    print "\nFailed logins from these:\n";
    foreach my $ip (sort SortIP keys %BadLogins) {
        my $name = LookupIP($ip);
        my $totcount = 0;
        foreach my $user (keys %{$BadLogins{$ip}}) {
            $totcount += $BadLogins{$ip}{$user};
        }
        my $plural = ($totcount > 1) ? "s" : "";
        print "   $name: $totcount time$plural\n";
        if ($Detail >= 5) {
            my $sort = CountOrder(%{$BadLogins{$ip}});
            foreach my $user (sort $sort keys %{$BadLogins{$ip}}) {
                my $val = $BadLogins{$ip}{$user};
                my $plural = ($val > 1) ? "s" : "";
                print "      $user: $val time$plural\n";
            }
        }
    }
}

if (keys %Users) {
    print "\nUsers logging in through sshd:\n";
    foreach my $user (sort {$a cmp $b} keys %Users) {
        print "   $user:\n";
        my $totalSort = TotalCountOrder(%{$Users{$user}}, \&SortIP);
        foreach my $ip (sort $totalSort keys %{$Users{$user}}) {
            my $name = LookupIP($ip);
            if ($Detail >= 20) {
                print "      $name:\n";
                my $sort = CountOrder(%{$Users{$user}{$ip}});
                foreach my $method (sort $sort keys %{$Users{$user}{$ip}}) {
                    # was $Users{$user}{$ip}, a hash ref, which printed as HASH(0x...)
                    my $val = $Users{$user}{$ip}{$method};
                    my $plural = ($val > 1) ? "s" : "";
                    print "         $method: $val time$plural\n";
                }
            } else {
                my $val = (values %{$Users{$user}{$ip}})[0];
                my $plural = ($val > 1) ? "s" : "";
                print "      $name: $val time$plural\n";
            }
        }
    }
}

if ($#OtherList >= 0) {
    print "\n**Unmatched Entries**\n";
    print "$_\n" foreach @OtherList;
}

exit 0;
I wanted to be able to parse out when someone was trying to attack my router from when someone legitimately logged in, and also to log all those IPs as well as all the DHCP leases, since I needed to use WEP128 instead of WPA due to some WDS issues, just in case someone was attempting to steal bandwidth.
The following is normal output from the syslogd on the router:
Code:
May 12 21:31:33 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:31:34 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.165 00:0f:66:77:10:cb
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.165 00:0f:66:77:10:cb MadHatter
May 12 21:41:51 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.150 00:14:bf:bd:4d:af
May 12 21:41:51 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.150 00:14:bf:bd:4d:af Kuma
May 12 21:46:37 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.186 00:14:a5:20:d8:a9
May 12 21:46:37 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.186 00:14:a5:20:d8:a9 Annie
May 12 21:47:22 192.168.1.1 dropbear[1080]: Child connection from 202.111.175.116:59632
May 12 21:47:22 192.168.1.1 dropbear[1080]: exit before auth: Failed to get remote version
May 12 21:50:27 192.168.1.1 dropbear[1081]: Child connection from 202.111.175.116:45822
May 12 21:50:31 192.168.1.1 dropbear[1081]: login attempt for nonexistent user from 202.111.175.116:45822
May 12 21:50:33 192.168.1.1 dropbear[1081]: exit before auth: Disconnect received
May 12 21:50:33 192.168.1.1 dropbear[1082]: Child connection from 202.111.175.116:46017
May 12 21:50:36 192.168.1.1 dropbear[1082]: login attempt for nonexistent user from 202.111.175.116:46017
May 12 21:50:36 192.168.1.1 dropbear[1083]: Child connection from 202.111.175.116:46346
May 12 21:50:37 192.168.1.1 dropbear[1082]: exit before auth: Disconnect received
May 12 21:50:38 192.168.1.1 dropbear[1084]: Child connection from 202.111.175.116:46441
May 12 21:50:40 192.168.1.1 dropbear[1083]: bad password attempt for 'root' from 202.111.175.116:46346
May 12 21:50:41 192.168.1.1 dropbear[1083]: exit before auth (user 'root', 1 fails): Disconnect received
May 12 21:50:41 192.168.1.1 dropbear[1084]: login attempt for nonexistent user from 202.111.175.116:46441
May 12 21:50:41 192.168.1.1 dropbear[1085]: Child connection from 202.111.175.116:46737
May 12 21:50:42 192.168.1.1 dropbear[1084]: exit before auth: Disconnect received
May 12 21:50:42 192.168.1.1 dropbear[1086]: Child connection from 202.111.175.116:46882
May 12 21:50:44 192.168.1.1 dropbear[1087]: Child connection from 202.111.175.116:47249
May 12 21:50:44 192.168.1.1 dropbear[1085]: bad password attempt for 'root' from 202.111.175.116:46737
May 12 21:50:45 192.168.1.1 dropbear[1085]: exit before auth (user 'root', 1 fails): Disconnect received
May 12 21:50:46 192.168.1.1 dropbear[1088]: Child connection from 202.111.175.116:47350
May 12 21:50:46 192.168.1.1 dropbear[1086]: login attempt for nonexistent user from 202.111.175.116:46882
May 12 21:50:47 192.168.1.1 dropbear[1086]: exit before auth: Exited normally
May 12 21:50:47 192.168.1.1 dropbear[1087]: exit before auth: Exited normally
May 12 21:50:48 192.168.1.1 dropbear[1088]: exit before auth: Exited normally
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.108 00:11:24:79:2c:8c
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.108 00:11:24:79:2c:8c Atlantis
May 12 22:20:55 192.168.1.1 -- MARK --
May 12 22:20:55 192.168.1.1 -- MARK --
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.228 00:12:17:86:66:a6
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.228 00:12:17:86:66:a6 Yuuzhan
May 12 22:38:35 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.104 00:09:5b:0a:2f:02
May 12 22:38:35 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.104 00:09:5b:0a:2f:02 linux
May 12 22:40:55 192.168.1.1 -- MARK --
May 12 22:40:56 192.168.1.1 -- MARK --
May 12 23:00:56 192.168.1.1 -- MARK --
May 12 23:00:56 192.168.1.1 -- MARK --
May 12 23:20:56 192.168.1.1 -- MARK --
May 12 23:20:56 192.168.1.1 -- MARK --
May 12 23:40:56 192.168.1.1 -- MARK --
May 12 23:40:56 192.168.1.1 -- MARK --
May 13 00:00:56 192.168.1.1 -- MARK --
May 13 00:00:56 192.168.1.1 -- MARK --
May 13 00:20:56 192.168.1.1 -- MARK --
May 13 00:20:56 192.168.1.1 -- MARK --
May 13 00:35:10 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.213 00:10:b5:0f:5b:ba
May 13 00:35:10 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.213 00:10:b5:0f:5b:ba compaq400
May 13 00:36:55 192.168.1.1 dropbear[1089]: Child connection from 192.168.1.228:3254
May 13 00:37:02 192.168.1.1 dropbear[1089]: password auth succeeded for 'root' from 192.168.1.228:3254
May 13 00:37:41 192.168.1.1 dropbear[1089]: exit after auth (root): Exited normally
May 13 00:37:51 192.168.1.1 dropbear[1093]: Child connection from 192.168.1.228:3256
May 13 00:37:56 192.168.1.1 dropbear[1093]: password auth succeeded for 'root' from 192.168.1.228:3256
May 13 00:39:47 192.168.1.1 dropbear[1093]: exit after auth (root): Exited normally
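A stand-alone parser for the dropbear and dnsmasq lines in this log, added here as an example; it is not part of the original post and not a logwatch service script. It separates bad-password and nonexistent-user probes from successful logins and records each DHCPACK lease by MAC; the sample lines are a subset taken from the syslog excerpt above, and the prefix format and regexes are my own assumptions about how the router writes them.

```python
import re
from collections import Counter

# Sample lines taken from the syslog excerpt in the post (a short subset, not the full log).
SAMPLE_LOG = """\
May 12 21:31:34 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.165 00:0f:66:77:10:cb MadHatter
May 12 21:50:27 192.168.1.1 dropbear[1081]: Child connection from 202.111.175.116:45822
May 12 21:50:31 192.168.1.1 dropbear[1081]: login attempt for nonexistent user from 202.111.175.116:45822
May 12 21:50:40 192.168.1.1 dropbear[1083]: bad password attempt for 'root' from 202.111.175.116:46346
May 12 21:50:44 192.168.1.1 dropbear[1085]: bad password attempt for 'root' from 202.111.175.116:46737
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.108 00:11:24:79:2c:8c Atlantis
May 13 00:37:02 192.168.1.1 dropbear[1089]: password auth succeeded for 'root' from 192.168.1.228:3254
May 13 00:37:56 192.168.1.1 dropbear[1093]: password auth succeeded for 'root' from 192.168.1.228:3256
"""

# Assumed syslog prefix as written by the router: "Mon DD HH:MM:SS <host> <prog>[<pid>]: <message>".
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
# dropbear messages; note "ip:port" has no spaces around the colon.
GOOD = re.compile(r"^password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$")
BAD = re.compile(r"^bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$")
NOUSER = re.compile(r"^login attempt for nonexistent user from (?P<ip>[\d.]+):\d+$")
# dnsmasq DHCPACK: ip, mac, and an optional client hostname.
LEASE = re.compile(r"^DHCPACK\(\w+\) (?P<ip>[\d.]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<name>\S+))?$")

def summarize(text):
    """Count logins per (user, ip), failures per (ip, user), nonexistent-user probes per ip,
    and the latest lease per MAC; dropbear lines with no pattern are kept as unmatched."""
    s = {"good": Counter(), "bad": Counter(), "nouser": Counter(), "leases": {}, "unmatched": []}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # "-- MARK --" heartbeats carry no program field
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "dropbear":
            if (g := GOOD.match(msg)):
                s["good"][(g["user"], g["ip"])] += 1
            elif (b := BAD.match(msg)):
                s["bad"][(b["ip"], b["user"])] += 1
            elif (n := NOUSER.match(msg)):
                s["nouser"][n["ip"]] += 1
            else:
                s["unmatched"].append(msg)
        elif prog == "dnsmasq":
            lease = LEASE.match(msg)  # DHCPREQUEST and other dnsmasq lines are ignored
            if lease:
                s["leases"][lease["mac"]] = (lease["ip"], lease["name"] or "(no hostname)")
    return s
```

Unmatched dropbear messages (the "Child connection" and "exit before auth" lines) are returned rather than dropped, so a new message format shows up in the report instead of disappearing silently.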