Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
LogWatch + remote machine
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
jedi_master_ss
n00b
n00b


Joined: 12 Feb 2004
Posts: 25

PostPosted: Sat May 13, 2006 6:05 am    Post subject: LogWatch + remote machine Reply with quote

i couldn't find anything about this on the forums or on the wiki. I already have syslogd (on openwrt) setup to talk to syslog-ng (on a gentoo linux boxen) and i have logwatch running on the gentoo machine
I was wondering if anyone has ever gotten a config script setup to properly parse the output from dropbear and dnsmasq

Since i couldn't find anything written anywhere helpful i started creating my own but i ran into some issues:
Code:

--------------------- DropBear Begin ------------------------

 Failed logins from these:
    82.226.38.244 (mar92-6-82-226-38-244.fbx.proxad.net): 18 times
       root: 18 times
    202.111.175.116: 2 times
       root: 2 times

 Users logging in through sshd:
    root:
       192.168.1.228 (Yuuzhan.lan):
          (all): HASH(0x81e4c14) times
       192.168.1.108 (Atlantis.lan):
          (all): HASH(0x81e4ba8) times

 ---------------------- DropBear End -------------------------
the output from the sucessfull logins is not properly output and yes it seemed someone was trying to have fun w/ the router the previous day

this is a copy the script i started to create some of which i copied directly from the sshd file
/usr/share/logwatch/scripts/services/dropbear:
Code:
use strict;
use Logwatch ':all';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my %Users = ();
my %IllegalUsers = ();
my %TooManyFailures = ();
my %NoIdent = ();
my %BindFailed = ();
my %BadLogins = ();
my %NoRevMap = ();
my %RefusedConnections = ();
my %RefusedAuthentication = ();
my %DisconnectReceived = ();
my %RootLogin = ();
my %PamReleaseFail = ();
my %PamError = ();
my %ShadowInfo = ();
my %TTYModesFail = ();
my %LoginLock = ();
my %PostPonedAuth = ();
my %LockedAccount = ();
my %AllowUsers = ();
my %NoShellUsers = ();
my %DeprecatedOption = ();
my %MisMatch = ();
my @BadRSA = ();
my @Scanned = ();
my @OtherList = ();

my $sftpRequests = 0;
my $NetworkErrors = 0;
my $Kills = 0;
my $Starts = 0;
my $NetworkErrors = 0;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if (($ThisLine =~ /^pam_end: NULL pam handle passed/ )) {
      #We Don't care about these
   }
   elsif ( my ($User,$Host,$Port) = ($ThisLine =~ /^password auth succeeded for '(\S+)' from ([\d\.:a-f]+) : (\d+)/))
   {
      $Users{$User}{$Host}{"(all)"}++;
   }
   elsif ( my ($User,$Host,$Port) = ($ThisLine =~ /^bad password attempt for '(\S+)' from ([\d\.:a-f]+):(\d+)/))
   {
      $BadLogins{$Host}{$User}++;
   }
}

#############################################################

if (keys %BadLogins){
   print "\nFailed logins from these:\n";
   foreach my $ip (sort SortIP keys %BadLogins) {
      my $name = LookupIP($ip);
      my $totcount = 0;
      foreach my $user (keys %{$BadLogins{$ip}}) {
            $totcount += $BadLogins{$ip}{$user};
      }
      my $plural = ($totcount > 1) ? "s" : "";
      print "   $name: $totcount time$plural\n";
      if ($Detail >= 5) {
         my $sort = CountOrder(%{$BadLogins{$ip}});
         foreach my $user (sort $sort keys %{$BadLogins{$ip}}) {
            my $val = $BadLogins{$ip}{$user};
            my $plural = ($val > 1) ? "s" : "";
            print "      $user: $val time$plural\n";
         }
      }
   }
}

if (keys %Users) {
   print "\nUsers logging in through sshd:\n";
   foreach my $user (sort {$a cmp $b} keys %Users) {
      print "   $user:\n";
      my $totalSort = TotalCountOrder(%{$Users{$user}}, \&SortIP);
      foreach my $ip (sort $totalSort keys %{$Users{$user}}) {
         my $name = LookupIP($ip);
         if ($Detail >= 20) {
            print "      $name:\n";
            my $sort = CountOrder(%{$Users{$user}{$ip}});
            foreach my $method (sort $sort keys %{$Users{$user}{$ip}}) {
               my $val = $Users{$user}{$ip};
               my $plural = ($val > 1) ? "s" : "";
               print "         $method: $val time$plural\n";
            }
         } else {
            my $val = (values %{$Users{$user}{$ip}})[0];
            my $plural = ($val > 1) ? "s" : "";
            print "      $name: $val time$plural\n";
         }
      }
   }
}



i wanted to be able parse out when someone was trying to attack my router from when someone legitimately logged in and also to log all those IP's aswell as log all the DHCP leases since I needed to use WEP128 instead of WPA due to some WDS issues. Just incase some one was attempting to steal bandwidth.

the following is normal output from the syslogd on the router:
Code:
May 12 21:31:33 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:31:34 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.165 00:0f:66:77:10:cb
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.165 00:0f:66:77:10:cb MadHatter
May 12 21:41:51 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.150 00:14:bf:bd:4d:af
May 12 21:41:51 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.150 00:14:bf:bd:4d:af Kuma
May 12 21:46:37 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.186 00:14:a5:20:d8:a9
May 12 21:46:37 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.186 00:14:a5:20:d8:a9 Annie
May 12 21:47:22 192.168.1.1 dropbear[1080]: Child connection from 202.111.175.116:59632
May 12 21:47:22 192.168.1.1 dropbear[1080]: exit before auth: Failed to get remote version
May 12 21:50:27 192.168.1.1 dropbear[1081]: Child connection from 202.111.175.116:45822
May 12 21:50:31 192.168.1.1 dropbear[1081]: login attempt for nonexistent user from 202.111.175.116:45822
May 12 21:50:33 192.168.1.1 dropbear[1081]: exit before auth: Disconnect received
May 12 21:50:33 192.168.1.1 dropbear[1082]: Child connection from 202.111.175.116:46017
May 12 21:50:36 192.168.1.1 dropbear[1082]: login attempt for nonexistent user from 202.111.175.116:46017
May 12 21:50:36 192.168.1.1 dropbear[1083]: Child connection from 202.111.175.116:46346
May 12 21:50:37 192.168.1.1 dropbear[1082]: exit before auth: Disconnect received
May 12 21:50:38 192.168.1.1 dropbear[1084]: Child connection from 202.111.175.116:46441
May 12 21:50:40 192.168.1.1 dropbear[1083]: bad password attempt for 'root' from 202.111.175.116:46346
May 12 21:50:41 192.168.1.1 dropbear[1083]: exit before auth (user 'root', 1 fails): Disconnect received
May 12 21:50:41 192.168.1.1 dropbear[1084]: login attempt for nonexistent user from 202.111.175.116:46441
May 12 21:50:41 192.168.1.1 dropbear[1085]: Child connection from 202.111.175.116:46737
May 12 21:50:42 192.168.1.1 dropbear[1084]: exit before auth: Disconnect received
May 12 21:50:42 192.168.1.1 dropbear[1086]: Child connection from 202.111.175.116:46882
May 12 21:50:44 192.168.1.1 dropbear[1087]: Child connection from 202.111.175.116:47249
May 12 21:50:44 192.168.1.1 dropbear[1085]: bad password attempt for 'root' from 202.111.175.116:46737
May 12 21:50:45 192.168.1.1 dropbear[1085]: exit before auth (user 'root', 1 fails): Disconnect received
May 12 21:50:46 192.168.1.1 dropbear[1088]: Child connection from 202.111.175.116:47350
May 12 21:50:46 192.168.1.1 dropbear[1086]: login attempt for nonexistent user from 202.111.175.116:46882
May 12 21:50:47 192.168.1.1 dropbear[1086]: exit before auth: Exited normally
May 12 21:50:47 192.168.1.1 dropbear[1087]: exit before auth: Exited normally
May 12 21:50:48 192.168.1.1 dropbear[1088]: exit before auth: Exited normally
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.108 00:11:24:79:2c:8c
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.108 00:11:24:79:2c:8c Atlantis
May 12 22:20:55 192.168.1.1 -- MARK --
May 12 22:20:55 192.168.1.1 -- MARK --
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.228 00:12:17:86:66:a6
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.228 00:12:17:86:66:a6 Yuuzhan
May 12 22:38:35 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.104 00:09:5b:0a:2f:02
May 12 22:38:35 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.104 00:09:5b:0a:2f:02 linux
May 12 22:40:55 192.168.1.1 -- MARK --
May 12 22:40:56 192.168.1.1 -- MARK --
May 12 23:00:56 192.168.1.1 -- MARK --
May 12 23:00:56 192.168.1.1 -- MARK --
May 12 23:20:56 192.168.1.1 -- MARK --
May 12 23:20:56 192.168.1.1 -- MARK --
May 12 23:40:56 192.168.1.1 -- MARK --
May 12 23:40:56 192.168.1.1 -- MARK --
May 13 00:00:56 192.168.1.1 -- MARK --
May 13 00:00:56 192.168.1.1 -- MARK --
May 13 00:20:56 192.168.1.1 -- MARK --
May 13 00:20:56 192.168.1.1 -- MARK --
May 13 00:35:10 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.213 00:10:b5:0f:5b:ba
May 13 00:35:10 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.213 00:10:b5:0f:5b:ba compaq400
May 13 00:36:55 192.168.1.1 dropbear[1089]: Child connection from 192.168.1.228:3254
May 13 00:37:02 192.168.1.1 dropbear[1089]: password auth succeeded for 'root' from 192.168.1.228:3254
May 13 00:37:41 192.168.1.1 dropbear[1089]: exit after auth (root): Exited normally
May 13 00:37:51 192.168.1.1 dropbear[1093]: Child connection from 192.168.1.228:3256
May 13 00:37:56 192.168.1.1 dropbear[1093]: password auth succeeded for 'root' from 192.168.1.228:3256
May 13 00:39:47 192.168.1.1 dropbear[1093]: exit after auth (root): Exited normally
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum