Logwatch and BFD

gbjbaanb (Verified User, joined Jan 10, 2006, 72 messages)
If, like me, you want to know who's been banned from your server as they try to log on too many times, but you don't want an email every time BFD blocks them, then you'll want to add the BFD log to logwatch.

On 64bit CentOS 4.2 with the default logwatch installation, setting this up is really a matter of copying 3 files to the right places. Other distros may be slightly different.

All the following go in the /etc/log.d/ directory

File 1: conf/logfiles/bfd.conf
Code:
# Which logfile group...
LogFile = /var/log/bfd_log
Archive = /var/log/bfd_log.*

File 2: conf/services/bfd.conf
Code:
Title = "BFD"

# Which logfile group...
LogFile = bfd

#*RemoveHeaders =
*ApplyStdDate =

File 3: scripts/services/bfd
Code:
#!/usr/bin/perl -w
# Logwatch filter for the BFD log: summarises which addresses BFD banned.
$Debug = $ENV{'LOGWATCH_DEBUG'} || 0;

if ( $Debug >= 5 ) {
   print STDERR "\n\nDEBUG: Inside BFD Filter \n\n";
   $DebugCounter = 1;
}

while (defined($ThisLine = <STDIN>)) {
   if ( $Debug >= 5 ) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }

   # Drop the first two space-separated fields of the line
   $ThisLine =~ s/^[^ ]* [^ ]* //;

   # Reduce a ban line to "<ip> : (<service>)": the address comes from the
   # "apf -d <ip>" command, the service from the {...} tag after it.
   # The trailing newline survives the substitution, so printing the key
   # below needs no extra "\n".
   if ( $ThisLine =~ s/.*apf \-d ([^ ]+).*\{([^\}]+).*/$1 : \($2\)/ ) {
      $Banned{$ThisLine}++;
   } else {
      # Report any unmatched entries...
      push @OtherList,$ThisLine;
   }
}

if (keys %Banned) {
   print "\nBanned:\n";
   foreach $ThisOne (keys %Banned) {
       print "   ". $ThisOne;
   }
}

if ($#OtherList >= 0) {
   print "\n**Unmatched Entries**\n";
   print @OtherList;
}

exit(0);

As an extra, you can edit the scripts/services/sshd file to collate all the failed sshd logins. On CentOS 4.2, I had to do this because the lines I was getting said "invalid user" and the default logwatch script only parsed "illegal user" (or the other way round).

Find the following elsif entry for Failed logins and edit it to look as follows
Code:
   } elsif ( $ThisLine =~ m/^Failed (\S+) for (illegal|invalid) user (.*) from ([^ ]+) port (\d+)/ ) { #openssh
      $Temp = "[various] from $4";
#      $Temp = "$3/$1 from $4"; -- the existing entry in my logwatch file
      $BadLogins{$Temp}++;
      $IllegalUsers{$Temp}++;


After all this, you should see entries like this in your logwatch emails.
Code:
 --------------------- BFD Begin ------------------------ 

Banned:
   211.100.33.230 : (bfd.sshd)
   84.244.10.218 : (bfd.sshd)

 ---------------------- BFD End ------------------------- 

 --------------------- SSHD Begin ------------------------ 


Failed logins from these:
   [various] from ::ffff:211.100.33.230: 44 Time(s)
   [various] from ::ffff:84.244.10.218: 4 Time(s)
   admin/password from ::ffff:211.100.33.230: 1 Time(s)
   ftp/password from ::ffff:211.100.33.230: 5 Time(s)
   mail/password from ::ffff:211.100.33.230: 4 Time(s)
   mysql/password from ::ffff:211.100.33.230: 3 Time(s)
   root/password from ::ffff:84.244.10.218: 37 Time(s)

Illegal users from these:
   [various] from ::ffff:211.100.33.230: 88 Time(s)
   [various] from ::ffff:84.244.10.218: 8 Time(s)

 ---------------------- SSHD End -------------------------

You can test this by manually running logwatch and sending the output to a file (I think logwatch --range today --save xxx)
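The same parse the Perl filter performs, as an added Python example (not from the original post): it counts bans per address and service from constructed bfd_log lines and, because sshd reports IPv4 peers as ::ffff:-mapped addresses as in the report above while BFD logs the bare IPv4, normalises them so each ban can be matched to the sshd failures that triggered it. The bfd_log line layout and the sample lines are assumptions modelled on the filter's regex.

```python
import re
from collections import Counter
# Constructed sample lines; the bfd_log layout is an assumption modelled on the
# regex in the logwatch filter above, not copied from a real BFD installation.
BFD_LOG = """\
Jan 10 04:02:01 server bfd(2231): {bfd.sshd} executing apf -d 211.100.33.230 {bfd.sshd}
Jan 10 05:17:32 server bfd(2398): {bfd.sshd} executing apf -d 84.244.10.218 {bfd.sshd}
Jan 10 05:18:40 server bfd(2411): {bfd.sshd} executing apf -d 211.100.33.230 {bfd.sshd}
Jan 10 06:00:00 server bfd(2500): {bfd.sshd} unexpected line with no ban command
"""
SSHD_LOG = """\
Jan 10 04:01:55 server sshd[3001]: Failed password for invalid user admin from ::ffff:211.100.33.230 port 40122 ssh2
Jan 10 05:17:30 server sshd[3105]: Failed password for root from ::ffff:84.244.10.218 port 51033 ssh2
Jan 10 05:17:31 server sshd[3106]: Failed password for root from ::ffff:84.244.10.218 port 51034 ssh2
"""
# Same captures as the Perl filter: the address after "apf -d" and the {service} tag
BAN_RE = re.compile(r".*apf -d (\S+).*\{([^}]+)\}")
# Accepts the "illegal user" and "invalid user" spellings as well as plain "for root"
FAIL_RE = re.compile(r"Failed (\S+) for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port (\d+)")

def normalize_ip(addr):
    """sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); BFD logs the bare IPv4."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr

def parse_bans(text):
    """Return ({(ip, service): bans}, [unmatched lines]), as the Perl filter does."""
    bans, unmatched = Counter(), []
    for line in text.splitlines():
        m = BAN_RE.search(line)
        if m:
            bans[(m.group(1), m.group(2))] += 1
        else:
            unmatched.append(line)  # shows up under "**Unmatched Entries**" in logwatch
    return bans, unmatched

def failed_logins_by_ip(text):
    """Count sshd failed logins per normalised source address."""
    counts = Counter()
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[normalize_ip(m.group(3))] += 1
    return counts

def correlate(bfd_text, sshd_text):
    """Map each banned IP to (service, ban count, sshd failures seen from it)."""
    bans, _ = parse_bans(bfd_text)
    fails = failed_logins_by_ip(sshd_text)
    return {ip: (svc, n, fails.get(ip, 0)) for (ip, svc), n in bans.items()}
```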