Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I read the article ‘Watching your log files’ and have configured SWATCH on my syslog server. However, I am not getting any emails sent to me when I purposely type in a wrong password to connect via my ssh client.
At the bottom is my swatchrc file. Could my syntax be wrong? For example, instead of ‘mail addresses’ should it be ‘mail address’ or only ‘mail’? When I check my log files it tells me there was a failed login attempt, however, no email is sent to me. Once I created the swatchrc file I ran the command:
It tells me that swatch 3.0.4 has started…..although it doesn’t immediately go back to the root prompt. Is this normal? I have to press enter to get back to a root prompt….is that normal? I see the process running by typing ‘ps’ and then ‘ps –eaf’. When I type ‘exit’ at the root prompt to exit my ssh session it tells me that it is still connected and doesn’t log me out like it normally would, therefore, I force the disconnect by clicking on the X in the top right hand corner. Then when I log back in and type ‘ps’ I no longer see the processes of swatch and perl running. But when I type ‘ps –eaf’ I see the 2 processes running.
Sorry if this is confusing, if anyone needs clarification let me know. I am running SWATCH on redhat 7.2. I noticed that swatchrc file has slightly different syntax for UNIX and LINUX. Perhaps I am spelling something wrong or am missing an = sign or something? Does syslogd have to be restarted?
I appreciate your help.
SWATCHRC
# Bad login attempts
watchfor /failed/
echo bold
mail addresses=me@mycompany.com,subject=Failed Authentication
#Sniffing Attempts
watchfor /promiscuous/
echo bold
mail addresses=me@mycompany.com,subject=Someone is sniffing syslog server
# Kernel problems or system reboots
watchfor /panic|halt/
echo bold
mail addresses=me@mycompany.com,subject=System Panic, Halt or Reboot
I tried all of the above suggestions but to no avail. I still do not get directed to a root prompt after running the --daemon or nohup commands.
It may be that the additional perl modules which are needed are not installed properly. When I type rpm –q perl it comes back with perl 5.6.0 which is fine. However, I thought I had installed perl 5.8.0 but I must have done something wrong if it tells me that perl 5.6.0 is installed. This is not a big deal because SWATCH only requires perl 5 or greater. The reason I mention this is because I thought I also installed the additional 4 modules that SWATCH needs. But I have a hunch they to did not get installed. Can you tell me where exactly to install them (/usr/bin or /usr/bin/perl5.6.0)? Or does it matter? I installed these modules by running make, make test, make install. Is that correct? How can I verify that they are installed and the directory which they are installed in? I believe I did everything correct on the SWATCH end of things but I could be wrong. I have my swatchrc file in /var/log which should be fine I think. I also know I put a hidden swatchrc file right under root. This file is empty. Does this file also need to be the same as my swatchrc file in /var/log? Or do I need both of them? Could that be the problem?
This may sound silly -- but what flavor of linux are you using. When I fat-finger the login on my RH box, the log entry says "authentication failure" -- if yours does to, then it wouldn't pick up on "failed", as you have in the conf file you posted.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.