Logwatch is a tool for monitoring your system's log files. It requires a working mail server on your network so that it can email the logs to you. If you want to change the .conf file, open /usr/share/logwatch/default.conf/logwatch.conf and look for the line that reads MailTo. Change user.name.domain.tld to your email address.
# apt-get install logwatch
Let's set up a line to email the logwatch report.
# nano /etc/cron.daily/00logwatch
#!/bin/bash
#Check if removed-but-not-purged
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
#execute
# /usr/sbin/logwatch --output mail
#Note: It's possible to force the recipient in above command
#Just pass --mailto address@a.com instead of --output mail
/usr/sbin/logwatch --mailto jurandir@juralinux.com.br
#---[ end: 00logwatch ]-------------------------------------------------
ctrl + x + y + enter (to save and exit the file)
Another way: from the terminal we can send a test report with the command below:
# logwatch --mailto jurandir@juralinux.com.br
Configuration files for the services that appear in the logwatch report:
# cd /usr/share/logwatch/default.conf/services
# ls -lh
total 384K
-rw-r--r-- 1 root root 731 2005-06-08 09:19 afpd.conf
-rw-r--r-- 1 root root 2.7K 2009-09-06 07:46 amavis.conf
-rw-r--r-- 1 root root 744 2005-02-24 12:05 arpwatch.conf
-rw-r--r-- 1 root root 1.2K 2009-09-06 07:46 audit.conf
-rw-r--r-- 1 root root 1.1K 2005-02-24 12:05 automount.conf
-rw-r--r-- 1 root root 923 2005-02-24 12:05 autorpm.conf
-rw-r--r-- 1 root root 528 2007-08-27 20:41 barracuda.conf
-rw-r--r-- 1 root root 499 2007-04-15 15:48 bfd.conf
-rw-r--r-- 1 root root 918 2005-02-24 12:05 cisco.conf
-rw-r--r-- 1 root root 453 2009-09-06 07:46 clamav.conf
-rw-r--r-- 1 root root 571 2009-09-06 07:46 clamav-milter.conf
-rw-r--r-- 1 root root 1.9K 2005-11-01 05:05 clam-update.conf
-rw-r--r-- 1 root root 1.8K 2005-04-23 07:34 courier.conf
-rw-r--r-- 1 root root 914 2005-02-24 12:05 cron.conf
-rw-r--r-- 1 root root 481 2006-11-12 13:32 denyhosts.conf
-rw-r--r-- 1 root root 1010 2005-02-24 12:05 dhcpd.conf
-rw-r--r-- 1 root root 2.7K 2005-10-19 01:57 dnssec.conf
-rw-r--r-- 1 root root 1.5K 2011-11-02 19:08 dovecot.conf
-rw-r--r-- 1 root root 831 2006-12-14 23:39 dpkg.conf
-rw-r--r-- 1 root root 694 2005-02-24 12:06 emerge.conf
-rw-r--r-- 1 root root 1.1K 2007-04-28 18:50 evtapplication.conf
-rw-r--r-- 1 root root 1.1K 2007-04-28 18:50 evtsecurity.conf
-rw-r--r-- 1 root root 1.1K 2007-04-28 18:50 evtsystem.conf
-rw-r--r-- 1 root root 1005 2005-02-24 12:05 exim.conf
-rw-r--r-- 1 root root 1.2K 2006-02-22 14:23 eximstats.conf
-rw-r--r-- 1 root root 951 2005-02-24 12:05 extreme-networks.conf
-rw-r--r-- 1 root root 831 2006-05-30 15:04 fail2ban.conf
-rw-r--r-- 1 root root 1.1K 2005-02-24 12:05 ftpd-messages.conf
-rw-r--r-- 1 root root 1017 2005-02-24 12:05 ftpd-xferlog.conf
-rw-r--r-- 1 root root 2.7K 2009-09-06 07:46 http.conf
-rw-r--r-- 1 root root 1003 2005-02-24 12:05 identd.conf
-rw-r--r-- 1 root root 906 2006-03-30 02:42 imapd.conf
-rw-r--r-- 1 root root 1006 2005-02-24 12:05 init.conf
-rw-r--r-- 1 root root 1.1K 2005-02-24 12:05 in.qpopper.conf
-rw-r--r-- 1 root root 899 2005-02-24 12:05 ipop3d.conf
-rw-r--r-- 1 root root 1.5K 2009-09-06 07:46 iptables.conf
-rw-r--r-- 1 root root 1.1K 2006-03-30 02:42 kernel.conf
-rw-r--r-- 1 root root 1.1K 2006-03-30 02:42 mailscanner.conf
-rw-r--r-- 1 root root 1023 2005-02-24 12:05 modprobe.conf
-rw-r--r-- 1 root root 1014 2005-02-24 12:05 mountd.conf
-rw-r--r-- 1 root root 1.3K 2011-11-02 19:07 named.conf
-rw-r--r-- 1 root root 923 2005-02-24 12:06 netopia.conf
-rw-r--r-- 1 root root 930 2005-02-24 12:05 netscreen.conf
-rw-r--r-- 1 root root 744 2005-02-24 12:05 oidentd.conf
-rw-r--r-- 1 root root 749 2005-02-24 12:05 openvpn.conf
-rw-r--r-- 1 root root 1002 2005-02-24 12:05 pam.conf
-rw-r--r-- 1 root root 1023 2005-02-24 12:05 pam_pwdb.conf
-rw-r--r-- 1 root root 943 2005-02-24 12:05 pam_unix.conf
-rw-r--r-- 1 root root 881 2006-11-12 13:28 php.conf
-rw-r--r-- 1 root root 469 2006-12-19 23:37 pix.conf
-rw-r--r-- 1 root root 351 2005-02-24 12:05 pluto.conf
-rw-r--r-- 1 root root 933 2005-02-24 12:05 pop3.conf
-rw-r--r-- 1 root root 1.1K 2005-02-24 12:05 portsentry.conf
-rw-r--r-- 1 root root 11K 2011-11-02 19:09 postfix.conf
-rw-r--r-- 1 root root 1.1K 2005-06-08 09:19 pound.conf
-rw-r--r-- 1 root root 1.2K 2009-09-06 07:46 proftpd-messages.conf
-rw-r--r-- 1 root root 1017 2005-02-24 12:05 pureftpd.conf
-rw-r--r-- 1 root root 1.9K 2005-02-24 12:05 qmail.conf
-rw-r--r-- 1 root root 1.9K 2005-09-06 20:37 qmail-pop3d.conf
-rw-r--r-- 1 root root 1.9K 2005-09-06 20:37 qmail-pop3ds.conf
-rw-r--r-- 1 root root 2.1K 2005-09-06 20:37 qmail-send.conf
-rw-r--r-- 1 root root 3.9K 2009-09-06 07:46 qmail-smtpd.conf
-rw-r--r-- 1 root root 170 2005-06-08 09:19 raid.conf
-rw-r--r-- 1 root root 2.7K 2005-10-19 01:57 resolver.conf
-rw-r--r-- 1 root root 277 2005-02-24 12:05 rt314.conf
-rw-r--r-- 1 root root 917 2005-02-24 12:05 samba.conf
-rw-r--r-- 1 root root 978 2005-02-24 12:05 saslauthd.conf
-rw-r--r-- 1 root root 1.1K 2005-05-21 19:11 scsi.conf
-rw-r--r-- 1 root root 1.6K 2009-09-06 07:46 secure.conf
-rw-r--r-- 1 root root 6.6K 2006-03-30 02:42 sendmail.conf
-rw-r--r-- 1 root root 1.4K 2006-03-30 02:42 sendmail-largeboxes.conf
-rw-r--r-- 1 root root 746 2005-02-24 12:05 shaperd.conf
-rw-r--r-- 1 root root 1.3K 2005-11-01 05:05 slon.conf
-rw-r--r-- 1 root root 738 2005-02-24 12:05 smartd.conf
-rw-r--r-- 1 root root 1000 2006-03-30 02:42 sonicwall.conf
-rw-r--r-- 1 root root 278 2008-05-11 18:00 spamassassin.conf
-rw-r--r-- 1 root root 1010 2005-02-24 12:05 sshd2.conf
-rw-r--r-- 1 root root 1.9K 2009-09-06 07:46 sshd.conf
-rw-r--r-- 1 root root 683 2005-02-24 12:05 stunnel.conf
-rw-r--r-- 1 root root 1.2K 2009-09-06 07:46 sudo.conf
-rw-r--r-- 1 root root 1019 2005-02-24 12:05 syslogd.conf
-rw-r--r-- 1 root root 619 2005-02-24 12:05 tac_acc.conf
-rw-r--r-- 1 root root 931 2005-02-24 12:05 up2date.conf
-rw-r--r-- 1 root root 810 2005-02-24 12:05 vpopmail.conf
-rw-r--r-- 1 root root 757 2005-02-24 12:05 vsftpd.conf
-rw-r--r-- 1 root root 1.2K 2006-03-22 12:46 windows.conf
-rw-r--r-- 1 root root 1.1K 2005-02-24 12:05 xntpd.conf
-rw-r--r-- 1 root root 87 2005-02-24 12:05 yum.conf
-rw-r--r-- 1 root root 1.8K 2009-09-06 07:46 zz-disk_space.conf
-rw-r--r-- 1 root root 983 2005-02-24 12:05 zz-fortune.conf
-rw-r--r-- 1 root root 1.2K 2006-03-30 02:42 zz-network.conf
-rw-r--r-- 1 root root 738 2007-04-28 19:47 zz-runtime.conf
-rw-r--r-- 1 root root 1006 2006-02-19 18:12 zz-sys.conf
Every day at 23:00 a logwatch report will be sent to the configured email address.
# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
00 23 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
00 23 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
00 00 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
Monitoring "bind - dns" (logwatch)
# nano /usr/share/logwatch/default.conf/services/named.conf
#---[ begin: named.conf ]------------------------------------------------
#########################################
# $Id: named.conf,v 1.10 2005/02/24 17:05:20 kirk Exp $
#########################################
# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
Title = "Named"
# Which logfile group...
#--- comment out the line below ----------------
# LogFile = messages
# The change below is used to list the logs in the logwatch report
LogFile = bind9-query.log
#-----------------------------------------
# Whether or not to lookup the IPs into hostnames...
# Setting this to Yes will significantly increase runtime
$named_ip_lookup = No
# Only give lines pertaining to the named service...
*OnlyService = named
*RemoveHeaders
# vi: shiftwidth=3 tabstop=3 et
#---[ end: named.conf ]-------------------------------------------------------
ctrl + x + y + enter (to save and exit the file)
Monitoring "email authentication" (logwatch)
We will need to change one line in the mail program's configuration file in order to monitor login attempts (attacks).
# nano /etc/dovecot/dovecot.conf
#---[ begin: dovecot.conf ]-----------------------------------------------
protocols = pop3 imap
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/mail/%d/%n/Maildir
disable_plaintext_auth = no
mail_debug = yes
# The option below must be set to "yes" to record login attempts
auth_debug = yes
:
The rest of the file continues ...
:
:
ctrl + x + y + enter (to save and exit the file)
Viewing the IPs that tried, or are still trying, to attack our server.
# grep SSH /var/log/syslog | awk '{print $11}' | cut -d'=' -f2 | sort | uniq -c
2 103.3.78.2
1625 187.55.194.32 ( this IP tried to attack 1,625 times !!! )
1 61.147.103.174
72 72.46.159.205
1 82.207.130.163
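The pipeline above picks the source address out of the kernel "SSH" LOG lines by its position ($11), which breaks as soon as a field such as MAC= is missing. The added example below (not part of the original post) generalizes it to select the field by name, so the same function counts sources from iptables LOG lines (SRC=) and from the Dovecot login-failure lines that auth_debug records (rip=), and flags the noisy ones; the sample log lines are constructed, with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: count source IPs by a named
# key=value field instead of the positional $11 used in the post's pipeline.

# count_by_field KEY < loglines
# Prints "COUNT IP" per source, most frequent first.
count_by_field() {
    key="$1"
    awk -v key="$key" '
        {
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)          # Dovecot writes "rip=1.2.3.4,"
                n = index(f, "=")
                if (n > 0 && substr(f, 1, n - 1) == key && substr(f, n + 1) != "")
                    print substr(f, n + 1)
            }
        }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# flag_above THRESHOLD KEY < loglines
# Prints only the sources whose count exceeds THRESHOLD.
flag_above() {
    threshold="$1"; key="$2"
    count_by_field "$key" | awk -v t="$threshold" '$1 > t'
}

# Constructed sample lines (not real log data): iptables LOG rule with
# prefix "SSH", and Dovecot imap-login failures written with auth_debug.
SAMPLE_KERNEL='Nov  2 23:30:01 mail kernel: [100.1] SSH IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=22
Nov  2 23:30:02 mail kernel: [100.2] SSH IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=22
Nov  2 23:30:03 mail kernel: [100.3] SSH IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=22'

SAMPLE_DOVECOT='Nov  2 23:31:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Nov  2 23:31:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Nov  2 23:31:03 mail dovecot: imap-login: Login: user=<jurandir>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS'

# Usage: reproduce the post's count for the kernel SSH lines, then flag
# Dovecot sources with more than one failed login.
printf '%s\n' "$SAMPLE_KERNEL" | grep ' SSH ' | count_by_field SRC
printf '%s\n' "$SAMPLE_DOVECOT" | grep 'auth failed' | flag_above 1 rip
```

Note that the second kernel line has no MAC= field, so the post's $11 would have picked DST= there, while the named lookup still returns the SRC address.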
----------------------------------------------------------------------------
Example of a logwatch report.
########## Logwatch 7.3.6 (05/19/07) ############
Processing Initiated: Wed Nov 2 23:30:03 2011
Date Range Processed: yesterday
( 2011-Nov-01 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: mail
#######################################
--------------------- Amavisd-new Begin ------------------------
172 messages checked and passed.
---------------------- Amavisd-new End -------------------------
--------------------- clam-update Begin ------------------------
Last ClamAV update process started at Tue Nov 1 23:01:33 2011
Last Status:
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 13878, sigs: 21345, f-level: 60, builder: ccordes)
bytecode.cld is up to date (version: 152, sigs: 38, f-level: 60, builder: edwin)
Received signal: wake up
---------------------- clam-update End -------------------------
--------------------- httpd Begin --------------------------------
Requests with error response codes
404 Not Found
/din.aspx?s=00000000&id=0&client=DynGate&p=10000001: 1 Time(s)
---------------------- httpd End ---------------------------
--------------------- Named Begin ------------------------
Received control channel commands
reconfig: 98 Time(s)
**Unmatched Entries**
DNS format error from 207.19.96.22#53 resolving crl.entrust.net/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 208.16.208.26#53 resolving crl.entrust.net/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 74.86.246.249#53 resolving static.avast.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 74.86.246.249#53 resolving www.avast.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 77.72.113.10#53 resolving bbc01.sitestat.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 91.213.143.84#53 resolving static.avast.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 91.213.143.84#53 resolving www.avast.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 91.213.143.85#53 resolving static.avast.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
DNS format error from 91.213.143.85#53 resolving www.avast.com/AAAA for client 127.0.0.1 invalid response: 1 Time(s)
any newly configured zones are now loaded: 98 Time(s)
reading built-in trusted keys from file '/etc/bind/bind.keys': 98 Time(s)
success resolving './NS' (in '.'?) after disabling EDNS: 1 Time(s)
success resolving '114.1.168.192.in-addr.arpa/PTR' (in '168.192.in-addr.arpa'?) after disabling EDNS: 1 Time(s)
success resolving '254.1.168.192.in-addr.arpa/PTR' (in '168.192.in-addr.arpa'?) after disabling EDNS: 1 Time(s)
success resolving '30.1.168.192.in-addr.arpa/PTR' (in '168.192.in-addr.arpa'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'a1015.d.akamai.net/A' (in 'd.akamai.net'?) after disabling EDNS: 1 Time(s)
success resolving 'ac-sa.quantserve.com.akadns.net/AAAA' (in 'akadns.net'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'current.cvd.clamav.net/TXT' (in 'clamav.net'?) after disabling EDNS: 1 Time(s)
success resolving 'dynupdate.no-ip.com/A' (in 'no-ip.com'?) after reducing
'gateway.messenger.hotmail.sn1.nc.messenger.msn.com.nsatc.net/A' (in 'nsatc.net'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'ha2.filestube.com/A' (in 'filestube.com'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'lb1.www.ms.akadns.net/AAAA' (in 'akadns.net'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'my.co1.cb3.glbdns.microsoft.com/A' (in 'glbdns.microsoft.com'?) after disabling EDNS: 1 Time(s)
success resolving 'newncsi.glbdns.microsoft.com/A' (in 'glbdns.microsoft.com'?) after disabling EDNS: 1 Time(s)
success resolving 'ns.montezuma.spb.ru/A' (in 'montezuma.spb.ru'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'ns.second-ns.com/A' (in 'second-ns.com'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'ns21.x2-network.com/A' (in 'x2-network.com'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'ns22.x2-network.com/A' (in 'x2-network.com'?) after
success resolving 'secure.base.wlxrs.com.akadns.net/A' (in 'akadns.net'?) after reducing the advertised EDNS UDP packet size to 512 octets: 1 Time(s)
success resolving 'www.brasildowns.com.br/A' (in 'brasildowns.com.br'?) after disabling EDNS: 1 Time(s)
the working directory is not writable: 98 Time(s)
using default UDP/IPv4 port range: [1024, 65535]: 98 Time(s)
using default UDP/IPv6 port range: [1024, 65535]: 98 Time(s)
---------------------- Named End -------------------------
--------------------- pam_unix Begin ---------------------
proftpd:
Unknown Entries:
session closed for user jurandir: 5 Time(s)
session opened for user jurandir by (uid=0): 5 Time(s)
sshd:
Authentication Failures:
root (182.18.4.85): 14 Time(s)
unknown (182.18.4.85): 8 Time(s)
backup (182.18.4.85): 1 Time(s)
root (187.5.148.47): 1 Time(s)
Invalid Users:
Unknown Account: 8 Time(s)
su:
Sessions Opened:
root -> root: 6 Time(s)
root -> amavis: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- proftpd-messages Begin ------------------------
**Unmatched Entries**
pam_unix(proftpd:session): session opened for user jurandir by (uid=0)
pam_unix(proftpd:session): session opened for user jurandir by (uid=0)
pam_unix(proftpd:session): session closed for user jurandir
pam_unix(proftpd:session): session opened for user jurandir by (uid=0)
pam_unix(proftpd:session): session opened for user jurandir by (uid=0)
pam_unix(proftpd:session): session closed for user jurandir
pam_unix(proftpd:session): session closed for user jurandir
pam_unix(proftpd:session): session closed for user jurandir
pam_unix(proftpd:session): session opened for user jurandir by (uid=0)
pam_unix(proftpd:session): session closed for user jurandir
---------------------- proftpd-messages End -------------------------
--------------------- SSHD Begin ------------------------
Illegal users from:
182.18.4.85: 24 times
187.5.148.47: 2 times
192.168.1.100: 3 times
192.168.1.123: 1 time
Login attempted when not in AllowUsers list:
backup : 1 Time(s)
root : 19 Time(s)
Users logging in through sshd:
ewb:
192.168.1.100: 3 times
187.5.148.47: 2 times
192.168.1.123: 1 time
---------------------- SSHD End -------------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 111G 2.0G 103G 2% /
/dev/sda7 175G 20G 146G 13% /home
/dev/sda6 152G 3.2G 141G 3% /var
---------------------- Disk Space End -------------------------
########### Logwatch End ####################
------------------------------------------------------------------------------------------------------------------------
===[ Sharing Knowledge ]=== - Obrigado - Thank you - Danke - Merci - Grazie - Gracias - arigatou gozaimasu
“We make a living by what we get, but we make a life by what we give.” - Give and you will receive - just share :)
------------------------------------------------------------------------------------------------------------------------