/usr/share/logwatch/scripts/services の下に, サービス毎 (Postfix, sshd など) のログ処理スクリプトが格納されている.
このファイルをそのまま編集するのではなく, このファイルを /etc/logwatch/scripts/services にコピーして編集すると良いらしい. たとえば,
User root from xx.xx.xx.xx not allowed because not listed in AllowUsers : 3 time(s) reverse mapping checking getaddrinfo for example.com failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)というログが大量に報告されて鬱陶しい. この場合, 以下のようにする.
sudo cp -i /usr/share/logwatch/scripts/services/sshd /etc/logwatch/scripts/services/ sudoedit /etc/logwatch/scripts/services/sshd以下のように,
Ignore these に入る条件に追記する.
$ diff -u /usr/share/logwatch/scripts/services/sshd ./sshd
--- /usr/share/logwatch/scripts/services/sshd 2012-08-29 20:28:55.000000000 +0900
+++ ./sshd 2014-12-24 15:54:16.000000000 +0900
@@ -211,7 +211,9 @@
# failed login entry...
($ThisLine =~ /^input_userauth_request: (illegal|invalid) user (.*)$/ ) or
($ThisLine =~ m/^(Illegal|Invalid) user (.*) from ([^ ]+)/ ) or
- ($ThisLine =~ /pam_krb5: authentication succeeds for `([^ ]*)'/)
+ ($ThisLine =~ /pam_krb5: authentication succeeds for `([^ ]*)'/) or
+ ($ThisLine =~ /User .* from .* not allowed because not listed in AllowUsers/) or
+ ($ThisLine =~ /reverse mapping checking getaddrinfo for .* failed - POSSIBLE BREAK-IN ATTEMPT/)
) {
# Ignore these
} elsif ( my ($Method,$User,$Host,$Port) = ($ThisLine =~ /^Accepted (\S+) for (\S+) from ([\d\.:a-f]+) port (\d+)/) ) {
0 件のコメント:
コメントを投稿