<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello everyone,<br>
<br>
I have an issue with syslog-ng (detailed below) and I tend to
incline is related to syslog-ng, an I hope will find some answers
here.<br>
<br>
I set up a "solution" so that when someone fails to login to a ssh
linux server, I receive an email with info about that. The idea is
like this:<br>
Syslog-ng should look for any messages containing info about login
failures, and when it sees those messages, it should pass them to a
little script that emails them.<br>
<br>
Syslog-ng relevant config for that:<br>
filter f_ssh {program (sshd) and match("Failed password"
value("MESSAGE")); };<br>
destination d_sshalert { program("/home/cosmin/sshalert.sh"); };
#this is the script that is
sendind the emails<br>
destination d_sshfile { file("/home/cosmin/LOGS/sshdfailed.log"); };<br>
log { source(s_src); filter(f_ssh); destination(d_sshfile);};<br>
#log { source(s_src); filter(f_ssh); destination(d_sshalert);
flags(final); };<br>
log { source(s_src); filter(f_ssh); destination(d_sshalert);};<br>
<br>
And the script that is sending the emails:<br>
cosmin@srv:~$ cat sshalert.sh<br>
#!/bin/bash<br>
email=<a class="moz-txt-link-rfc2396E" href="mailto:someone@gmail.com">"someone@gmail.com"</a><br>
while read event;<br>
do<br>
echo -e "Subject:*** SSH failed attempt on domain.ro ***\nFrom:SSH
Watcher <a class="moz-txt-link-rfc2396E" href="mailto:admin@domain.ro"><admin@domain.ro></a>\<a class="moz-txt-link-abbreviated" href="mailto:nTo:someone@gmail.com\n\n#######">nTo:someone@gmail.com\n\n#######</a>
WARNING #######\n\nA failed SSH attempt has been
logged:\n${event}\n\n*** Required actions***\n1. Check ip owner and
location:\nEx: #curl ipinfo.io/X.Y.Z.T\n2. Ban the source IP address
in iptables.rules\n***********************\n\nFor any questions
contact: <a class="moz-txt-link-abbreviated" href="mailto:admin@domain.ro\nHave">admin@domain.ro\nHave</a> a nice day\n" | /usr/sbin/sendmail -f
<a class="moz-txt-link-abbreviated" href="mailto:admin@domain.ro">admin@domain.ro</a> ${email}<br>
done<br>
<br>
Everything is working as expected, I receive mails like this when
failed attempts exists:<br>
<pre wrap="">####### WARNING #######
A failed SSH attempt has been logged:
<b>Aug 6 15:49:47 srv sshd[18236]: Failed password for someone from 173.XX.220.XX port 59004 ssh2</b>
*** Required actions***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************
For any questions contact: <a class="moz-txt-link-abbreviated" href="mailto:admin@alexinfo.ro">admin@domain.ro</a>
Have a nice day</pre>
<br>
Please not that the log inserted is the right one: Aug 6 15:49:47
srv sshd[18236]: Failed password for someone from 173.XX.220.XX port
59004 ssh2<br>
My problem is that form time to time (did not manage to discover a
time pattern), I also receive some strange mails like the following:<br>
<pre wrap="">####### WARNING #######
A failed SSH attempt has been logged:
<b>Aug 6 16:09:47 srv -- MARK --</b>
*** Required actions***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************
For any questions contact: <a class="moz-txt-link-abbreviated" href="mailto:admin@alexinfo.ro">admin@domain.ro</a>
Have a nice day</pre>
<br>
As you can see, the log inserted in the mail is strange: <b>Aug 6
16:09:47 srv -- MARK --</b>. I assume that somehow, syslog-ng is
the one that is sending this log to my script which is why I
configured another destination to a local file to test my hypothesis
(d_sshfile) but the message is not inserted in that local file<br>
<br>
Now, my question for you is: is there a way to determine if
syslog-ng is the one responsible for sending that strange message
and why? Am I doing something wrong with syslog-ng config (maybe the
filter is not right?) <br>
Any help would be appreciated. Thanks<br>
<br>
<pre class="moz-signature" cols="72">--
Best Regards
Cosmin Neagu</pre>
</body>
</html>