LinuxSoft


Logcheck: Japanese notes

What is Logcheck?

Logcheck is a tool that watches the log files written by syslog, such as /var/log/messages and /var/log/secure, and reports anything that looks like a problem. A comparable tool is LogWatch?. LogWatch? produces a summary sorted by level that is easy to read; Logcheck, by contrast, sorts each new log line into a few categories (active attacks, security violations, and unusual events that match no ignore pattern) and mails only those lines. For an administrator who wants to act on problems rather than read summaries, it is probably the handier of the two.

Logcheck itself only reports; it does not judge or block anything. It comes from the same project as PortSentry (the sentry tools) and is designed to work alongside it: PortSentry blocks a host that probes a port and logs the event, and Logcheck picks that log entry up and mails it. If you are already running PortSentry, it makes sense to set the two up together.

Once the program is installed, the recommended setup is to register it in cron and run it at regular intervals. Unlike LogWatch? or Snort it is a very small tool, but for someone operating a network or servers, a frequent report that says whether anything abnormal has appeared is often worth more than a once-a-day digest. My own recommendation*1 is the combination Logcheck + PortSentry.

Common Public License, GNU General Public License (GPL)

Logcheck is released under the GPL, so it can be used free of charge, and redistribution is permitted under the licence terms.

Installing Logcheck

The installation below was done on Red Hat Linux 7.3. Other Red Hat based distributions should be set up the same way.

First fetch and unpack the source and change into the source directory:

$ cd /usr/local/src
$ wget http://jaist.dl.sourceforge.net/sourceforge/sentrytools/logcheck-1.1.1.tar.gz
$ tar xfz logcheck-1.1.1.tar.gz
$ cd logcheck-1.1.1
# make linux      <- run as root

That completes the installation: `make linux` places the logtail binary in /usr/local/bin and the logcheck.sh script together with its keyword files (logcheck.hacking, logcheck.violations, logcheck.violations.ignore, logcheck.ignore) in /usr/local/etc.

Next edit the script to set the address the reports are mailed to:

# vi /usr/local/etc/logcheck.sh

Line 42 (in version 1.1.1) is where the recipient is set; the default is root:

# Person to send log activity to.
SYSADMIN=root

You can also set an explicit mail address, for example:

SYSADMIN=zem@pocketstudio.jp

Next, check where the script expects the log files to be. Look at line 168:

# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

On Red Hat these paths are correct as they are (the comment mentions Red Hat 3.x/4.x, but 7.3 still uses the same files). If you have moved your logs, or want to watch another file, add a line of the same form with $LOGTAIL and it will be included in the check. Note that logtail writes a <logfile>.offset file next to each log it reads, so the script has to run as a user that can write to /var/log, i.e. root. With the default setup nothing needs to be changed here.

Now a test run. Execute the script as root:

# /usr/local/etc/logcheck.sh

If the run prints nothing to the terminal, it worked (the report itself goes out by mail, only errors are printed). Next, check that files named *.offset*2 have been created under /var/log:

$ ls -al /var/log/*.offset
-rw-------    1 root     root           11 Jul 25 17:39 /var/log/maillog.offset
-rw-------    1 root     root           13 Jul 25 17:39 /var/log/messages.offset
-rw-------    1 root     root           11 Jul 25 17:39 /var/log/secure.offset

The offset files exist, so the run was successful. If they had not been created, the log paths in logcheck.sh are probably wrong. Expect the very first mail to be large: with no offset file yet, logtail reads each log from the beginning, and every later run reports only the lines appended since the previous one.

Running the script also sends a mail report.

When only routine entries were found, the subject looks like this:

Subject: nsx.pocketstudio.jp 07/25/05:17.31 system check

That is, a subject saying simply that a system check was carried out.

If a log line matches the attack keyword list (logcheck.hacking), the subject changes to

Subject: nsx.pocketstudio.jp 07/25/05:17.41 ACTIVE SYSTEM ATTACK!

and the body flags the matching entries as an attack. In the example below PortSentry had logged a probe of TCP port 111 and its own blocking actions:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Connect from host: sv.pocketstudio.jp/210.239.46.254 to TCP port: 111
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Host 210.239.46.254 has been blocked via wrappers with string: "ALL: 210.239.46.254"
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Host 210.239.46.254 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 210.239.46.254 -j DROP"
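The two checks above, the *.offset files and the choice between a "system check" and an "ACTIVE SYSTEM ATTACK!" report, are easier to understand with the algorithm in front of you. The script below is an added example, not code from Logcheck or from this page: it re-implements in a few lines what logtail and logcheck.sh 1.1.1 do (read only the bytes appended since the last run, then grep the new lines against the hacking, violations, violations.ignore and ignore lists, in that order), and runs it against constructed log lines in a temporary directory so it works offline. The keyword lists, log lines and host name are made up for the demonstration; only the structure mirrors Logcheck.

```shell
#!/bin/sh
# Added example (not Logcheck's own code): a pocket-sized re-implementation of
# logtail + logcheck.sh 1.1.1 run over constructed log lines. Everything under
# $WORK, the keyword lists and HOST are made up for the demo.
set -u

WORK=$(mktemp -d)
LOG="$WORK/messages"                      # stand-in for /var/log/messages
HACKING="$WORK/logcheck.hacking"          # attack keywords
VIOLATIONS="$WORK/logcheck.violations"    # security-violation keywords
VIOL_IGNORE="$WORK/logcheck.violations.ignore"
IGNORE="$WORK/logcheck.ignore"            # routine lines to drop entirely
HOST=nsx.example                          # constructed; logcheck.sh uses `hostname`

# Constructed keyword files; the real ones shipped with Logcheck are much longer.
printf '%s\n' 'attackalert' > "$HACKING"
printf '%s\n' 'denied' 'refused' 'FAILED' > "$VIOLATIONS"
printf '%s\n' 'named.*denied' > "$VIOL_IGNORE"      # a noisy violation to discard
printf '%s\n' 'CROND.*CMD' 'syslogd.*restart' > "$IGNORE"

# logtail: print only the bytes appended since the last run. The read position
# is kept in <log>.offset (the files checked above). If the log is now shorter
# than the saved offset it has been rotated or truncated, so start from the top.
logtail() {
    log=$1; off="$log.offset"; last=0
    size=$(wc -c < "$log" | tr -d ' ')
    [ -f "$off" ] && last=$(cat "$off")
    [ "$last" -gt "$size" ] && last=0
    tail -c +$((last + 1)) "$log"
    echo "$size" > "$off"
}

# classify: new log lines on stdin. Writes the three report sections to stdout
# and returns 1 if anything matched the hacking list, otherwise 0.
classify() {
    chk="$WORK/check.$$"; cat > "$chk"; attack=0
    if grep -i -f "$HACKING" "$chk" > "$chk.out"; then
        attack=1; printf 'Active System Attack Alerts\n=-=-=-=-=-=\n'; cat "$chk.out"; echo
    fi
    if grep -i -f "$VIOLATIONS" "$chk" | grep -v -f "$VIOL_IGNORE" > "$chk.out"; then
        printf 'Security Violations\n=-=-=-=-=-=\n'; cat "$chk.out"; echo
    fi
    if grep -v -f "$IGNORE" "$chk" > "$chk.out"; then
        printf 'Unusual System Events\n=-=-=-=-=-=\n'; cat "$chk.out"; echo
    fi
    rm -f "$chk" "$chk.out"
    return $attack
}

# run_once: one Logcheck pass. Prints the mail subject logcheck.sh would have
# used (same shape as the two Subject: lines above) followed by the report body.
run_once() {
    logtail "$LOG" | classify > "$WORK/report" && status=0 || status=$?
    if [ "$status" -ne 0 ]; then
        echo "Subject: $HOST $(date +%m/%d/%y:%H.%M) ACTIVE SYSTEM ATTACK!"
    else
        echo "Subject: $HOST $(date +%m/%d/%y:%H.%M) system check"
    fi
    cat "$WORK/report"
}

# Pass 1 (constructed lines): routine cron noise, an ignorable named message and
# one sshd failure -> "system check" with a Security Violations section.
cat > "$LOG" <<'EOF'
Jul 24 21:10:01 nsx CROND[2001]: (root) CMD (run-parts /etc/cron.hourly)
Jul 24 21:12:44 nsx named[812]: client 192.0.2.9#53: query denied
Jul 24 21:15:02 nsx sshd[2100]: Failed password for invalid user admin from 192.0.2.10 port 40000 ssh2
EOF
run_once

# Pass 2: only the newly appended line is read, and it trips the hacking list.
cat >> "$LOG" <<'EOF'
Jul 24 21:20:27 nsx portsentry[25316]: attackalert: Connect from host: 192.0.2.10 to TCP port: 111
EOF
run_once
```

Two things worth noticing when you run it: the named line is dropped from Security Violations by the violations.ignore pattern but still appears under Unusual System Events, exactly as in a real Logcheck report, because the ignore list is applied independently to the whole batch; and after a log rotation the saved offset is larger than the new file, so the next pass falls back to reading from byte 0 rather than silently skipping the fresh file.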

Finally, arrange for the script to run automatically from cron:

# vi /etc/crontab

Add a line like the following to /etc/crontab to run the check once an hour. Note the user field (root) between the time fields and the command, which /etc/crontab requires, and do not put a # in front of the line, since that would turn it into a comment and the job would never run:

00 * * * * root /bin/sh /usr/local/etc/logcheck.sh > /dev/null 2>&1

If once a day is enough, run it at midnight instead:

00 00 * * * root /bin/sh /usr/local/etc/logcheck.sh > /dev/null 2>&1

Restart crond so that the change takes effect:

# /sbin/service crond restart
Stopping crond:                                            [  OK  ]
Starting crond:                                            [  OK  ]

For details of the configuration files and of how Logcheck works, see the following documentation:

Logcheck Japanese documentation


*1 A personal recommendation.
*2 The position up to which logtail has already read each log, stored as <logfile>.offset beside the log.

Last-modified: Sun, 17 Dec 2006 12:23:55 JST