swatch log analyzer usage
ESGLinux
esggrupos at gmail.com
Mon May 10 16:54:43 UTC 2010
Hi All
I'm implementing the use of swatch to protect my server from brute force
attacks.
I have configured the config file this way:
watchfor /Aborted login/
mail=xxxx at xxxx.com,Subject=Possible under attack!!!
throttle threshold=5,delay=0:1:0,key=log
This way I receive an email when the string "Aborted login" appears in my log.
I have set up a threshold of 5 tries in 1 minute. But it does not work fine.
I always get 2 mails: one the first time the string appears, and one when
the threshold is reached.
May 10 18:45:06 servere dovecot: imap-login: Aborted login:
user=<x<emiliano.sutil at xeridia.com>xxxx>,
method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured (threshold
5 exceeded)
I only want to receive the second one, because it is the mail that can be
considered an attack (the first one can be a simple failure).
So, does anyone know how to configure swatch this way?
By the way, is there any other tool to do what I want? I don't mind
changing (perhaps RHEL has a package that does the same....).
Thanks in advance,
ESG
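The behaviour asked for above (alert only when the fifth aborted login from one address arrives within a minute, and never on the first one), written as a small Python detector run over constructed dovecot log lines. This is an added example, not swatch and not part of the original post; the sample lines, the year used to complete the syslog timestamps, and the choice to key on the rip= address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed dovecot/syslog sample (not from the post): five aborted logins from
# one address inside a minute, plus unrelated lines that must not trigger.
SAMPLE_LOG = """\
May 10 18:44:50 servere dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
May 10 18:44:52 servere dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=::ffff:10.0.0.7, lip=::ffff:127.0.0.1
May 10 18:45:01 servere dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
May 10 18:45:03 servere dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
May 10 18:45:04 servere dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
May 10 18:45:06 servere dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
May 10 18:47:30 servere dovecot: imap-login: Aborted login: user=<carol>, method=PLAIN, rip=::ffff:10.0.0.5, lip=::ffff:127.0.0.1, secured
"""

# Syslog timestamp (no year) followed by the dovecot "Aborted login" message; the
# remote address (rip=) is the key, so each client is counted separately (assumption).
ABORTED = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*Aborted login:.*\brip=([^,\s]+)")

def detect(lines, threshold=5, window_seconds=60, year=2010):
    """Return one alert per (address, burst) only when `threshold` aborted logins
    from the same address fall inside `window_seconds`; a lone failure stays silent."""
    recent = defaultdict(deque)   # rip -> timestamps of recent aborted logins
    alerts = []
    for line in lines:
        m = ABORTED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rip = m.group(2)
        q = recent[rip]
        q.append(ts)
        # Slide the window: discard failures older than window_seconds.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"when": ts, "rip": rip, "count": len(q)})
            q.clear()   # like swatch's throttle: do not re-alert on every further failure

    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['when']:%b %d %H:%M:%S} possible brute force from {a['rip']} "
              f"({a['count']} aborted logins within a minute)")
```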