swatch log analyzer usage

Stephen Gilbert linuxelf at gmail.com
Mon May 10 18:10:14 UTC 2010



I've been using fail2ban, and have been very happy with it.  It sounds
like it'll do exactly what you're looking for.

On 5/10/2010 12:54 PM, ESGLinux wrote:
> Hi All
> 
> I'm implementing the use of swatch to protect my server from brute force
> attacks.
> 
> I have configured the config file this way:
> 
> watchfor   /Aborted login/
>         mail=xxxx at xxxx.com,Subject=Possible under attack!!!
>         throttle threshold=5,delay=0:1:0,key=log
> 
> 
> This way I receive an email when the string Aborted login appears in my log.
> I have setup a threshold of 5 tries on 1 minute. But it does not work fine.
> 
> I always get 2 mails: one the first time the string appears, and one when
> the threshold is reached.
> 
> May 10 18:45:06 servere dovecot: imap-login: Aborted login:
> user=<x<emiliano.sutil at xeridia.com>xxxx>,
> method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured (threshold
> 5 exceeded)
> 
> I only want to receive the second one, because it is the mail that can be
> considered an attack (the first one can be a simple failure).
> 
> So, does anyone know how to configure swatch this way?
> 
> By the way, is there any other tool to do what I want? I don't mind
> changing (perhaps RHEL has a package that does the same....)
> 
> 
> Thanks in advance,
> 
> ESG

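The alerting behaviour ESG asks for (one mail when the fifth "Aborted login" in a minute arrives, nothing for the first one), written as an added Python example that is not part of this thread and is neither swatch nor fail2ban code: it keys failures by the remote IP in the dovecot `rip=` field and keeps a 60-second sliding window per IP. The hostname, users, IPs, timestamps and the fixed year used for parsing are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the dovecot line quoted in the thread. Syslog timestamps carry no
# year, so a constructed fixed year is assumed when parsing.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
                    r"Aborted login:.*?rip=(?P<rip>[^,\s]+)")
THRESHOLD = 5        # swatch "threshold=5"
WINDOW_SECONDS = 60  # swatch "delay=0:1:0"

def parse(line, year=2010):
    """Return (timestamp, remote_ip) for an 'Aborted login' line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["rip"]

def find_attacks(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window counter per source IP: one alert each time `threshold`
    failures fall inside `window` seconds, never one for the first failure."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, rip = parsed
        q = recent[rip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rip, ts.strftime("%b %d %H:%M:%S")))
            q.clear()  # report a burst once, then start counting again
    return alerts

def _line(ts, user, rip):
    """Constructed dovecot-style line in the same shape as the one in the thread."""
    return (f"{ts} servere dovecot: imap-login: Aborted login: user=<{user}>, "
            f"method=PLAIN, rip={rip}, lip=::ffff:127.0.0.1, secured")

# Constructed sample: one isolated failure from 10.0.0.5, an unrelated line,
# five failures from 10.0.0.9 within twelve seconds, then one more a minute later.
SAMPLE_LOG = [
    _line("May 10 18:40:00", "alice", "10.0.0.5"),
    "May 10 18:45:01 servere dovecot: imap-login: Login: user=<bob>, rip=10.0.0.7",
    *[_line(f"May 10 18:45:{s:02d}", "admin", "10.0.0.9") for s in (0, 3, 6, 9, 12)],
    _line("May 10 18:46:20", "admin", "10.0.0.9"),
]
```

Calling `find_attacks(SAMPLE_LOG)` yields a single alert for 10.0.0.9 at 18:45:12; the lone failure from 10.0.0.5 and the straggler at 18:46:20 produce nothing.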
More information about the redhat-list mailing list