swatch log analyzer usage

ESGLinux esggrupos at gmail.com
Tue May 11 06:36:22 UTC 2010


Hi Stephen,

One question about fail2ban. Can you use fail2ban to only send an email
instead of banning the IP? (I don't want to ban the IPs, I just want to be
notified about them.)

Thanks,

ESG

2010/5/10 Stephen Gilbert <linuxelf at gmail.com>

>
> I've been using fail2ban, and have been very happy with it.  It sounds
> like it'll do exactly what you're looking for.
>
> On 5/10/2010 12:54 PM, ESGLinux wrote:
> > Hi All
> >
> > I'm implementing the use of swatch to protect my server from brute force
> > attacks.
> >
> > I have configured the config file this way:
> >
> > watchfor   /Aborted login/
> >         mail=xxxx at xxxx.com,Subject=Possible under attack!!!
> >         throttle threshold=5,delay=0:1:0,key=log
> >
> >
> > This way I receive an email when the string Aborted login appears in my log.
> > I have set up a threshold of 5 tries in 1 minute. But it does not work fine.
> >
> > I always get 2 mails: one the first time the string appears, and one when
> > the threshold is reached.
> >
> > May 10 18:45:06 servere dovecot: imap-login: Aborted login:
> > user=<x<emiliano.sutil at xeridia.com>xxxx>,
> > method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
> > (threshold 5 exceeded)
> >
> > I only want to receive the second one, because it is the mail that can be
> > considered an attack (the first one can be a simple failure).
> >
> > So, does anyone know how to configure swatch this way?
> >
> > By the way, is there any other tool to do what I want? I don't mind
> > changing (perhaps RHEL has a package that does the same...).
> >
> >
> > Thanks in advance,
> >
> > ESG
>
>
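The alerting behaviour asked about in the thread (no mail for a single "Aborted login", one mail when 5 occur within 1 minute), written out as an added Python example that is not part of the original messages and is not swatch or fail2ban code. The function names, the per-`rip` grouping and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp and remote IP (rip) of a dovecot "Aborted login" syslog line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdovecot: imap-login: Aborted login:"
    r".*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def find_bursts(lines, threshold=5, window=timedelta(minutes=1), year=2010):
    """Return (timestamp, rip, count) once per burst: the moment the number of
    'Aborted login' lines from one rip inside `window` first reaches `threshold`."""
    recent = defaultdict(deque)   # rip -> timestamps still inside the window
    alerted = set()               # rips whose current burst was already reported
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # not an aborted login, ignore
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rip = m["rip"]
        q = recent[rip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop attempts older than the window
        if len(q) < threshold:
            alerted.discard(rip)  # below threshold: stay quiet and re-arm
        elif rip not in alerted:
            alerted.add(rip)      # first crossing only, no repeat mails
            alerts.append((ts, rip, len(q)))
    return alerts

def sample_line(hms, rip):
    # Constructed log line in the format quoted in the thread (user is a placeholder).
    return (f"May 10 {hms} servere dovecot: imap-login: Aborted login: "
            f"user=<user1>, method=PLAIN, rip=::ffff:{rip}, "
            f"lip=::ffff:127.0.0.1, secured")

# Constructed sample: six failures from one address, a single one from another.
SAMPLE = [sample_line(t, "192.0.2.10") for t in
          ("18:45:06", "18:45:10", "18:45:15", "18:45:20", "18:45:25", "18:45:30")]
SAMPLE.insert(2, sample_line("18:45:12", "198.51.100.7"))

if __name__ == "__main__":
    for ts, rip, count in find_bursts(SAMPLE):
        print(f"{ts} possible brute force from {rip}: {count} aborted logins")
```
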


