Debian / Ubuntu - Detect attacks made against your server with Logwatch

Page 1 / 1

Logwatch is very easy to install and practical to detect possible attacks from pirates or any errors produced by the services installed on your server.
Indeed, Logwatch send you a summary of your logs by e-mail every day.

Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.

Note : Logwatch needs Postfix to send the summary by e-mail. To install and configure Postfix, refer to the tutorial : Debian - Install and secure a complete mail server

To begin installing "logwatch".

Code : Bash

apt-get install logwatch

Then, edit the "/usr/share/logwatch/default.conf/logwatch.conf" file like this :

Code : Bash

MailTo = webmaster@your-domain.com  MailFrom = logwatch@your-domain.com

The changes will be reflected the next time logwatch.
Note : A cron job "00logwatch" was created to launch "logwatch" every day at the same hour.

Every day, you will receive a report similar to this :

Code : Plain Text

 ################### Logwatch x.x.x (xx/xx/xx) ####################           Processing Initiated: xxx xx xx xx:xx:xx xxxx          Date Range Processed: yesterday                                ( xxxx-xx-xx )                                Period is day.          Detail Level of Output: 0          Type of Output/Format: mail / text          Logfiles for Host: xxxxxxx   ##################################################################        --------------------- dpkg status changes Begin ------------------------      Installed:      [package name]:[cpu architecture] x.xx-x     Upgraded:      [package name]:[cpu architecture] x:x.x.x... => x:x.x.x...     ---------------------- dpkg status changes End -------------------------         --------------------- httpd Begin ------------------------         A total of xx sites probed the server       xx.xx.xx.xx      xx.xx.xx.xx      xx.xx.xx.xx      xx.xx.xx.xx      xx.xx.xx.xx      Requests with error response codes      400 Bad Request         /a-bad-request.html: x Time(s)      401 Unauthorized         /a-restricted-page.php: x Time(s)      404 Not Found         /a-not-found-page.html: x Time(s)      405 Method Not Allowed         /a-not-allowed-method.jpg: x Time(s)      408 Request Timeout         null: x Time(s)      500 Internal Server Error         /: 1 Time(s)      501 Not Implemented         /: x Time(s)      ---------------------- httpd End -------------------------         --------------------- IMAP Begin ------------------------         [IMAPd] Logout stats:   ====================                                      User | Logouts | Downloaded |  Mbox Size   --------------------------------------- | ------- | ---------- | ----------          an-email-account@your-domain.com |       x |       xxxx |          x   ---------------------------------------------------------------------------                                                   x |       xxxx |          x            ---------------------- IMAP End -------------------------         --------------------- POP-3 Begin ------------------------            [POP3] Login failures:   =========================                                                     Host (user) |          #    ------------------------------------------------------------- | -----------                  xx.xx.xx.xx (an-email-account@your-domain.com) |           x   ---------------------------------------------------------------------------                                                                             x            ---------------------- POP-3 End -------------------------         --------------------- pam_unix Begin ------------------------      xxxxxftpd:      Unknown Entries:         authentication failure; logname= uid=x euid=x tty=/dev/ftpdxxxxxx ruser=xxxxxx rhost=xxx.xxx.xxx.xxx  user=xxxxxx: x Time(s)     ---------------------- pam_unix End -------------------------         --------------------- Postfix Begin ------------------------            xx   Miscellaneous warnings           x.xxxK  Bytes accepted                               x,xxx      x.xxxK  Bytes delivered                              x,xxx   ========   ==================================================            xx   Accepted                                    xx.xx%         xx   Rejected                                    xx.xx%   --------   --------------------------------------------------         xx   Total                                      100.00%   ========   ==================================================            xx   5xx Reject relay denied                     xx.xx%         xx   5xx Reject unknown user                     xx.xx%   --------   --------------------------------------------------         xx   Total 5xx Rejects                          100.00%   ========   ==================================================            xx   Connections                      xx   Connections lost (inbound)          xx   Disconnections                   xx   Removed from queue               xx   Delivered                        ---------------------- Postfix End -------------------------          --------------------- xxxxftpd-messages Begin -----------------------        **Unmatched Entries**   pam_unix(xxxxftpd:session): session opened for user xxxxxxxx by (uid=x)   pam_unix(xxxxftpd:session): session closed for user xxxxxxxx      ---------------------- xxxxftpd-messages End ------------------------       --------------------- sasl auth daemon Begin ------------------------        SASL Authentications failed xx Time(s)   Service smtp (pam) - xx Time(s):      Realm domain.com - xx Time(s):         User: account@domain.com - PAM auth error - xx Time(s):      ...      ---------------------- sasl auth daemon End -------------------------          --------------------- SSHD Begin ------------------------      Users logging in through sshd:      xxxxxxxx:         xx.xx.xx.xx (xx-xx-xx-xx.xxx.fai.com): 2 times      ---------------------- SSHD End -------------------------          --------------------- Syslog-ng Begin ------------------------         Syslog-ng reloaded:		    x Time(s)      ---------------------- Syslog-ng End -------------------------         --------------------- Disk Space Begin ------------------------      Filesystem      Size  Used Avail Use% Mounted on   /dev/xxxx        xxG  x.xG   xxG  xx% /         ---------------------- Disk Space End -------------------------         ###################### Logwatch End #########################

If you don't receive the mail of Logwatch (eg because of a problem with your e-mail server), you can start Logwatch manually by entering this command :
Note : Wait a few seconds while Logwatch generates and send the report by e-mail.

Code : Bash

/etc/cron.daily/00logwatch