Debian / Ubuntu - Detect attacks made against your server with Logwatch


Logwatch is very easy to install and practical for detecting possible attacks by intruders, as well as errors produced by the services installed on your server.
Indeed, Logwatch sends you a summary of your logs by e-mail every day.

Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.

Note : Logwatch needs Postfix to send the summary by e-mail. To install and configure Postfix, refer to the tutorial : Debian - Install and secure a complete mail server

To begin, install "logwatch" :

Code : Bash

apt-get install logwatch

Then, edit the "/usr/share/logwatch/default.conf/logwatch.conf" file like this :

Code : Bash

MailTo = webmaster@your-domain.com
MailFrom = logwatch@your-domain.com

The changes will be reflected the next time Logwatch runs.
Note : A cron job "00logwatch" was created to launch "logwatch" every day at the same hour.

Every day, you will receive a report similar to this :

Code : Plain Text

 ################### Logwatch x.x.x (xx/xx/xx) #################### 
        Processing Initiated: xxx xx xx xx:xx:xx xxxx
        Date Range Processed: yesterday
                              ( xxxx-xx-xx )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: xxxxxxx
 ################################################################## 


 --------------------- dpkg status changes Begin ------------------------ 

 Installed:
    [package name]:[cpu architecture] x.xx-x

 Upgraded:
    [package name]:[cpu architecture] x:x.x.x... => x:x.x.x...

 ---------------------- dpkg status changes End ------------------------- 

 
 --------------------- httpd Begin ------------------------ 

 
 A total of xx sites probed the server 
    xx.xx.xx.xx
    xx.xx.xx.xx
    xx.xx.xx.xx
    xx.xx.xx.xx
    xx.xx.xx.xx
 
 Requests with error response codes
    400 Bad Request
       /a-bad-request.html: x Time(s)
    401 Unauthorized
       /a-restricted-page.php: x Time(s)
    404 Not Found
       /a-not-found-page.html: x Time(s)
    405 Method Not Allowed
       /a-not-allowed-method.jpg: x Time(s)
    408 Request Timeout
       null: x Time(s)
    500 Internal Server Error
       /: 1 Time(s)
    501 Not Implemented
       /: x Time(s)
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- IMAP Begin ------------------------ 

 
 [IMAPd] Logout stats:
 ====================
                                    User | Logouts | Downloaded |  Mbox Size
 --------------------------------------- | ------- | ---------- | ----------
        an-email-account@your-domain.com |       x |       xxxx |          x
 ---------------------------------------------------------------------------
                                                 x |       xxxx |          x
 
 
 
 ---------------------- IMAP End ------------------------- 

 
 --------------------- POP-3 Begin ------------------------ 

 
 
 [POP3] Login failures:
 =========================
                                                   Host (user) |          # 
 ------------------------------------------------------------- | -----------
                xx.xx.xx.xx (an-email-account@your-domain.com) |           x
 ---------------------------------------------------------------------------
                                                                           x
 
 
 
 ---------------------- POP-3 End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 xxxxxftpd:
    Unknown Entries:
       authentication failure; logname= uid=x euid=x tty=/dev/ftpdxxxxxx ruser=xxxxxx rhost=xxx.xxx.xxx.xxx  user=xxxxxx: x Time(s)

 ---------------------- pam_unix End ------------------------- 

 
 --------------------- Postfix Begin ------------------------ 

       xx   Miscellaneous warnings  
 
    x.xxxK  Bytes accepted                               x,xxx
    x.xxxK  Bytes delivered                              x,xxx
 ========   ==================================================
 
       xx   Accepted                                    xx.xx%
       xx   Rejected                                    xx.xx%
 --------   --------------------------------------------------
       xx   Total                                      100.00%
 ========   ==================================================
 
       xx   5xx Reject relay denied                     xx.xx%
       xx   5xx Reject unknown user                     xx.xx%
 --------   --------------------------------------------------
       xx   Total 5xx Rejects                          100.00%
 ========   ==================================================
 
       xx   Connections             
       xx   Connections lost (inbound) 
       xx   Disconnections          
       xx   Removed from queue      
       xx   Delivered               
 
 
 ---------------------- Postfix End ------------------------- 
 
 
 --------------------- xxxxftpd-messages Begin -----------------------

 
 **Unmatched Entries**
 pam_unix(xxxxftpd:session): session opened for user xxxxxxxx by (uid=x)
 pam_unix(xxxxftpd:session): session closed for user xxxxxxxx
 
 ---------------------- xxxxftpd-messages End ------------------------


 --------------------- sasl auth daemon Begin ------------------------

 
 SASL Authentications failed xx Time(s)
 Service smtp (pam) - xx Time(s):
    Realm domain.com - xx Time(s):
       User: account@domain.com - PAM auth error - xx Time(s):
 
 ...
 
 ---------------------- sasl auth daemon End ------------------------- 
 
 
 --------------------- SSHD Begin ------------------------
 
 Users logging in through sshd:
    xxxxxxxx:
       xx.xx.xx.xx (xx-xx-xx-xx.xxx.fai.com): 2 times
 
 ---------------------- SSHD End ------------------------- 
 
 
 --------------------- Syslog-ng Begin ------------------------ 

 
 Syslog-ng reloaded:		    x Time(s)
 
 ---------------------- Syslog-ng End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem      Size  Used Avail Use% Mounted on
 /dev/xxxx        xxG  x.xG   xxG  xx% /
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End #########################
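The report above is only useful if someone actually reads the counters that signal probing or brute force: error responses per URL in the "httpd" section, the POP3 "Login failures" table, and the SASL failure total. The script below is an added example (not part of Logwatch or of this tutorial) that splits a report in that layout into its "Begin"/"End" sections, extracts those counters and prints one alert per counter that reaches a threshold. The thresholds and the sample report (RFC 5737 test addresses) are constructed for the example; the parsing is driven by the section banners and line shapes shown above.

```python
"""Triage a Logwatch text report for signs of probing or brute force.

Added example (not part of the Logwatch project); thresholds are assumptions.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*-{3,}\s+(.+?) (Begin|End) -{3,}\s*$")
HTTP_STATUS_RE = re.compile(r"^\s*(\d{3}) [A-Za-z][A-Za-z ]*$")
TIMES_RE = re.compile(r"^\s*(.+?): (\d+) Time\(s\)\s*$")
POP3_FAIL_RE = re.compile(r"^\s*(\S+) \((.+?)\) \|\s+(\d+)\s*$")
SASL_RE = re.compile(r"SASL Authentications failed (\d+) Time\(s\)")

def split_sections(report):
    """Return {section name: [lines]} for every Begin/End block of the report."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:  # a "---- NAME Begin ----" or "---- NAME End ----" banner
            current = m.group(1) if m.group(2) == "Begin" else None
            if current:
                sections[current] = []
            continue
        if current is not None:
            sections[current].append(line)
    return sections

def http_errors(lines):
    """Map HTTP status code -> {path: hits} from the httpd section."""
    errors, status = defaultdict(dict), None
    for line in lines:
        m = HTTP_STATUS_RE.match(line)  # e.g. "   404 Not Found"
        if m:
            status = int(m.group(1))
            continue
        m = TIMES_RE.match(line)  # e.g. "      /index.html: 3 Time(s)"
        if m and status is not None:
            errors[status][m.group(1)] = int(m.group(2))
    return dict(errors)

def pop3_failures(lines):
    """Map host -> failed POP3 logins from the 'Login failures' table."""
    failures = defaultdict(int)
    for m in filter(None, map(POP3_FAIL_RE.match, lines)):
        failures[m.group(1)] += int(m.group(3))
    return dict(failures)

def sasl_failures(lines):
    """Total failed SASL authentications reported by saslauthd, or 0."""
    hits = [int(m.group(1)) for m in map(SASL_RE.search, lines) if m]
    return hits[0] if hits else 0

def triage(report, max_404=20, max_pop3_fail=5, max_sasl_fail=10):
    """Return one alert string per counter that reaches its threshold."""
    sections = split_sections(report)
    alerts = []
    for path, hits in http_errors(sections.get("httpd", [])).get(404, {}).items():
        if hits >= max_404:
            alerts.append(f"httpd: {hits} x 404 for {path}")
    for host, count in pop3_failures(sections.get("POP-3", [])).items():
        if count >= max_pop3_fail:
            alerts.append(f"pop3: {count} login failures from {host}")
    failed = sasl_failures(sections.get("sasl auth daemon", []))
    if failed >= max_sasl_fail:
        alerts.append(f"sasl: {failed} failed SMTP authentications")
    return alerts

# Constructed sample in the layout of the report above (RFC 5737 test addresses).
SAMPLE_REPORT = """\
 --------------------- httpd Begin ------------------------

 Requests with error response codes
    401 Unauthorized
       /admin/: 4 Time(s)
    404 Not Found
       /admin/login.php: 37 Time(s)
       /favicon.ico: 2 Time(s)
 ---------------------- httpd End -------------------------

 --------------------- POP-3 Begin ------------------------
 [POP3] Login failures:
                                                   Host (user) |          #
 ------------------------------------------------------------- | -----------
                 203.0.113.7 (an-email-account@your-domain.com) |          12
                      192.0.2.44 (postmaster@your-domain.com) |           1
 ---------------------------------------------------------------------------
                                                                           13
 ---------------------- POP-3 End -------------------------

 --------------------- sasl auth daemon Begin ------------------------
 SASL Authentications failed 14 Time(s)
 ---------------------- sasl auth daemon End -------------------------
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_REPORT):
        print(alert)
```

Feed it the saved Logwatch mail, or the output of `logwatch --output stdout`, instead of SAMPLE_REPORT. Keeping the section splitter separate from the per-section parsers means a new service section (SSHD, Postfix) only needs one more small regex and one more loop in triage.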

If you don't receive the Logwatch mail (e.g. because of a problem with your e-mail server), you can start Logwatch manually by entering this command :
Note : Wait a few seconds while Logwatch generates and sends the report by e-mail.

Code : Bash

/etc/cron.daily/00logwatch