Debian / Ubuntu - Detect attacks made against your server with Logwatch

Page 1 / 1
  • Published on : 26 December 2014 at 12:34 UTC
  • By Lionel Eppe

Logwatch is very easy to install and practical to detect possible attacks from pirates or any errors produced by the services installed on your server.
Indeed, Logwatch send you a summary of your logs by e-mail every day.

Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.

Note : Logwatch needs Postfix to send the summary by e-mail. To install and configure Postfix, refer to the tutorial : Debian - Install and secure a complete mail server

To begin installing "logwatch".

Code : Bash

apt-get install logwatch

Then, edit the "/usr/share/logwatch/default.conf/logwatch.conf" file like this :

Code : Bash

MailTo = webmaster@your-domain.com
MailFrom = logwatch@your-domain.com

The changes will be reflected the next time logwatch.
Note : A cron job "00logwatch" was created to launch "logwatch" every day at the same hour.

Every day, you will receive a report similar to this :

Code : Plain Text

 ################### Logwatch x.x.x (xx/xx/xx) #################### 
        Processing Initiated: xxx xx xx xx:xx:xx xxxx
        Date Range Processed: yesterday
                              ( xxxx-xx-xx )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: xxxxxxx
 ################################################################## 


 --------------------- dpkg status changes Begin ------------------------ 

 Installed:
    [package name]:[cpu architecture] x.xx-x

 Upgraded:
    [package name]:[cpu architecture] x:x.x.x... => x:x.x.x...

 ---------------------- dpkg status changes End ------------------------- 

 
 --------------------- httpd Begin ------------------------ 

 
 A total of xx sites probed the server 
    xx.xx.xx.xx
    xx.xx.xx.xx
    xx.xx.xx.xx
    xx.xx.xx.xx
    xx.xx.xx.xx
 
 Requests with error response codes
    400 Bad Request
       /a-bad-request.html: x Time(s)
    401 Unauthorized
       /a-restricted-page.php: x Time(s)
    404 Not Found
       /a-not-found-page.html: x Time(s)
    405 Method Not Allowed
       /a-not-allowed-method.jpg: x Time(s)
    408 Request Timeout
       null: x Time(s)
    500 Internal Server Error
       /: 1 Time(s)
    501 Not Implemented
       /: x Time(s)
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- IMAP Begin ------------------------ 

 
 [IMAPd] Logout stats:
 ====================
                                    User | Logouts | Downloaded |  Mbox Size
 --------------------------------------- | ------- | ---------- | ----------
        an-email-account@your-domain.com |       x |       xxxx |          x
 ---------------------------------------------------------------------------
                                                 x |       xxxx |          x
 
 
 
 ---------------------- IMAP End ------------------------- 

 
 --------------------- POP-3 Begin ------------------------ 

 
 
 [POP3] Login failures:
 =========================
                                                   Host (user) |          # 
 ------------------------------------------------------------- | -----------
                xx.xx.xx.xx (an-email-account@your-domain.com) |           x
 ---------------------------------------------------------------------------
                                                                           x
 
 
 
 ---------------------- POP-3 End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 xxxxxftpd:
    Unknown Entries:
       authentication failure; logname= uid=x euid=x tty=/dev/ftpdxxxxxx ruser=xxxxxx rhost=xxx.xxx.xxx.xxx  user=xxxxxx: x Time(s)

 ---------------------- pam_unix End ------------------------- 

 
 --------------------- Postfix Begin ------------------------ 

       xx   Miscellaneous warnings  
 
    x.xxxK  Bytes accepted                               x,xxx
    x.xxxK  Bytes delivered                              x,xxx
 ========   ==================================================
 
       xx   Accepted                                    xx.xx%
       xx   Rejected                                    xx.xx%
 --------   --------------------------------------------------
       xx   Total                                      100.00%
 ========   ==================================================
 
       xx   5xx Reject relay denied                     xx.xx%
       xx   5xx Reject unknown user                     xx.xx%
 --------   --------------------------------------------------
       xx   Total 5xx Rejects                          100.00%
 ========   ==================================================
 
       xx   Connections             
       xx   Connections lost (inbound) 
       xx   Disconnections          
       xx   Removed from queue      
       xx   Delivered               
 
 
 ---------------------- Postfix End ------------------------- 
 
 
 --------------------- xxxxftpd-messages Begin -----------------------

 
 **Unmatched Entries**
 pam_unix(xxxxftpd:session): session opened for user xxxxxxxx by (uid=x)
 pam_unix(xxxxftpd:session): session closed for user xxxxxxxx
 
 ---------------------- xxxxftpd-messages End ------------------------


 --------------------- sasl auth daemon Begin ------------------------

 
 SASL Authentications failed xx Time(s)
 Service smtp (pam) - xx Time(s):
    Realm domain.com - xx Time(s):
       User: account@domain.com - PAM auth error - xx Time(s):
 
 ...
 
 ---------------------- sasl auth daemon End ------------------------- 
 
 
 --------------------- SSHD Begin ------------------------
 
 Users logging in through sshd:
    xxxxxxxx:
       xx.xx.xx.xx (xx-xx-xx-xx.xxx.fai.com): 2 times
 
 ---------------------- SSHD End ------------------------- 
 
 
 --------------------- Syslog-ng Begin ------------------------ 

 
 Syslog-ng reloaded:		    x Time(s)
 
 ---------------------- Syslog-ng End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem      Size  Used Avail Use% Mounted on
 /dev/xxxx        xxG  x.xG   xxG  xx% /
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End #########################

If you don't receive the mail of Logwatch (eg because of a problem with your e-mail server), you can start Logwatch manually by entering this command :
Note : Wait a few seconds while Logwatch generates and send the report by e-mail.

Code : Bash

/etc/cron.daily/00logwatch