
A basic dropbear script for logwatch, based on http://forums.gentoo.org/viewtopic-t-461926.html. For now it only summarizes failed and successful logins (password and pubkey). Place the script in /usr/share/logwatch/scripts/services/dropbear (chmod 755) and create the matching service description in /usr/share/logwatch/default.conf/services/dropbear.conf.

Edit /usr/share/logwatch/default.conf/services/secure.conf and add "dropbear" to the line with "$ignore_services", so that the secure service stops reporting dropbear's lines itself.

script:

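use strict;
use warnings;
use Logwatch ':all';

# Logwatch service script for dropbear.
#
# Logwatch feeds the already-filtered dropbear lines (syslog prefix removed)
# on STDIN, one per line; this script tallies them and prints a summary of
# failed and successful logins to STDOUT.  Report depth follows
# LOGWATCH_DETAIL_LEVEL, as for the other logwatch services.

my $Debug  = $ENV{'LOGWATCH_DEBUG'} || 0;   # read for parity with other services; not used yet
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# $Users{$user}{$host}{$method} -> successful logins, $method is "password"
#   or "pubkey".  The pseudo-user "(all)" with method "(all)" counts every
#   child connection, whether or not it later authenticated.
# $BadLogins{$host}{$user}      -> failed attempts; "(nonexistent)" stands in
#   for the usernames dropbear does not print.
# $OtherList{$line}             -> lines no pattern recognised.
my %Users     = ();
my %BadLogins = ();
my %OtherList = ();

# Peer address as dropbear prints it: dotted IPv4 or hex/colon IPv6.  The
# port that follows the address is matched but never reported.
my $ADDR = qr/[\d\.:a-f]+/;

# Returns "s" when $count calls for a plural noun, "" otherwise.
sub _plural {
   my ($count) = @_;
   return ($count > 1) ? "s" : "";
}

# Sums the values of a hash reference (all counters for one host or user).
sub _sum_counts {
   my ($href) = @_;
   my $total = 0;
   $total += $_ foreach values %{$href};
   return $total;
}

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);

   # Usernames and addresses below come straight from the remote client via
   # dropbear's log line; they are only used as hash keys and echoed verbatim
   # in the report, never interpreted.  Declared once here because a "my" in
   # an elsif condition stays in scope for the whole if/elsif chain.
   my ($User, $Host);

   if (   $ThisLine =~ /^pam_end: NULL pam handle passed/
       || $ThisLine =~ /^exit after auth \(\S+\): Disconnect received/ ) {
      # Housekeeping noise; deliberately ignored.
   }
   elsif (($User, $Host) = ($ThisLine =~ /^password auth succeeded for '(\S+)' from ($ADDR):\d+/)) {
      $Users{$User}{$Host}{"password"}++;
   }
   elsif (($User, $Host) = ($ThisLine =~ /^pubkey auth succeeded for '(\S+)' with key md5 [0-9a-f:]+ from ($ADDR):\d+/)) {
      $Users{$User}{$Host}{"pubkey"}++;
   }
   elsif (($Host) = ($ThisLine =~ /^Child connection from ($ADDR):\d+/)) {
      $Users{"(all)"}{$Host}{"(all)"}++;
   }
   elsif (($User, $Host) = ($ThisLine =~ /^bad password attempt for '(\S+)' from ($ADDR):\d+/)) {
      $BadLogins{$Host}{$User}++;
   }
   elsif (($Host) = ($ThisLine =~ /^login attempt for nonexistent user from ($ADDR):\d+/)) {
      $BadLogins{$Host}{"(nonexistent)"}++;
   }
   else {
      $OtherList{$ThisLine}++;
   }
}

#############################################################

if (keys %BadLogins) {
   print "\nFailed logins from these:\n";
   foreach my $ip (sort SortIP keys %BadLogins) {
      my $name     = LookupIP($ip);
      my $totcount = _sum_counts($BadLogins{$ip});
      print "   $name: $totcount time", _plural($totcount), "\n";
      if ($Detail >= 5) {
         # Per-user breakdown, most frequent first (CountOrder is logwatch's).
         my $sort = CountOrder(%{$BadLogins{$ip}});
         foreach my $user (sort $sort keys %{$BadLogins{$ip}}) {
            my $val = $BadLogins{$ip}{$user};
            print "      $user: $val time", _plural($val), "\n";
         }
      }
   }
}

if (keys %Users) {
   print "\nUsers logging in through dropbear:\n";
   foreach my $user (sort { $a cmp $b } keys %Users) {
      print "   $user:\n";
      my $totalSort = TotalCountOrder(%{$Users{$user}}, \&SortIP);
      foreach my $ip (sort $totalSort keys %{$Users{$user}}) {
         my $name = LookupIP($ip);
         if ($Detail >= 20) {
            print "      $name:\n";
            my $sort = CountOrder(%{$Users{$user}{$ip}});
            foreach my $method (sort $sort keys %{$Users{$user}{$ip}}) {
               my $val = $Users{$user}{$ip}{$method};
               print "         $method: $val time", _plural($val), "\n";
            }
         }
         else {
            # Below detail 20 the methods are folded together: a user who
            # logged in both by password and by pubkey from this host gets a
            # single line with the combined count rather than one arbitrary
            # method's count.
            my $val = _sum_counts($Users{$user}{$ip});
            print "      $name: $val time", _plural($val), "\n";
         }
      }
   }
}

if (keys %OtherList) {
   print "\n**Unmatched Entries**\n";
   # Sorted so two runs over the same log produce the same report.
   print "$_ : $OtherList{$_} time(s)\n" foreach sort keys %OtherList;
}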

config:

# You can put comments anywhere you want to.  They are effective for the
# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

Title = "Dropbear"

# Which logfile group...
LogFile = secure
# LogFile = messages

# Only give lines pertaining to the dropbear service...
*OnlyService = dropbear
*RemoveHeaders