A basic dropbear script for logwatch, based on http://forums.gentoo.org/viewtopic-t-461926.html. For now it only summarizes failed and successful logins (password and pubkey). Place the script in /usr/share/logwatch/scripts/services/dropbear (chmod 755) and create the matching service description in /usr/share/logwatch/default.conf/services/dropbear.conf.
Edit /usr/share/logwatch/default.conf/services/secure.conf and add "dropbear" to the line with "$ignore_services", so that the generic "secure" service does not report the same dropbear lines a second time.
script:
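use strict;
use warnings;
use List::Util qw(sum);
use Logwatch ':all';

# Logwatch service script for dropbear.
#
# Logwatch feeds the already-filtered log lines for this service on STDIN,
# one per line, and expects the summary on STDOUT.  The report covers failed
# logins, successful logins (password and pubkey) and every line that no
# pattern recognised.  LOGWATCH_DETAIL_LEVEL (logwatch's --detail) controls
# how deep the breakdown goes:
#   >= 5   failed logins are broken down per user name
#   >= 20  successful logins are broken down per authentication method
my $Debug  = $ENV{'LOGWATCH_DEBUG'}        || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# $Users{$user}{$host}{$method} = count; the pseudo-user "(all)" with
#   method "(all)" counts every accepted child connection, whoever it was for.
# $BadLogins{$host}{$user}      = count; "(nonexistent)" stands in for the
#   user name on "nonexistent user" lines, where dropbear does not log it.
# $OtherList{$line}             = count of lines no pattern matched.
my %Users     = ();
my %BadLogins = ();
my %OtherList = ();

# Remote address as dropbear logs it: dotted IPv4 or hex/colon IPv6 literal.
# The ":port" that follows it is matched but never reported.
my $HostRe = qr/[\d.:a-f]+/;

# "$n time" or "$n times", as the report has always spelled it.
sub _times {
    my ($n) = @_;
    return $n . ' time' . ($n > 1 ? 's' : '');
}

while (defined(my $ThisLine = <STDIN>)) {
    chomp $ThisLine;

    # User names and unmatched lines are copied verbatim from the log into
    # the report.  NOTE(review): the user name is whatever the remote side
    # sent; confirm that logwatch strips control characters before this
    # output is viewed in a terminal or mail client.
    if (   $ThisLine =~ /^pam_end: NULL pam handle passed/
        || $ThisLine =~ /^exit after auth \(\S+\): Disconnect received/ )
    {
        # Known noise, deliberately dropped rather than listed as unmatched.
    }
    elsif ( $ThisLine =~ /^password auth succeeded for '(?<user>\S+)' from (?<host>$HostRe):\d+/ ) {
        $Users{ $+{user} }{ $+{host} }{password}++;
    }
    elsif ( $ThisLine =~ /^pubkey auth succeeded for '(?<user>\S+)' with key md5 [0-9a-f:]+ from (?<host>$HostRe):\d+/ ) {
        $Users{ $+{user} }{ $+{host} }{pubkey}++;
    }
    elsif ( $ThisLine =~ /^Child connection from (?<host>$HostRe):\d+/ ) {
        $Users{'(all)'}{ $+{host} }{'(all)'}++;
    }
    elsif ( $ThisLine =~ /^bad password attempt for '(?<user>\S+)' from (?<host>$HostRe):\d+/ ) {
        $BadLogins{ $+{host} }{ $+{user} }++;
    }
    elsif ( $ThisLine =~ /^login attempt for nonexistent user from (?<host>$HostRe):\d+/ ) {
        $BadLogins{ $+{host} }{'(nonexistent)'}++;
    }
    else {
        $OtherList{$ThisLine}++;
    }
}

#############################################################
if (keys %BadLogins) {
    print "\nFailed logins from these:\n";
    for my $ip (sort SortIP keys %BadLogins) {
        my $name     = LookupIP($ip);
        my $totcount = sum(0, values %{ $BadLogins{$ip} });
        print " $name: " . _times($totcount) . "\n";

        next if $Detail < 5;
        my $by_count = CountOrder(%{ $BadLogins{$ip} });
        for my $user (sort $by_count keys %{ $BadLogins{$ip} }) {
            print " $user: " . _times($BadLogins{$ip}{$user}) . "\n";
        }
    }
}

if (keys %Users) {
    print "\nUsers logging in through dropbear:\n";
    for my $user (sort keys %Users) {
        print " $user:\n";
        my $by_total = TotalCountOrder(%{ $Users{$user} }, \&SortIP);
        for my $ip (sort $by_total keys %{ $Users{$user} }) {
            my $name    = LookupIP($ip);
            my $methods = $Users{$user}{$ip};
            if ($Detail >= 20) {
                print " $name:\n";
                my $by_count = CountOrder(%$methods);
                for my $method (sort $by_count keys %$methods) {
                    print " $method: " . _times($methods->{$method}) . "\n";
                }
            }
            else {
                # Sum over every method: a host that logged in with both a
                # password and a key previously had only one of the two
                # counts reported here (whichever hash value came first).
                print " $name: " . _times(sum(0, values %$methods)) . "\n";
            }
        }
    }
}

if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    # Sorted so two runs over the same log produce the same report.
    print "$_ : $OtherList{$_} time(s)\n" for sort keys %OtherList;
}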
config:
# You can put comments anywhere you want to. They are effective for the
# rest of the line.
# this is in the format of <keyword> = <value>.   Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.
# Yes = True = On = 1
# No = False = Off = 0
Title = "Dropbear"
# Which logfile group...
LogFile = secure
# LogFile = messages
# Only give lines pertaining to the sshd service...
*OnlyService = dropbear
*RemoveHeaders