Additional Logwatch Scripting for Postfix and Amavis
First thing in the morning I like to have a quick browse through the Logwatch output for all my servers (or at the very least the critical ones and the ones that have been giving me trouble), and for the most part the data is concise and extremely useful. However, there comes a point when erroneous activity makes your 15kb / 30kb Logwatch email start creeping up towards the 500kb / 700kb sort of size, and usually it's junk.
The best way to sort this is by adding additional scripts/configuration to your standard Logwatch setup. I was finding that the main culprits were Amavis, Postfix and SSHD.
SSHD
One of the things that scares people new to the world of Logwatch (or anything that logs SSH/telnet/FTP/etc connection attempts) is the blindingly huge number of failed login attempts. Below is an average SSHD report:
Authentication Failures:
unknown (222.108.131.114): 395 Time(s)
root (222.108.131.114): 112 Time(s)
apache (222.108.131.114): 3 Time(s)
rpcuser (222.108.131.114): 2 Time(s)
bin (222.108.131.114): 1 Time(s)
ftp (222.108.131.114): 1 Time(s)
mysql (222.108.131.114): 1 Time(s)
nobody (222.108.131.114): 1 Time(s)
operator (222.108.131.114): 1 Time(s)
postfix (222.108.131.114): 1 Time(s)
root (62.24.24.62): 1 Time(s)
rpc (222.108.131.114): 1 Time(s)
squid (222.108.131.114): 1 Time(s)
unknown (87.139.55.110): 1 Time(s)
unknown (sd-1600.dedibox.fr): 1 Time(s)
xfs (222.108.131.114): 1 Time(s)
Invalid Users:
Unknown Account: 397 Time(s)
Now whilst you might be thinking that I'm being a bit pedantic and there are only a few kb of text there, I really don't want to see it and, more importantly, there is still an underlying issue. My SSH server is coming under attack; granted, it's an 'attack' in the same way my roof gets attacked when it rains, but it's still something that ought to be looked at. A quick change to /etc/ssh/sshd_config as shown below soon put a stop to any more of these lame automated attempts.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
Port 2322
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
Postfix
I love Postfix, there are no two ways about it. One of the things I love is the verbosity of its logs; unfortunately, when it comes to Logwatch this means a big chunk of data coming my way each morning. An abridged example below:
4336704 bytes transferred
254 messages sent
254 messages removed from queue
Relaying denied:
From 125-225-23-144.dynamic.hinet.net[125.225.23.144] to sr2_serch@yahoo.com.tw : 5 Time(s)
From 59-117-67-53.dynamic.hinet.net[59.117.67.53] to candy59839@yahoo.com.tw : 5 Time(s)
From 85.3b.354a.static.theplanet.com[74.53.59.133] to Not.abuse@DNSreport.com : 5 Time(s)
Connections lost:
Connection lost after command AUTH : 13 Time(s)
Connection lost after command CONNECT : 50 Time(s)
Connection lost after command EHLO : 37 Time(s)
Connection lost after command RCPT : 11 Time(s)
Hostname verification errors:
Name or service not known : 8 Time(s)
Unrecognized warning:
Connection concurrency limit exceeded: 51 from 71-218-194-225.hlrn.qwest.net[71.218.194.225] for service smtp : 35 Time(s)
osbk-4db55f82.pool.einsundeins.de[77.181.95.130] sent non-SMTP command: Content-Type: text/html; : 1 Time(s)
**Unmatched Entries**
statistics: max connection rate 1/60s for (smtp:70.85.98.122) at Jun 19 00:14:19
statistics: max connection count 1 for (smtp:70.85.98.122) at Jun 19 00:14:19
statistics: max cache size 1 at Jun 19 00:14:19
statistics: max connection rate 1/60s for (smtp:195.241.79.139) at Jun 19 00:24:46
statistics: max connection count 1 for (smtp:195.241.79.139) at Jun 19 00:24:46
statistics: max cache size 1 at Jun 19 00:24:46
…………
(another 1000 odd lines of this)
Using one of Mike Cappella's scripts, the above output looks like this:
254 Accepted 87.29%
37 Rejected 12.71%
------------------------------------------------
291 Total 100.00%
================================================
15 Reject relay denied 40.54%
22 Reject unknown user 59.46%
------------------------------------------------
37 Total Rejects 100.00%
================================================
429 Connections made
111 Connections lost
429 Disconnections
254 Removed from queue
100 Delivered
154 Sent via SMTP
8 Hostname verification errors
87 TLS connections (server)
10 SASL authenticated messages
Unfortunately Mike's scripts don't have any instructions for CentOS, so you'll need to move postfix-logwatch (the Perl script) to /etc/log.d/scripts/services/ and then move postfix-logwatch.conf to /etc/log.d/conf/services/, and you're home free!
Amavis
This is basically the same situation as above: Amavis can tell you a lot about what is going through your mail system, and unfortunately if it's not processed you will get output like the following:
Blocked SPAM, [80.96.150.188] [145.96.195.15]
Passed CLEAN, [70.85.98.122] [81.159.22.90]
Passed CLEAN, [70.85.98.122] [66.218.66.81]
Passed CLEAN, [70.85.98.122] [66.218.66.89]
…………………………..
(100’s more)
Once again Mike Cappella's scripts come to the rescue and turn the above into this:
106 Clean passed 73.10%
39 Spam blocked 26.90%
------------------------------------------------------
145 Total Messages Scanned 100.00%
======================================================
106 Ham 73.10%
39 Spam 26.90%
------------------------------------------------------
145 Total Messages Scanned 100.00%
======================================================
As mentioned earlier, Mike's scripts don't have any instructions for CentOS, so you'll need to move amavis-logwatch (the Perl script) to /etc/log.d/scripts/services/ and then move amavis-logwatch.conf to /etc/log.d/conf/services/, and you're home free!
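To show what the Postfix and Amavis summarizing above actually involves, here is a small Python filter written for this post as an added illustration (it is not Mike Cappella's postfix-logwatch or amavis-logwatch): it classifies sample Postfix smtpd lines and Amavis lines, collapses the anvil "statistics:" lines that otherwise flood the Unmatched Entries section, and prints the same count / percentage table layout. The log lines, addresses and queue ids are constructed, and the regexes cover only the handful of line types shown here.

```python
import re
from collections import Counter
# Classification rules, first match wins (Postfix smtpd/anvil and Amavis formats).
POSTFIX_RULES = [
    ("Accepted", re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=")),
    ("Reject relay denied", re.compile(r"NOQUEUE: reject: .*Relay access denied")),
    ("Reject unknown user", re.compile(r"NOQUEUE: reject: .*User unknown")),
    ("anvil statistics (collapsed)", re.compile(r"postfix/anvil\[\d+\]: statistics: ")),
]
AMAVIS_RULES = [
    ("Clean passed", re.compile(r"amavis\[\d+\]: \(\S+\) Passed CLEAN,")),
    ("Spam blocked", re.compile(r"amavis\[\d+\]: \(\S+\) Blocked SPAM,")),
]

def summarize(lines, rules):
    """Tally each line under the first matching rule; the rest under 'Unmatched'."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        name = next((n for n, rx in rules if rx.search(line)), "Unmatched")
        counts[name] += 1
    return counts

def report(counts, total_label):
    """Render counts as the 'N label pct%' table postfix-logwatch prints."""
    total = sum(counts.values())
    rows = [f"{n:>6} {name:<32}{100.0 * n / (total or 1):>7.2f}%" for name, n in counts.most_common()]
    rows.append("-" * 47)
    rows.append(f"{total:>6} {total_label:<32}{100.0:>7.2f}%")
    return "\n".join(rows)

# Constructed sample lines (syslog prefix already stripped, as Logwatch feeds them to a service script).
POSTFIX_SAMPLE = [
    "postfix/smtpd[4321]: 1A2B3C4D5E: client=mail.example.net[192.0.2.10]",
    "postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <x@example.com>: Relay access denied; from=<a@example.net> to=<x@example.com> proto=SMTP helo=<bad>",
    "postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 550 5.1.1 <ghost@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<ghost@example.org> proto=ESMTP helo=<h>",
    "postfix/anvil[99]: statistics: max connection rate 1/60s for (smtp:192.0.2.10) at Jun 19 00:14:19",
    "postfix/anvil[99]: statistics: max cache size 1 at Jun 19 00:14:19",
    "postfix/smtpd[4322]: warning: a line this script has no rule for",
]
AMAVIS_SAMPLE = [
    "amavis[555]: (00555-01) Passed CLEAN, [192.0.2.10] [192.0.2.11] <a@example.net> -> <b@example.org>, Hits: -2.1, size: 1024, 123 ms",
    "amavis[555]: (00555-02) Blocked SPAM, [198.51.100.7] [198.51.100.9] <c@example.net> -> <d@example.org>, Hits: 12.3, size: 2048, 456 ms",
    "amavis[555]: (00555-03) Passed CLEAN, [192.0.2.10] [192.0.2.12] <e@example.net> -> <f@example.org>, Hits: -0.5, size: 512, 99 ms",
]
if __name__ == "__main__":
    print(report(summarize(POSTFIX_SAMPLE, POSTFIX_RULES), "Total"))
    print(report(summarize(AMAVIS_SAMPLE, AMAVIS_RULES), "Total Messages Scanned"))
```

Anything that matches no rule still appears as "Unmatched", so a new line type never disappears silently; add a rule for it once you have decided whether it matters.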
Well, nothing ground-breaking here, but hopefully someone will get some use out of it.