[Logcheck-users] Abuse extension for Logcheck

Ludovic Maitre ludovic.maitre@free.fr
Sat, 04 Jun 2005 10:08:05 +0200


Hello,

I am beginning with logcheck and it's a very useful tool, thanks to all 
the developers.
But I'm wondering if there exists a tool, or options to logcheck, for 
creating abuse reports automatically in case of intrusions.

For example Logcheck has warned me about several ssh brute-force hacking 
attempts on my server and each time I have done the following:

   1. search for the people responsible for the host: whois x.x.x.x
      (abuse@..., TechHandle, OrgHandle) [possibly doing multiple
      queries to find the person]
   2. do a traceroute to the host, to see if it's coherent with the
      information from the whois (geographic...)
   3. create a report mail to the abuse or admin contact which includes
      the above reports and the concerned lines of the logcheck report,
      i.e.:

Jun  3 15:26:05 durandal sshd[10156]: error: Could not get shadow information for NOUSER
Jun  3 15:26:11 durandal sshd[10158]: error: Could not get shadow information for NOUSER
Jun  3 15:26:13 durandal sshd[10160]: Illegal user test from ::ffff:205.234.186.37
Jun  3 15:26:13 durandal sshd[10160]: error: Could not get shadow information for NOUSER
Jun  3 15:26:14 durandal sshd[10162]: Illegal user guest from ::ffff:205.234.186.37
Jun  3 15:26:14 durandal sshd[10162]: error: Could not get shadow information for NOUSER
Jun  3 15:26:21 durandal sshd[10164]: Illegal user webmaster from ::ffff:205.234.186.37
Jun  3 15:26:21 durandal sshd[10164]: error: Could not get shadow information for NOUSER
Jun  3 15:26:22 durandal sshd[10166]: User mysql not allowed because not listed in AllowUsers
Jun  3 15:26:22 durandal sshd[10166]: error: Could not get shadow information for NOUSER
Jun  3 15:26:24 durandal sshd[10168]: Illegal user oracle from ::ffff:205.234.186.37
Jun  3 15:26:24 durandal sshd[10168]: error: Could not get shadow information for NOUSER
Jun  3 15:26:25 durandal sshd[10170]: Illegal user library from ::ffff:205.234.186.37
Jun  3 15:26:25 durandal sshd[10170]: error: Could not get shadow information for NOUSER
Jun  3 15:26:27 durandal sshd[10172]: Illegal user info from ::ffff:205.234.186.37
...

And this takes some time to do manually.

I understand that I can write a small Perl script which does this and mails me the abuse reports for validation (it would be foolish to automatically send the reports to the abuse destination since they could be inaccurate), but I'm wondering if this already exists?

Thanks in advance for any response,

-- 
Regards,
Ludo - http://www.ubik-products.com
---
"Love as principle and order as basis; progress as goal" (A. Comte)
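The manual procedure described in the post (pull the offending source addresses out of the sshd lines in a logcheck report, then draft a report for a human to validate before anything is sent) is shown below as an added Python example; it is not part of the original message or of logcheck. The sample lines are constructed in the format of the post's log excerpt with documentation-range addresses, and the whois and traceroute steps are left to the operator.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sshd lines quoted in the post;
# the source addresses are documentation-range placeholders.
SAMPLE_REPORT = """\
Jun  3 15:26:05 durandal sshd[10156]: error: Could not get shadow information for NOUSER
Jun  3 15:26:13 durandal sshd[10160]: Illegal user test from ::ffff:192.0.2.10
Jun  3 15:26:14 durandal sshd[10162]: Illegal user guest from ::ffff:192.0.2.10
Jun  3 15:26:22 durandal sshd[10166]: User mysql not allowed because not listed in AllowUsers
Jun  3 15:26:24 durandal sshd[10168]: Illegal user oracle from ::ffff:192.0.2.10
Jun  3 15:26:30 durandal sshd[10180]: Illegal user admin from 198.51.100.7
"""

# "Illegal user <name> from <addr>"; sshd on dual-stack hosts logs IPv4 peers
# with the IPv4-mapped IPv6 prefix ::ffff:, which is stripped here.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?:::ffff:)?(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def group_by_source(report):
    """Return {ip: {"users": [...], "lines": [...]}} for every login attempt."""
    hits = defaultdict(lambda: {"users": [], "lines": []})
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # NOUSER / AllowUsers lines carry no source address
        hits[m["ip"]]["users"].append(m["user"])
        hits[m["ip"]]["lines"].append(line)
    return dict(hits)

def draft_abuse_report(ip, hits, host="durandal"):
    """Build the report body for one source address. The recipient (from
    whois) and the traceroute check are left to the operator, who validates
    the draft before sending, as the post suggests."""
    attempts = hits[ip]
    body = [
        f"Subject: SSH brute-force attempts from {ip} against {host}",
        "",
        f"{len(attempts['lines'])} failed logins were attempted from {ip} with the",
        f"user names: {', '.join(sorted(set(attempts['users'])))}.",
        "Relevant log lines (server local time):",
        "",
        *attempts["lines"],
    ]
    return "\n".join(body)

if __name__ == "__main__":
    hits = group_by_source(SAMPLE_REPORT)
    for ip in hits:
        print(draft_abuse_report(ip, hits), end="\n\n")
```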