HOWTO Logwatch - security

Here you can share your best tips and tricks.
Category rules
Here are the detailed instructions we might need. Look here if you, for example, need to install some program or set up some function. Don't start threads without having an answer.
pompado
Posts: 448
Joined: 24 Sep 2008, 10:08
OS: Xubuntu
Release: 14.04 Trusty Tahr LTS

HOWTO Logwatch - security

Post by pompado »

Hello - Logwatch is a program that watches your system and creates logs.
You can pick different levels of logs for your system - low, medium and high security.
And you can pick what to monitor with your logging - http, sudo and more ...
This is a great way to monitor your system - you can choose to get yesterday's logs or today's logs sent to your email.

First I just want to tell you how difficult it was to get all this working.
I tried to get a working email system to work with my Ubuntu so Logwatch could send me emails using my Ubuntu system.
And I ended up trying to configure Postfix - I followed many guides online and none worked.
This made me very angry.

But thanks to this great forum [ubuntu org] I described my issue and got help to solve my problem.
A user suggested I install SSMTP instead of Postfix and it worked directly after the first install and configuration.
After that I was going to install Logwatch - but then I noticed that the guides say different things about how to install Logwatch.
This was at first confusing - but in the end I sorted the wrong information out into a working solution to install and configure Logwatch.

1) So now I will show you how to install and configure the mail software SSMTP so you can get emails from Logwatch.

2) After getting SSMTP working I will show you how to install and configure LOGWATCH.

3) During this installation process you need a gmail.com account for this guide to work.

Installing and configuring SSMTP to send emails from your Ubuntu system

First you run the following command to get an updated system:

Code:

sudo apt-get update
After that you install ssmtp

Code:

sudo apt-get install ssmtp
Now you will open a text file using an editor with the name nano.
After editing a file you press "ctrl" and "o" to save the changes and press "enter", then close nano with "ctrl" and "x".
These are all the commands you need to open, save and close using nano.

Type the following in the command line:

Code:

sudo nano /etc/ssmtp/ssmtp.conf
Then you will get a file and it should look like this:
You have to add the missing parts and add your email.

Code:

# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
#root=postmaster
root=MyEmailAddress@gmail.com

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
#mailhub=mail
mailhub=smtp.gmail.com:587

AuthUser=MyEmailAddress@gmail.com
AuthPass=MyPassword
UseTLS=YES
UseSTARTTLS=YES

# Where will the mail seem to come from?
#rewriteDomain=
rewriteDomain=gmail.com

# The full hostname
#hostname=MyMediaServer.home
hostname=MyEmailAddress@gmail.com

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES
When you are done you can test sending email to your gmail account.
But at first it will not work because gmail will complain about you spamming the email account and also raise the issue of how the daemon can know your password to your gmail account.
Then gmail will ask if you want to change security settings and you should answer yes or activate the function allowing emails from your Ubuntu system.
When this is done you can test sending email again - then it should work just fine.

This is how you send email using the command line with ssmtp:

Code:

ssmtp recipient_YourEmail@gmail.com
After typing this into the command line you press Enter and type your message.
For example:

Code:

Hello world
After that you need to end this session with Ctrl D.
Now you can check your email and you will see your message Hello world.
Here is the ssmtp guide I followed http://www.havetheknowhow.com/Configure ... ssmtp.html

Now when you get this working you can move on to the next part - installing and configuring Logwatch.

Installing and configuring LOGWATCH to send security logs to your email account:

First we install Logwatch

Code:

sudo apt-get install logwatch
We have to create a directory that Logwatch doesn't create by default.
Write the following command to create /var/cache/logwatch

Code:

sudo mkdir /var/cache/logwatch


Now we should not add to and configure the logwatch.conf file in this path /usr/share/logwatch.
We should copy logwatch.conf to /etc/logwatch/conf/ and that is the file we will configure.
So now we copy the file using the following command

Code:

sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Now you open up the logwatch.conf file using the following path

Code:

sudo nano /etc/logwatch/conf/logwatch.conf
First you change the output to mail and mailto to your email account.

Code:

Output = mail
MailTo = YourEmail@gmail.com
Then you can add your email again at this line

Code:

MailFrom = Logwatch


Now you can set the reports to yesterday or today - I pick Today

Code:

Range = Today
At last you can pick if you want low security issues or medium or high - I pick medium

Code:

Detail = Medium
Now you can test Logwatch sending a security report to your mail.
Just write logwatch in the command line and check your email account.

Code:

sudo logwatch
I followed different guides to understand how to install and configure Logwatch correctly.
I post them in the order you should read them, and refer to the guides to understand what the correct settings are for Logwatch.
First guide to use is https://help.ubuntu.com/community/Logwatch
Second guide to use is https://wiki.amahi.org/index.php/Monito ... via_E-mail
And last guide to get more details https://www.digitalocean.com/community/ ... r-on-a-vps
Last edited by pompado, edited 8 times in total.
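An added example, not part of pompado's guide, to check the two files the guide edits: /etc/ssmtp/ssmtp.conf stores AuthPass in clear text, so it should use a submission port with TLS and must not be world-readable, and logwatch.conf should have the Output, MailTo and Detail values the guide sets. The script runs on constructed copies in a temp directory, so it never touches /etc; the account values are the guide's placeholders.

```shell
#!/bin/sh
# Added example, not from the guide: audit ssmtp.conf and logwatch.conf on constructed
# copies in a temp directory. Nothing here reads or writes the real files under /etc.

TMPD=$(mktemp -d)

# Constructed ssmtp.conf with the guide's settings (placeholder account values).
cat > "$TMPD/good.conf" <<'EOF'
root=MyEmailAddress@gmail.com
mailhub=smtp.gmail.com:587
AuthUser=MyEmailAddress@gmail.com
AuthPass=MyPassword
UseTLS=YES
UseSTARTTLS=YES
rewriteDomain=gmail.com
FromLineOverride=YES
EOF

# Constructed weak variant: plain port 25 and no TLS, so the password would cross the wire in the clear.
cat > "$TMPD/weak.conf" <<'EOF'
root=MyEmailAddress@gmail.com
mailhub=smtp.gmail.com:25
AuthUser=MyEmailAddress@gmail.com
AuthPass=MyPassword
UseTLS=NO
EOF

# Constructed logwatch.conf fragment with the guide's values.
cat > "$TMPD/logwatch.conf" <<'EOF'
Output = mail
MailTo = YourEmail@gmail.com
MailFrom = Logwatch
Range = Today
Detail = Medium
EOF

# conf_get FILE KEY -> value of the first uncommented "KEY = value" line (empty if absent)
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_ssmtp FILE -> "OK" or a space-separated list of findings
audit_ssmtp() {
    f=$1; findings=""
    case "$(conf_get "$f" mailhub)" in
        *:587|*:465) ;;                                       # submission / SMTPS ports
        *) findings="$findings mailhub-not-submission-port" ;;
    esac
    [ "$(conf_get "$f" UseTLS)" = "YES" ]      || findings="$findings UseTLS-not-YES"
    [ "$(conf_get "$f" UseSTARTTLS)" = "YES" ] || findings="$findings UseSTARTTLS-not-YES"
    # 8th column of ls -l is the "other" read bit: r means any local user can read AuthPass
    [ "$(ls -l "$f" | cut -c8)" != "r" ]       || findings="$findings world-readable"
    [ -n "$findings" ] && echo "${findings# }" || echo OK
}

# audit_logwatch FILE -> "OK" or findings
audit_logwatch() {
    f=$1; findings=""
    [ "$(conf_get "$f" Output)" = "mail" ] || findings="$findings Output-not-mail"
    [ -n "$(conf_get "$f" MailTo)" ]       || findings="$findings MailTo-empty"
    case "$(conf_get "$f" Detail)" in
        Low|Med|Medium|High|[0-9]*) ;;
        *) findings="$findings Detail-invalid" ;;
    esac
    [ -n "$findings" ] && echo "${findings# }" || echo OK
}

chmod 644 "$TMPD/good.conf" "$TMPD/weak.conf"   # the mode a freshly written file usually gets
GOOD_BEFORE=$(audit_ssmtp "$TMPD/good.conf")    # -> world-readable
chmod 640 "$TMPD/good.conf"                     # restrict it, as you would /etc/ssmtp/ssmtp.conf
GOOD_AFTER=$(audit_ssmtp "$TMPD/good.conf")     # -> OK
WEAK=$(audit_ssmtp "$TMPD/weak.conf")
LW=$(audit_logwatch "$TMPD/logwatch.conf")      # -> OK
echo "good before: $GOOD_BEFORE"
echo "good after:  $GOOD_AFTER"
echo "weak:        $WEAK"
echo "logwatch:    $LW"
```

To run it against the real files, call `audit_ssmtp /etc/ssmtp/ssmtp.conf` and `audit_logwatch /etc/logwatch/conf/logwatch.conf` as root; the permission finding is the one most guides skip, since the Gmail password sits in that file.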
pompado
Posts: 448
Joined: 24 Sep 2008, 10:08
OS: Xubuntu
Release: 14.04 Trusty Tahr LTS

Re: HOWTO Logwatch - security

Post by pompado »

You also might need to unlock the captcha by visiting this page https://www.google.com/accounts/DisplayUnlockCaptcha
But if the email is working then there is no need.

Damn, Ubuntu rocks when things work :-)
pompado
Posts: 448
Joined: 24 Sep 2008, 10:08
OS: Xubuntu
Release: 14.04 Trusty Tahr LTS

Re: HOWTO Logwatch - security

Post by pompado »

I forgot to mention that you need to test whether your internet provider allows you to connect using smtp.gmail.com.

Here's a simple test. Open a terminal and run the command:
Code:

telnet alt1.gmail-smtp-in.l.google.com 25
If you can connect, you'll see GMail reply with its "banner" like this:
Code:

Trying 74.125.24.27...
Connected to alt1.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP s1si2787214wiy.52 - gsmt
If you don't see that, you'll need to talk to your ISP and make sure they are not filtering traffic to remote SMTP servers.
To close the telnet session, hold down the Ctrl key and type the "]" character. Then type "quit" at the prompt.
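The same reachability check as the telnet test above, as an added example that is not part of pompado's post: scripted with a timeout so it cannot hang, plus a small parser for the greeting line. smtp_banner assumes bash (for /dev/tcp) and coreutils timeout are present; parse_banner is plain text handling and is exercised on a constructed banner, so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the post: non-interactive SMTP reachability check plus a
# parser for the server greeting. The sample banner below is constructed, not captured.

# parse_banner LINE -> "ok <server-name>" for a 220 greeting, "tempfail NNN" for 4xx,
# "refused NNN" for 5xx, "no-connection" when smtp_banner got nothing, "unknown" otherwise
parse_banner() {
    line=$(printf '%s' "$1" | tr -d '\r')
    code=${line%% *}
    rest=${line#* }
    case "$code" in
        220)           echo "ok ${rest%% *}" ;;
        4[0-9][0-9])   echo "tempfail $code" ;;
        5[0-9][0-9])   echo "refused $code" ;;
        no-connection) echo "no-connection" ;;
        *)             echo "unknown" ;;
    esac
}

# smtp_banner HOST PORT [TIMEOUT] -> first line the server sends, or "no-connection"
# (uses bash's /dev/tcp pseudo-device, so no telnet or netcat is needed)
smtp_banner() {
    out=$(timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$0/$1" && head -n 1 <&3' "$1" "$2" 2>/dev/null) || out=""
    if [ -n "$out" ]; then printf '%s\n' "$out"; else echo "no-connection"; fi
}

# check_smtp HOST PORT -> verdict for a live endpoint, e.g. check_smtp smtp.gmail.com 587
check_smtp() {
    parse_banner "$(smtp_banner "$1" "$2")"
}

# Constructed banner in the shape of the reply shown above (placeholder host name).
SAMPLE_BANNER='220 mx.example.com ESMTP ready'
SAMPLE_VERDICT=$(parse_banner "$SAMPLE_BANNER")    # -> ok mx.example.com
echo "$SAMPLE_VERDICT"
```

Because the guide's ssmtp.conf uses port 587, `check_smtp smtp.gmail.com 587` is the check that matters for that setup; "no-connection" on 25 but "ok" on 587 is exactly the residential-ISP situation described later in the thread.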
HakanS
Global Moderator
Posts: 4289
Joined: 30 Mar 2006, 10:34
OS: Kubuntu
Release: 23.04 Lunar Lobster
Location: Trollhättan

Re: HOWTO Logwatch - security

Post by HakanS »

Good that you're sharing your knowledge, but why are you writing in English?
pompado
Posts: 448
Joined: 24 Sep 2008, 10:08
OS: Xubuntu
Release: 14.04 Trusty Tahr LTS

Re: HOWTO Logwatch - security

Post by pompado »

Hi, I can't be bothered to rewrite the guide from English to Swedish.
I usually start untangling problems on Ubuntu org and then it ends up in English.
Hope that's OK.

Note, most ISPs I have seen will block any traffic on port 25 if the connection is residential. If this is the case, it is unlikely they will unblock it, so you would need to send email via port 587, instead of port 25.

I should also mention that I'll add how to make a cron job so logwatch sends email automatically every day.
pompado
Posts: 448
Joined: 24 Sep 2008, 10:08
OS: Xubuntu
Release: 14.04 Trusty Tahr LTS

Re: HOWTO Logwatch - security

Post by pompado »

Trying to get cron to work and send email every day with Logwatch.
Happened to type the wrong password with sudo and guess what happens...

I get an email from Logwatch telling me about a failed sudo attempt hahaha cool.
That means I have a real-time security solution, since it took no more than 2 seconds for my phone to ping and notify me about new email.

This feels great!

Code:

patrik : Jun  9 14:32:50 : patrik : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/patrik ; USER=root ; COMMAND=/usr/bin/nano crontab -e
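The check behind that email, as an added example that is not part of pompado's post: Logwatch's sudo report counts the "incorrect password attempt" entries sudo writes to the auth log, and the awk filter below does the same over a few constructed auth.log-style lines (host name, users and the address are placeholders) so you can see how a per-user total and a threshold alert come out of them.

```shell
#!/bin/sh
# Added example, not from the post: count failed sudo authentications per user from
# auth.log-style lines. The log content below is constructed for this example.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jun  9 14:32:50 myhost sudo:   patrik : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/patrik ; USER=root ; COMMAND=/usr/bin/nano crontab -e
Jun  9 14:33:02 myhost sudo:   patrik : TTY=pts/0 ; PWD=/home/patrik ; USER=root ; COMMAND=/usr/bin/nano crontab -e
Jun  9 21:07:11 myhost sudo:    guest : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Jun  9 21:09:40 myhost sudo:    guest : 2 incorrect password attempts ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Jun  9 21:15:03 myhost sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
EOF

# sudo_failures FILE -> "user total" for every user with failed sudo authentication, sorted.
# With awk's default field splitting $5 is "sudo:", $6 the invoking user and $8 the count
# in "N incorrect password attempt(s)"; the sshd line is ignored because $5 differs.
sudo_failures() {
    awk '$5 == "sudo:" && /incorrect password attempt/ { n[$6] += $8 }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# sudo_alert FILE THRESHOLD -> users whose failed attempts reach THRESHOLD, one per line
sudo_alert() {
    sudo_failures "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# sudo_success FILE -> number of sudo commands that actually ran (no failure marker)
sudo_success() {
    awk '$5 == "sudo:" && !/incorrect password attempt/ { c++ } END { print c + 0 }' "$1"
}

sudo_failures "$LOG"        # guest 5 / patrik 1
sudo_alert "$LOG" 3         # guest
sudo_success "$LOG"         # 1
```

On a real system point it at /var/log/auth.log (root needed). Whether these entries reach the report at all depends on the Detail level set in logwatch.conf, and on Ubuntu the logwatch package already drops a daily job under /etc/cron.daily, so look there before adding a cron entry of your own.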