I re-add the list to CC.
Gregory Orange wrote:
Hi Miroslav,
I don't know if this message really contributes anything to the list, so
I'll email you directly.
On 17/02/12 01:04, Miroslav Lachman wrote:
I have seen it many times before, but never took the time to post about it.
Well, thank you for posting it. I'm fairly new to BSD admin (GNU/Linux
for a few years prior), and generally to being the main person
responsible for security.
I am really glad to see that my post helped somebody.
But looking into auth.log I found zero entries from yesterday - the Feb 15
entries were logged 1 year ago!
We've been concerned by some auth.log entries for a week or two, and
only after reading your message and taking a closer look at the context
of the logs did I think of that possibility. It's exactly my issue!
Be aware that setting a shorter time (or a lower file size) for log rotation
is not enough. The 800.loginfail script reads all available rotated
compressed logs. So even if you rotate more often, you will get
false positive alerts if some 1-year-old entries are stored on disk in
/var/log/auth.log.X.bz2 files.
The default setting in newsyslog.conf is
/var/log/auth.log 600 7 500 * JC
This means 7 old compressed archives, each taken after the original log
reaches 500 kB in size. So it can contain more than 10 years of history on
the server I mentioned.
Until FreeBSD logs dates in a format with the year, you must do something
to be sure that none of the files in /var/log store entries older than 364 days.
Cheers,
Miroslav Lachman
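The check Miroslav describes (make sure no file under /var/log still holds entries older than 364 days), as an added example that is not part of this thread or of FreeBSD's periodic scripts: it infers the year of each year-less syslog timestamp from the archive's mtime, walking backwards and stepping the year down at every month/day rollover, then counts entries older than the cutoff in a rotated auth.log.N.bz2. The file name, sample lines, addresses and dates are constructed for the demo.

```python
import bz2
import datetime as dt
import os
import re
import tempfile

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) \d{2}:\d{2}:\d{2} ")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample: an archive closed on 2012-02-16 holding two years of entries.
SAMPLE_MTIME = dt.datetime(2012, 2, 16, 3, 0, 0)
SAMPLE_LINES = [
    "Feb 15 01:04:05 host sshd[1]: Invalid user admin from 192.0.2.1\n",
    "Jul  2 10:00:00 host sshd[2]: Invalid user test from 192.0.2.2\n",
    "Feb 15 02:00:00 host sshd[3]: Invalid user guest from 192.0.2.3\n",
]

def entry_dates(lines, mtime):
    """Assign a year to each syslog line (file order). The last line is no later
    than the archive mtime; walking backwards, the year drops by one whenever
    month/day jumps forward, i.e. at a rollover into the previous year."""
    stamps = [(MONTHS[m.group(1)], int(m.group(2)))
              for m in map(SYSLOG_TS.match, lines) if m]
    year, prev, dates = mtime.year, (mtime.month, mtime.day), []
    for mon, day in reversed(stamps):
        if (mon, day) > prev:      # month/day went forward: previous year
            year -= 1
        prev = (mon, day)
        try:
            dates.append(dt.date(year, mon, day))
        except ValueError:         # Feb 29 landed in a non-leap year
            dates.append(dt.date(year, mon, day - 1))
    return dates[::-1]

def stale_entries(path, today, cutoff_days=364):
    """Count entries in one plain or .bz2 archive older than cutoff_days."""
    mtime = dt.datetime.fromtimestamp(os.path.getmtime(path))
    opener = bz2.open if path.endswith(".bz2") else open
    with opener(path, "rt", errors="replace") as fh:
        dates = entry_dates(fh, mtime)
    return sum((today - d).days > cutoff_days for d in dates)

def demo():
    """Write the constructed sample as auth.log.0.bz2, set its mtime, check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log.0.bz2")
        with bz2.open(path, "wt") as fh:
            fh.writelines(SAMPLE_LINES)
        os.utime(path, (SAMPLE_MTIME.timestamp(),) * 2)
        return stale_entries(path, today=dt.date(2012, 2, 16))  # 1 stale entry
```

Run it over /var/log/auth.log* on a real host by calling stale_entries() on each file with today's date; any nonzero count means 800.loginfail can match last year's entries.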
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"