The FreeBSD Diary


Providing practical examples since 1998

FreeBSD Support
 Portsentry/LogCheck issue
Author: el_kab0ng 
Date:   20-03-01 16:34

When running Portsentry with LogChecker in tow, I seem to be getting a weird error when the application tries to write to the "ignore" file...

I might be asking too soon about this, but I figured I'd just throw it out there to see if anyone else has had the same problems:

Mar 19 21:32:15 the portsentry[16447]: attackalert: ERROR: cannot open ignore file. Blocking host anyway.


I'm not real sure which file it's trying to open/write to.... anyone got any ideas?

 Re: Portsentry/LogCheck issue
Author: Dan Langille 
Date:   20-03-01 22:27

Probably one of the /usr/local/etc/logcheck.* files. Check the permissions. I bet they've changed from the default. logcheck doesn't write to the ignore files. It reads from them. All mine are chmod 600, except logcheck.sh, which is 700. They are chown root:wheel.

 Re: Portsentry/LogCheck issue
Author: el_kab0ng 
Date:   21-03-01 16:21

-rw------- 1 root wheel 998 Mar 18 15:55 logcheck.hacking
-rw------- 1 root wheel 1258 Mar 18 15:55 logcheck.ignore
-rwx------ 1 root wheel 10650 Mar 18 16:01 logcheck.sh
-rw------- 1 root wheel 368 Mar 18 15:55 logcheck.violations
-rw------- 1 root wheel 32 Mar 18 15:55 logcheck.violations.ignore

and yet I still get the "cannot open ignore file, blocking host anyway."

I've had to symlink hosts.deny to hosts.allow due to compilation errors, but that doesn't seem to matter.

 Re: Portsentry/LogCheck issue
Author: Dan 
Date:   14-01-09 01:30

logcheck has changed. This URL has better instructions.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=534986+0+archive/2008/freebsd-questions/20080914.freebsd-questions

In addition to the above, I'd make this change to /etc/newsyslog.conf:

- /var/log/auth.log 600 7 100 * JC
---
+ /var/log/auth.log root:logcheck 640 7 100 * JC
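
Review bot: The mode changes from 600 to 640 on the + line, but the one-time step that follows is only a chgrp. newsyslog applies the owner and mode from this entry when it rotates the log, so until the next rotation the existing /var/log/auth.log stays at 600 and the logcheck group still cannot read it; pair the chgrp with a one-time chmod 640 /var/log/auth.log. The entry also assumes the logcheck group already exists on the host.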


This will ensure that /var/log/auth will be chgrp logcheck and group readable. You'll also need to do this once: chgrp logcheck /var/log/auth.log

--
Webmaster

Post Edited (20-12-12 15:06)
