aru Posted January 15, 2003

delboy711, Senior user. Joined: 03 May 2002. Posts: 412. Location: Wokingham, UK
Posted: Wed May 15, 2002 2:32 pm
Post subject: Setting up Logcheck to monitor security violations.

Logcheck is a script on the Mandrake CDs which will go through the system logs, extract suspicious activity which may indicate your system has been compromised, and send you an email informing you.

When you install the logcheck rpm it will automatically configure itself to run as a daily cron job. However, there is still work to do before you will be able to see the alerts from logcheck.

Logcheck will by default send an email to root@yourhostname detailing security alerts. That email will not be delivered unless you have Postfix installed (Sendmail can do it as well, but it is a nightmare to configure).

In order to receive that mail as a normal user, edit /etc/postfix/aliases and make your user the one to receive root's post:

    # Person who should get root's mail
    root: derek

To make Postfix recognise the alias, in a root terminal enter:

    newaliases

Now any mail for root will go into the mail file /var/spool/mail/derek

The next trick is to get your mail client to read the mail in this file. If you use kmail then Settings > Network > Incoming Mail, click on 'Add'. In the GUI set the parameters like this:

    Name: local (or whatever you like)
    Location: /var/spool/mail/derek
    Locking method: Procmail lockfile (or 'none' if you cannot get it to work)
    Enable interval mail checking with a sensible interval.

Now any mails generated locally in your computer should come into your kmail inbox.

You will find that logcheck will send a lot of unnecessary information. You can cut this down over time by putting regular expressions in /etc/logcheck/ignore to filter out messages you know are not security violations.

That's it. If I have missed out any steps let me know :)

sminons, Newbie. Joined: 13 May 2002. Posts: 20
Posted: Tue Oct 08, 2002 7:52 am
Post subject: How to configure ?

I installed logcheck and ran the command. There was no feedback after running the command. How do we configure logcheck and set its various parameters? Thanks in advance.

Editor's note: This thread was originally posted at the old MUB (Mandrake User Board at club-nihil). This post is the result of a 99% automatic backup, so due to its nature some text may be lost (improbable but possible).
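The filtering step delboy711 describes (regexes in an ignore file that strip known-good lines, with everything else mailed to root) is what decides whether the daily report is readable or noise. Logcheck itself is a shell script built around grep over its pattern files; the Python below is an added illustration written for this page, not logcheck's own code. It performs the same kind of three-way sort over a handful of constructed syslog lines: lines matching violation keywords are reported unless a violations-ignore pattern excuses them, lines matching the ignore list are dropped, and anything left over is reported as unusual. The host name, user names, sample log and the three pattern lists are all assumed for the illustration; the real pattern files on a Mandrake install may be named differently from what is shown here.

```python
import re

# Constructed sample syslog lines (not from a real host); host, users and addresses are placeholders.
SAMPLE_LOG = """\
May 15 02:30:01 wokingham CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
May 15 02:31:07 wokingham sshd[1300]: Accepted password for derek from 192.168.1.20 port 4123 ssh2
May 15 02:31:40 wokingham sshd[1305]: Failed password for root from 10.0.0.5 port 51234 ssh2
May 15 02:31:41 wokingham sshd[1305]: Failed password for root from 10.0.0.5 port 51234 ssh2
May 15 02:32:10 wokingham su(pam_unix)[1410]: session opened for user root by derek(uid=500)
May 15 02:33:00 wokingham kernel: martian source 192.168.1.1 from 10.0.0.5, on dev eth0
May 15 02:34:12 wokingham postfix/local[1500]: 1A2B3: to=<derek@wokingham>, orig_to=<root>, relay=local, status=sent
May 15 02:35:00 wokingham kernel: eth0: link up, 100Mbps, full-duplex
"""

# Hypothetical contents of the ignore file the post mentions: one regex per line,
# '#' comments and blank lines skipped. Anchor on the process name so a pattern
# cannot accidentally swallow a different daemon's message.
IGNORE_FILE = r"""
# routine cron runs
CROND\[[0-9]+\]: \(root\) CMD
# successful logins are noise on this single-user box
sshd\[[0-9]+\]: Accepted password for [^ ]+ from
# local delivery of root's mail to the alias
postfix/local\[[0-9]+\]: .* status=sent
"""

# Hypothetical violation keywords: lines matching these are reported no matter what.
VIOLATIONS_FILE = r"""
Failed password
session opened for user root
martian source
"""

# Hypothetical exceptions: matches a violation keyword but is known-good on this host.
VIOLATIONS_IGNORE_FILE = r"""
session opened for user root by derek\(
"""


def load_patterns(text):
    """Compile one regex per non-blank, non-comment line of a pattern file."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def matches_any(line, patterns):
    return any(p.search(line) for p in patterns)


def classify(log_text, ignore, violations, violations_ignore):
    """Sort each log line into exactly one bucket, in priority order:
    violation (unless excused) > ignored > unusual.
    A line excused by violations_ignore still lands in 'unusual' unless it is
    also covered by the ignore list, so a noisy entry usually needs both."""
    report = {"violations": [], "unusual": [], "ignored": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if matches_any(line, violations) and not matches_any(line, violations_ignore):
            report["violations"].append(line)
        elif matches_any(line, ignore):
            report["ignored"].append(line)
        else:
            report["unusual"].append(line)
    return report


def format_report(report):
    """Build the mail body; None when there is nothing to say (then send no mail)."""
    out = []
    for title, lines in (("Security Violations", report["violations"]),
                         ("Unusual System Events", report["unusual"])):
        if lines:
            out.append(title)
            out.append("=" * len(title))
            out.extend(lines)
            out.append("")
    return "\n".join(out) if out else None


def run(log_text=SAMPLE_LOG):
    report = classify(log_text,
                      load_patterns(IGNORE_FILE),
                      load_patterns(VIOLATIONS_FILE),
                      load_patterns(VIOLATIONS_IGNORE_FILE))
    return report, format_report(report)


if __name__ == "__main__":
    _, body = run()
    print(body if body is not None else "nothing to report; no mail would be sent")
```

On the sample input the three ignore patterns remove the cron run, the successful login and the local mail delivery; the two failed root logins and the martian packet are reported as violations; the su to root by derek is excused from the violations section but still surfaces under unusual events, alongside the link-up message, until a pattern for it is also added to the ignore list. When every line is filtered the body is None, which is the quiet result a freshly run check produces when it finds nothing to mail.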
Relic2K Posted January 29, 2003

This didn't work for me either. I was not able to run the "newalias" command where the TUT said to; I think it is because of the differences in versions.

bvc Posted January 29, 2003

It's newaliases and it's part of sendmail. Is sendmail installed?

Relic2K Posted January 29, 2003

BVC, I am using Mandrake 9.0, and yes, both PostFix and SendMail are installed and running. When I try to run

    # newaliases

it does nothing, just hangs there. If I run

    # newaliases.postfix -I   (Initialize DB)

it actually does something.
Relic2K Posted January 30, 2003

> Logcheck will by default send an email to root@yourhostname detailing security alerts. That email will not be delivered unless you have Postfix installed (Sendmail can do it as well but it is a nightmare to configure). In order to receive that mail as a normal user edit /etc/postfix/aliases and make your user the one to receive root's post
>
>     # Person who should get root's mail
>     root: user
>
> To make Postfix recognise the alias. In a root terminal enter newaliases. Now any mail for root will go into the mail file /var/spool/mail/derek

I did the following, but the "newaliases" command does not work with PostFix and Mandrake 9.0. I had to run the "newaliases.postfix -I" command to get it to work. I can see the mail going into /var/spool/mail/postfix, vice /var/spool/mail/user. I can even view them, and they are the output of the cron job that Logcheck does. Why is the mail going to postfix vice my user account? Anyone have any ideas?

Upon further examination of the /usr/bin/newaliases file, it is supposed to be symlinked to /etc/alternatives/mta-newaliases, but this file doesn't exist. The file is missing; there is only /etc/alternatives/mta and /etc/alternatives/mta-rmail. So now I know why it would not run when I tried to run the "newaliases" command. Does anyone know where this file is supposed to be symlinked to?
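The check Relic2K ends up doing by hand (following /usr/bin/newaliases through /etc/alternatives and finding the chain ends at a file that is not there) is worth automating, because os.path.realpath and a plain ls -l both hide which hop is the broken one. The snippet below is an added example for this page, not anything from the thread or from Mandrake's packaging: it walks a symlink chain one hop at a time, resolving relative targets against the link's own directory and guarding against loops, and reports every hop plus whether the final target exists. To keep it runnable offline it builds a scratch tree under a temporary directory that mimics the layout the post describes (newaliases pointing at a missing mta-newaliases, while mta points at a real file); the file names under the scratch root are assumptions for the illustration and nothing is read from the real system.

```python
import os
import tempfile


def symlink_chain(path):
    """Follow symlinks hop by hop.
    Returns (hops, final_path, exists): 'hops' lists every symlink visited in
    order, so the exact point where a chain breaks is visible; 'exists' is
    False when the last target is missing or when the chain loops."""
    hops, seen, current = [], set(), path
    while os.path.islink(current):
        if current in seen:            # loop guard: a -> b -> a
            return hops, current, False
        seen.add(current)
        hops.append(current)
        target = os.readlink(current)
        if not os.path.isabs(target):  # relative targets resolve from the link's dir
            target = os.path.join(os.path.dirname(current), target)
        current = os.path.normpath(target)
    return hops, current, os.path.exists(current)


def build_broken_tree(root):
    """Constructed layout mirroring the post, rooted at a scratch directory:
    <root>/usr/bin/newaliases -> <root>/etc/alternatives/mta-newaliases (missing)
    <root>/etc/alternatives/mta -> <root>/usr/sbin/sendmail.postfix (present)
    The file names are assumptions for the illustration."""
    for sub in ("usr/bin", "usr/sbin", "etc/alternatives"):
        os.makedirs(os.path.join(root, sub))
    real_mta = os.path.join(root, "usr", "sbin", "sendmail.postfix")
    open(real_mta, "w").close()
    os.symlink(real_mta, os.path.join(root, "etc", "alternatives", "mta"))
    os.symlink(os.path.join(root, "etc", "alternatives", "mta-newaliases"),
               os.path.join(root, "usr", "bin", "newaliases"))
    return root


def diagnose(root):
    """Walk the two links of interest and return {name: (hops, final, exists)}."""
    links = {
        "newaliases": os.path.join(root, "usr", "bin", "newaliases"),
        "mta": os.path.join(root, "etc", "alternatives", "mta"),
    }
    return {name: symlink_chain(path) for name, path in links.items()}


def demo():
    """Build the scratch tree, diagnose it, and return {name: (hop_count, exists)}."""
    with tempfile.TemporaryDirectory() as root:
        build_broken_tree(root)
        results = diagnose(root)
        return {name: (len(hops), exists) for name, (hops, _final, exists) in results.items()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        build_broken_tree(scratch)
        for name, (hops, final, exists) in diagnose(scratch).items():
            status = "ok" if exists else "BROKEN"
            print(f"{name}: {' -> '.join(hops)} -> {final} [{status}]")
```

Pointed at a real box (replace the scratch root with "/"), the same walker prints the hop at which /usr/bin/newaliases stops resolving, which is the piece of information the post had to dig out manually; it does not say what the missing alternative should point to, only that it is absent.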