Daily report of your Ubuntu with Logwatch

Logwatch parses the server's logs and mails a daily summary, so you can see what has happened on the machine without reading the raw log files yourself.

This tutorial was written on a Clouding.io VPS (partner content).

We start by installing Logwatch:

apt -y install logwatch

Then create the cache directory that Logwatch uses as its temporary working directory (TmpDir below); on some Ubuntu releases the package does not create it and Logwatch refuses to run without it:

mkdir -p /var/cache/logwatch/

Copy the default configuration to /etc/logwatch/conf/, which is where local overrides belong (files under /usr/share/logwatch are replaced on package upgrades), and edit it. Set MailTo to a mailbox you actually read; the mailer line needs a working local MTA such as Postfix that provides /usr/sbin/sendmail.

cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
vim /etc/logwatch/conf/logwatch.conf
LogDir = /var/log
TmpDir = /var/cache/logwatch
Output = mail
Format = text
Encode = none
#CharEncoding = ""
MailTo = wordpress@example.com
MailFrom = logwatch@example.com
#Filename = /tmp/logwatch
Archives = yes
Range = yesterday
Detail = 10
Service = all
mailer = "/usr/sbin/sendmail -t"

Once the configuration is done, run Logwatch by hand to print the report to the terminal and confirm that it parses your logs:

logwatch --output=stdout --detail high --format text

To receive the report every day, schedule it with cron. The example below runs at 8 in the morning and empties the cache directory before each run. Note that the Ubuntu package already installs /etc/cron.daily/00logwatch, so either remove that file or skip this step, otherwise you will get the report twice.

crontab -e
0 8 * * * rm -rf /var/cache/logwatch/* && /usr/sbin/logwatch

The following report (example output) shows the volume of SSH brute-force activity a public server receives in a single day. Entries such as "root/password: 50 Times" are password-guessing attempts against root, "Illegal users" are guesses at accounts that do not exist, and the "Users logging in through sshd: root" entry shows that the root account accepts remote SSH logins on this host, which is exactly what the attackers are after.

 ################### Logwatch 7.5.2 (07/22/19) ####################
        Processing Initiated: Sun Jul 11 08:34:25 2021
        Date Range Processed: yesterday
                              ( 2021-Jul-10 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: example
 ##################################################################

 --------------------- Cron Begin ------------------------

 Commands Run:
    User root:
          cd / && run-parts --report /etc/cron.hourly: 24 Time(s)
          test -x /etc/cron.daily/popularity-contest && /etc/cron.daily/popularity-contest --crond: 1 Time(s)
          test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r: 1 Time(s)
          test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ): 1 Time(s)

 ---------------------- Cron End -------------------------


 --------------------- pam_unix Begin ------------------------

 cron:
    Sessions Opened:
       root: 27 Time(s)

 sshd:
    Authentication Failures:
       root (221.131.165.23): 486 Time(s) 
       www-data (81.70.149.29): 1 Time(s)
    Invalid Users:
       Unknown Account: 2002 Time(s)
    Sessions Opened:
       root: 2 Time(s)

 systemd-user:
    Sessions Opened:
       root: 2 Time(s)


 ---------------------- pam_unix End -------------------------


 --------------------- SSHD Begin ------------------------


 Network Read Write Errors: 17

 Negotiation failed:
    no matching host key type found
       143.137.166.137: 3 Times
         ecdsa-sha2-nistp384: 1 Time
         ecdsa-sha2-nistp521: 1 Time
         ssh-dss: 1 Time
    no matching key exchange method found
       105.203.195.68: 2 Times
         diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1: 2 Times
       141.98.10.203: 25 Times
         diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1: 25 Times

 Disconnecting after too many authentication failures for user:
    root : 2 Times

 Failed logins from:
    1.14.195.32: 50 Times
       root/password: 50 Times
    1.116.101.225: 38 Times
       root/password: 38 Times
    1.116.237.80: 70 Times
       root/password: 70 Times 

 Illegal users from:
    1.116.101.225: 1 Time
       minist123: 1 Time
    1.117.147.110: 29 Times
       postgres: 2 Times
       user: 2 Times
       123456: 1 Time
       admin: 1 Time
       argo: 1 Time
       bot2: 1 Time
       cent: 1 Time
       chandra: 1 Time
       deploy: 1 Time
       ekp: 1 Time
       hadoop: 1 Time
       info: 1 Time
       jessica: 1 Time
       joao: 1 Time
       maria: 1 Time
       minecraft: 1 Time
       odoo: 1 Time
       root123: 1 Time
       rosa: 1 Time
       scs: 1 Time
       sdtdserver: 1 Time
       starbound: 1 Time
       test_ftp: 1 Time
       usuario2: 1 Time
       webuser: 1 Time
       wei: 1 Time
       zhanglei: 1 Time

 Users logging in through sshd:
    root:
       185.140.212.136: 2 Times

 Received disconnect:
     [preauth]
       221.131.165.23 : 162 Time(s)
       221.131.165.56 : 83 Time(s)
    Bye Bye [preauth]
       1.116.101.225 : 39 Time(s)
       1.116.237.80 : 70 Time(s)
       1.117.147.110 : 31 Time(s) 
    disconnected by user [preauth]
       34.136.86.240 : 14 Time(s)

 **Unmatched Entries**
 error: Protocol major versions differ: 2 vs. 1 : 2 Times
 error: kex protocol error: type 30 seq 1 [preauth] : 2 Times
 error: kex_exchange_identification: Connection closed by remote host : 48 Times
 error: kex_exchange_identification: banner line contains invalid characters : 7 Times
 error: kex_exchange_identification: client sent invalid protocol identifier "" : 1 Time
 error: kex_exchange_identification: client sent invalid protocol identifier "214#" : 1 Time
 error: kex_exchange_identification: read: Connection reset by peer : 13 Times
 error: send_error: write: Connection reset by peer : 1 Time
 message repeated 2 times: [ Failed password for root from 221.131.165.23 port 10780 ssh2] : 1 Time
 message repeated 5 times: [ Failed password for root from 34.136.86.240 port 60426 ssh2] : 1 Time

 ---------------------- SSHD End -------------------------


 --------------------- Disk Space Begin ------------------------

 Filesystem      Size  Used Avail Use% Mounted on
 /dev/sda1       9.8G  5.7G  3.8G  61% /


 ---------------------- Disk Space End -------------------------


 ###################### Logwatch End #########################
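To make clear what the SSHD and pam_unix sections of the report above are aggregating, here is an added Python example, not part of the original tutorial and not Logwatch's own code, that parses sshd lines from /var/log/auth.log and groups them the way the report does: failed logins for existing accounts per source IP, "illegal" (non-existent) usernames per source IP, and successful logins. It then extracts the two things worth acting on from such a report: source IPs above a brute-force threshold and successful password logins to root. The log lines are constructed for the example (the hostname, PIDs, ports and the 192.0.2.10 address are made up), and the threshold of 20 attempts is an assumption; tune it to your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log sample in rsyslog's traditional format; not from any
# real host. Modeled on the kinds of lines summarized in the report above.
SAMPLE_AUTH_LOG = """\
Jul 10 03:12:01 example sshd[1201]: Failed password for root from 1.14.195.32 port 40122 ssh2
Jul 10 03:12:03 example sshd[1201]: Failed password for root from 1.14.195.32 port 40122 ssh2
Jul 10 03:12:05 example sshd[1201]: Failed password for root from 1.14.195.32 port 40122 ssh2
Jul 10 03:15:44 example sshd[1220]: Invalid user postgres from 1.117.147.110 port 51002
Jul 10 03:15:44 example sshd[1220]: Failed password for invalid user postgres from 1.117.147.110 port 51002 ssh2
Jul 10 03:16:10 example sshd[1225]: Invalid user admin from 1.117.147.110 port 51010
Jul 10 03:16:10 example sshd[1225]: Failed password for invalid user admin from 1.117.147.110 port 51010 ssh2
Jul 10 08:01:12 example sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:c29tZWZha2VoYXNo
Jul 10 08:30:00 example sshd[1310]: Accepted password for root from 185.140.212.136 port 33000 ssh2
Jul 10 09:00:00 example sshd[1320]: error: kex_exchange_identification: Connection closed by remote host
"""

# Message shapes emitted by OpenSSH's sshd; hostname and PID vary per line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize(lines):
    """Group sshd events the way Logwatch's SSHD section does.

    failed_logins[ip]["user/method"] -> count for accounts that exist
    illegal_users[ip][user]          -> count for accounts that do not exist
    accepted[user][ip]               -> count of successful logins
    password_logins                  -> list of (user, ip) that got in by password
    unmatched                        -> sshd messages none of the patterns cover
    """
    failed = defaultdict(Counter)
    illegal = defaultdict(Counter)
    accepted = defaultdict(Counter)
    password_logins = []
    unmatched = []
    for line in lines:
        if "sshd[" not in line:
            continue
        if m := INVALID_RE.search(line):
            illegal[m["ip"]][m["user"]] += 1
        elif m := FAILED_RE.search(line):
            # Failures for non-existent users are already counted from their
            # "Invalid user" line; this mirrors Logwatch's split between the
            # "Failed logins from" and "Illegal users from" tables.
            if not m["invalid"]:
                failed[m["ip"]][f"{m['user']}/{m['method']}"] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted[m["user"]][m["ip"]] += 1
            if m["method"] == "password":
                password_logins.append((m["user"], m["ip"]))
        else:
            # Keep the message part only, like the report's "Unmatched Entries".
            unmatched.append(line.split(": ", 1)[1].strip())
    return {
        "failed_logins": dict(failed),
        "illegal_users": dict(illegal),
        "accepted": dict(accepted),
        "password_logins": password_logins,
        "unmatched": unmatched,
    }


def findings(summary, threshold=20):
    """Reduce the summary to actionable items.

    brute_force_ips: sources with at least `threshold` failed or illegal
    attempts (candidates for fail2ban or a firewall block list).
    root_password_logins: sources that logged in as root with a password,
    which means sshd still permits both root login and password auth.
    The threshold value is an assumption for this example.
    """
    attempts = Counter()
    for table in ("failed_logins", "illegal_users"):
        for ip, users in summary[table].items():
            attempts[ip] += sum(users.values())
    return {
        "brute_force_ips": sorted(ip for ip, n in attempts.items() if n >= threshold),
        "root_password_logins": [ip for user, ip in summary["password_logins"] if user == "root"],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUTH_LOG.splitlines())
    for table in ("failed_logins", "illegal_users", "accepted"):
        print(table, dict(summary[table]))
    print("unmatched", summary["unmatched"])
    print("findings", findings(summary, threshold=3))
```

On a real host, replace the constructed sample with `open("/var/log/auth.log")` (or `journalctl -u ssh -o short`) and raise the threshold; the root password logins list is the finding to act on first, since the brute-force traffic only matters while password authentication for root is still enabled in /etc/ssh/sshd_config.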

About this document

This document is licensed under the EUPL v1.2, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in a presentation or in any material you distribute, please mention this site or its author and release the material you create under the EUPL license.