Saturday, January 2, 2016

Logwatch for a Ubuntu 14.04 public-facing SSH server

The following post will show you how to set up Logwatch on a Ubuntu machine with a public facing SSH server, so that every day you are e-mailed a daily summary of stats, as per the screenshot below.  In a separate blog post, I will include a very easy mechanism to block the offending IP addresses of repeated failed logins.  This might all sound very daunting, but it is in fact, very easy to set up.  So without further ado, let's get started.

This post assumes that you are dealing with a public-facing SSH server.  That is, a small or home office Ubuntu machine which you are able to ssh into from the outside world.

This post will also assume you are using Ubuntu 14.04.x LTS.  The advice contained within this post may also work for other Ubuntu versions.

If you are not already running an SSH server on your Ubuntu machine, it's very easy to get it up and running;

sudo apt-get install openssh-server

After it finishes installing, your system will automatically get it up and running (without rebooting).  You can check for the existence of a running server with a simple grep.

ps aux | grep sshd
root      6958  0.1  0.1  61372  5048 ?  Ss   15:02   0:00 /usr/sbin/sshd -D

Note: The rest of this post assumes you can ssh into your machine from the outside world.  For example, you should be able to ssh into your machine using an app on your mobile device.  If you can't, then there's something blocking your Ubuntu machine from being accessible to the outside world, and you'll need to address that problem before continuing with the rest of this post.  If your Ubuntu machine resides at home behind an ISP-provided router, you will most likely need to research what port forwarding is, and learn how to set that up on your home router.

Your SSH server's configuration file (config file) lives at /etc/ssh/sshd_config.  There are various options you can set here such as changing the listening port, allowing or disallowing root logins, and so on.  You can look at man sshd_config or google for "sshd_config options" for more info.  Every time you edit this file you will need to restart your SSH server.

sudo service ssh restart


rsyslog is the system logger which comes with Ubuntu by default.  You'll want to modify its configuration file so that it redirects all messages related to your SSH server to a separate log file.

Add the following line (anywhere) to your /etc/rsyslog.d/50-default.conf:

# Redirect sshd messages
if $programname == 'sshd' then /var/log/sshd/sshd.log

Every line beginning with a hash is a comment.  After modifying the file, restart the service.

sudo service rsyslog restart

After that, you'll notice that every time someone tries to log in to your Ubuntu machine remotely via ssh, gets the username or password wrong, disconnects from the server, or starts, stops or restarts the sshd service, diagnostic messages will appear in /var/log/sshd/sshd.log.

For a while, these messages might seem informative and useful, but over time the messages will grow out of control and be too cumbersome to manage and analyze.  This is where logwatch comes in handy.
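The kind of per-day roll-up that logwatch produces from this file, as an added Python example that is not part of the original post: it parses the rsyslog line format written by the rule above (syslog timestamps carry no year, so the day is matched on month and day only) and counts failed, invalid-user and accepted logins.  The sample log lines are constructed, not a real capture.

```python
import re
from collections import Counter

# One rsyslog line: "Mon DD HH:MM:SS host sshd[pid]: message" (the timestamp has no year).
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")

def summarize(lines, mon, day):
    """Count sshd events for one calendar day (mon='Jan', day=2), as logwatch's Range = today does."""
    report = {"Failed logins by source IP": Counter(), "Failed logins by username": Counter(),
              "Invalid usernames tried": Counter(), "Accepted logins": Counter()}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (m["mon"], int(m["day"])) != (mon, day):
            continue                      # unknown format, or not the day being reported
        msg = m["msg"]
        f, a, i = FAILED_RE.match(msg), ACCEPTED_RE.match(msg), INVALID_RE.match(msg)
        if f:                             # wrong password or key, for a real or an invalid user
            report["Failed logins by source IP"][f["ip"]] += 1
            report["Failed logins by username"][f["user"]] += 1
        elif a:                           # successful login: who, from where, by which method
            report["Accepted logins"][f"{a['user']}@{a['ip']} ({a['method']})"] += 1
        elif i:                           # username that does not exist on this machine
            report["Invalid usernames tried"][f"{i['user']} from {i['ip']}"] += 1
    return {title: dict(c) for title, c in report.items()}

def render(summary):
    """Plain-text report like logwatch's sshd section: one heading per counter, busiest first."""
    out = []
    for title, counts in summary.items():
        out.append(title + ":")
        out += [f"  {k}: {n}" for k, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    return "\n".join(out)

# Constructed sample in the format the post's rsyslog rule writes; not a real capture.
SAMPLE_LOG = """\
Jan  2 15:10:03 office sshd[7001]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan  2 15:10:07 office sshd[7001]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan  2 15:11:40 office sshd[7010]: Invalid user admin from 198.51.100.23
Jan  2 15:11:42 office sshd[7010]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jan  2 16:30:15 office sshd[7044]: Accepted publickey for alice from 203.0.113.9 port 51234 ssh2
Jan  2 17:00:00 office sshd[7100]: Failed password for bob from 192.0.2.77 port 2222 ssh2
Jan  1 23:59:58 office sshd[6900]: Failed password for root from 192.0.2.77 port 3333 ssh2
"""

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines(), "Jan", 2)))
```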

 sudo apt-get install logwatch

When it comes up with a graphical prompt, choose "Internet Site", as we will later be using SMTP.  Change the System Mail Name to any name of your choosing.  You can choose a name which describes your machine.  Use your favourite text editor to create the file /etc/logwatch/conf/logfiles/sshd.conf.  This file only needs to contain one line:

Logfile = /var/log/sshd/sshd.log

Now open the following file with your editor:

In that file you'll find a section starting with "Service = All".  Comment out all the "Service =" lines (including Service = All) and add in your own line at the bottom, just for our ssh server;

Service = "sshd"

Also change the line #mailer = "/usr/sbin/sendmail -t" to mailer = "/usr/sbin/sendmail" (we will install this program in the next section).

The Range parameter should be set to 'today', MailTo should be your email address, and MailFrom can be anything.

As you might recall from the beginning of the post, logwatch e-mails you an easy-to-digest summary of the logfiles on your system which your system logger produces.  For this, logwatch is going to need a way to send out emails.  The next section details this.  For reasons which will become apparent soon, you will need to set yourself up a fresh email account (in this post I will be using a Gmail account).

Proceed to install an SMTP (Simple Mail Transfer Protocol) client on your machine;

 sudo apt-get install ssmtp

Now edit the configuration file, /etc/ssmtp/ssmtp.conf.  Delete all the lines and start over, like so:
'root' should be replaced with your email address, and so on.  During this step, you're going to be entering in your password as raw text.  So as I mentioned in the previous section, it's safest to open a new e-mail account dedicated just for logwatching.  Save and close the file.

Test your setup
At this point everything should be up and running.  Execute the following line from your terminal (no root permissions required), and within a few seconds, you should receive an email on your designated logwatch email account.

# /usr/sbin/logwatch --mailto

If you don't receive any e-mail, make sure there's some activity during "today" inside your /var/log/sshd/sshd.log file.  Generate some activity (e.g. by logging in and logging out remotely), and then execute the above command again.

If the above command works and you do receive an e-mail, there's nothing left for you to do.  Every day at a fixed time (or whenever you power on your machine), you will receive an e-mail generated by logwatch and sent by ssmtp which will look like the example at the beginning of this post.