- Create secubox-auth-logger package to monitor SSH/LuCI auth failures - auth-monitor.sh watches logread for failed password attempts - Supports OpenSSH, Dropbear, and uhttpd/LuCI authentication - Logs failures to syslog with secubox-auth tag for CrowdSec parsing - Fix wizard.js syntax error with computed property names - Remove broken Dropbear verbose config (2024.86 doesn't support -v) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
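#!/bin/sh
# SecuBox Auth Logger - post-install configuration.
#
# Enables uhttpd syslog output, creates the auth-failures log file and, when
# a CrowdSec acquisition directory is present, writes an acquisition file
# for it.
#
# Note: Dropbear 2024.86 does NOT support the -v flag, so no Dropbear option
# is changed here. Auth monitoring relies on parsing existing syslog messages;
# the auth-monitor.sh script watches logread for auth failures.
#
# Every step is best-effort: failures are reported on stderr and the script
# always exits 0.

# Enable uhttpd syslog. The commit and the restart run only if the preceding
# step succeeded, so a failed "uci set" no longer triggers a pointless
# restart of the web server.
if [ -f /etc/config/uhttpd ]; then
  if uci set uhttpd.main.syslog='1' && uci commit uhttpd; then
    # Restart errors stay silenced, as before; the restart is best-effort.
    /etc/init.d/uhttpd restart 2>/dev/null
  else
    printf '%s\n' "secubox-auth-logger: could not enable uhttpd syslog" >&2
  fi
fi

# Create auth failures log file.
# NOTE(review): mode 644 makes this file world-readable. Auth-failure records
# presumably carry attempted usernames and source addresses; if every reader
# runs as root, 600 or 640 would be the tighter choice. Confirm against
# auth-monitor.sh before changing it.
touch /var/log/auth-failures.log
chmod 644 /var/log/auth-failures.log

# Add acquisition for CrowdSec if installed.
# NOTE(review): the acquisition reads /var/log/messages. On a system that
# keeps its log only in the logd ring buffer (read through logread) that file
# may not exist, and CrowdSec would then see no secubox-auth events. Confirm
# that syslog is also written to that path.
if [ -d /etc/crowdsec/acquis.d ]; then
  # The heredoc delimiter is quoted, so the YAML is written literally; its
  # indentation is significant.
  if cat > /etc/crowdsec/acquis.d/secubox-auth.yaml << 'EOF'
# SecuBox Auth Failure Acquisition
# Reads from /var/log/messages for secubox-auth tagged messages
filenames:
  - /var/log/messages
labels:
  type: syslog
EOF
  then
    # Restart CrowdSec to pick up new acquisition
    /etc/init.d/crowdsec restart 2>/dev/null
  else
    printf '%s\n' "secubox-auth-logger: could not write CrowdSec acquisition" >&2
  fi
fi

exit 0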