Hi,

Please bear in mind that I'm approximately one week into Linux, so in answering don't assume that I know the obvious.

I hope this is the right forum to post this... I've inherited a production environment with several CentOS machines (and as far as I figured out it should be close enough to RHEL to ask the question here).

I am getting mail (/var/spool/mail) to root with things that logwatch is picking up on. Mainly I saw multiple failed attempts to log in to SSH with multiple usernames (brute force). I then tried to "reverse engineer" where it's coming from.
I've found the logwatch script itself under cron.daily, the default config file and the (empty) user config file.

Who decides what logwatch will look for in a log? Is that configurable or hardcoded into logwatch.pl?
Also, I've been trying to find the source logs for everything under the "--------------------- pam_unix Begin ------------------------" section:

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user chaya : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user carlota : 1 time(s)

Failed logins from:
59.39.66.30: 44 times
78.31.70.180: 104 times

etc.

Obviously it's all pam. I found the log file at /var/logs/secure, but who is responsible for the summary data in the mail? Is it logwatch? Again, where is that defined?

One last question regarding security. Where I come from, you put your production machines behind some HW firewall and give any sort of access (other than to your apps) only via VPN. I realize that an SSH session is secure, but the machines are just out there, open for probing. Should I install a software-based VPN (openvpn? other?) and just close everything using iptables? Is that a "sound" network configuration? If not like that, then how?

Thanks,
DB
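Added example, not code from this thread or from logwatch itself (whose pam_unix service script is Perl, under /usr/share/logwatch/scripts/services/ on CentOS): a small Python script that reproduces the pam_unix summary above from constructed /var/log/secure lines, counting authentication failures per rhost and collecting the pam_succeed_if lines that end up under "Unmatched Entries". The sample log lines and hostnames are constructed, and the addresses are documentation ranges, not real sources.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines written by sshd via PAM.
SAMPLE_SECURE_LOG = """\
Mar  3 04:12:01 web1 sshd[4120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Mar  3 04:12:03 web1 sshd[4120]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  3 04:12:05 web1 sshd[4121]: Invalid user chaya from 198.51.100.7
Mar  3 04:12:05 web1 sshd[4121]: pam_succeed_if(sshd:auth): error retrieving information about user chaya
Mar  3 04:12:06 web1 sshd[4121]: pam_unix(sshd:auth): check pass; user unknown
Mar  3 04:12:06 web1 sshd[4121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar  3 04:12:09 web1 sshd[4122]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin
Mar  3 04:12:40 web1 sshd[4125]: pam_unix(sshd:session): session opened for user dbadmin by (uid=0)
"""

# A PAM auth failure carries the remote host in rhost=; that is what the
# "Failed logins from:" list is keyed on.
AUTH_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)")
# pam_succeed_if has no dedicated rule, so its messages land in "Unmatched Entries".
SUCCEED_IF = re.compile(r"pam_succeed_if\(sshd:auth\): (error retrieving information about user \S+)")


def summarize_pam(log_text):
    """Return (failed_by_host, unmatched) as two Counters: failures keyed by
    rhost, and unmatched PAM messages keyed by their text."""
    failed_by_host = Counter()
    unmatched = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            failed_by_host[m.group(1)] += 1
            continue
        m = SUCCEED_IF.search(line)
        if m:
            unmatched[m.group(1)] += 1
        # Session lines, "user unknown" and sshd's own "Failed password" lines
        # are ignored here; the latter belong to a different logwatch service (sshd).
    return failed_by_host, unmatched


def render(failed_by_host, unmatched):
    """Format the counters in the same shape as the mailed report."""
    out = ["**Unmatched Entries**"]
    out += [f"{msg} : {n} time(s)" for msg, n in unmatched.most_common()]
    out += ["", "Failed logins from:"]
    out += [f"{host}: {n} times" for host, n in failed_by_host.most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*summarize_pam(SAMPLE_SECURE_LOG)))
```

To run it against a real machine, read /var/log/secure (as root) in place of SAMPLE_SECURE_LOG; the per-host totals should line up with what the daily logwatch mail reports for pam_unix.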