Swatch as normal user
Submitted by Anonymous on Sat, 2006-03-11 17:23
Hello!
Gotta say that section6 saved me again. I enabled SSH on my FreeBSD 6 server
so I can work from home during the weekend. Got my stuff from the office
and walked home. I logged in and was amazed that in just one hour I was
already scanned twice and also had a brute force hack attempt.
I followed the swatch+pf tutorial in here, but I'm a bit uncomfortable
running swatch as root. I don't know, I'm new to UNIX, but every document
I read advised to run as few programs as possible using root.
So I started experimenting:
Created user swatch:
swatch:*:1001:1001::0:0:Swatch Log Watcher:/home/swatch:/usr/sbin/nologin
I also passed -D to adduser so it doesn't create a home folder.
Edited /etc/rc.conf:
swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/etc/swatch/.swatchrc1 --script-dir=/etc/swatch --tail-file=/var/log/all.log --awk-field-syntax --daemon --pid-file=/etc/swatch/swatch1.pid"
swatch_1_user="swatch"
swatch_1_pid="/etc/swatch/swatch1.pid"
I've put the pid file in /etc/swatch because I got some error about
not being able to write to /var/run.
Edited /etc/swatch/.swatchrc1:
#Look for bad ssh attempts, if found, block them!
watchfor /Invalid user/
exec "/etc/swatch/addblock $10"
mail addresses=me\@yahoo.com, subject=SSH hacker blocked
# monitor interactive logins
watchfor /Accepted keyboard/
mail addresses=me\@yahoo.com, subject=Interactive login
I had to escape the @ character here, because swatch doesn't escape it
in the perl script it generates and I get an error.
Created the addblock script as in the tutorial.
Then I set permissions for /etc/swatch/
#chown -R swatch /etc/swatch
#chmod -R 740 /etc/swatch
Edited /etc/syslog.conf and uncommented this line:
*.* /var/log/all.log
#echo "" > /var/log/all.log
#chmod 644 /var/log/all.log
Here I have a problem. After the log grows, it is archived to
all.log.0.bz2 and a new all.log is created with 600 perms. Because of
this tail can't read the log anymore and swatch stops. Where can I alter
this behaviour?
Also, is it safe to give read permission to everyone for all.log?
Or should I chown it to swatch? Will that break anything?
Another issue is that after an IP is added to the hackers table it won't
take effect until after a reboot. The addblock script gets executed, because
I can see the blocked IP in /etc/swatch/hackers. In attempting to figure
out what's not going right with pfctl I installed sudo and did:
#sudo -u swatch pfctl -t hackers -T show
pfctl: /dev/pf: Permission denied
#ls -lh /dev | grep pf
crw------- 1 root wheel 0, 98 Mar 12 01:31 pf
Now I'm really not sure if I should alter permissions for this. So my
final question is: Is it worth the trouble of running swatch as non-root ?
Best regards,
Galanton Peter
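Editor's note: the post passes awk field $10 of an sshd log line straight into the addblock script, and that field is attacker-influenced (a username containing spaces shifts the fields, and anything after "from" ends up in the shell command). The script below is an added example, not the tutorial's addblock script or anything from the poster; it validates the address before touching the blocklist or pf, and inserts the address into the running table with "pfctl -t hackers -T add" so it takes effect immediately rather than at the next reboot. It assumes a pf table named hackers, a blocklist file at /etc/swatch/hackers, and a sudoers rule that lets the swatch user run /sbin/pfctl; all three are assumptions, and HACKERS_FILE and PFCTL can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not the original tutorial's addblock script).
# Called by swatch as: exec "/etc/swatch/addblock $10"
#
# Assumptions (not from the original post):
#   - the pf table is named "hackers"
#   - the blocklist file is /etc/swatch/hackers
#   - a sudoers entry allows the swatch user to run /sbin/pfctl
HACKERS_FILE="${HACKERS_FILE:-/etc/swatch/hackers}"
PFCTL="${PFCTL:-sudo /sbin/pfctl}"

# valid_ipv4 ADDR: return 0 if ADDR is a dotted-quad IPv4 address
# (four decimal octets, each 0-255), 1 otherwise. Pure POSIX sh, so it
# works under FreeBSD's /bin/sh as well as bash.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;     # only digits and dots allowed
    esac
    oldifs="$IFS"
    IFS=.
    set -- $1                         # split into octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1              # rejects "1..2.3", ".1.2.3"
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# addblock ADDR: record ADDR in the blocklist file and add it to the live
# pf table. Returns 1 (and blocks nothing) for a malformed address,
# 2 if the address is already listed, otherwise pfctl's exit status.
addblock() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "addblock: refusing to block malformed address: $ip" >&2
        return 1
    fi
    if grep -qxF "$ip" "$HACKERS_FILE" 2>/dev/null; then
        return 2                      # already blocked, nothing to do
    fi
    echo "$ip" >> "$HACKERS_FILE"
    # Update the running table directly; no reboot or ruleset reload needed.
    $PFCTL -t hackers -T add "$ip"
}

# When run as the addblock script itself, block the single argument.
if [ "${0##*/}" = "addblock" ]; then
    addblock "$1"
    exit $?
fi
```

Two practical notes. First, keep the sudoers rule as narrow as possible (for example only /sbin/pfctl for the swatch user) and rely on the validation above rather than on a sudoers argument wildcard, since a `*` in sudoers matches across whitespace. Second, on FreeBSD the owner and mode of the freshly rotated log come from the entry for /var/log/all.log in /etc/newsyslog.conf (fields: path, optional owner:group, mode, count, size, when, flags), which is where the 600 mode on the new all.log is set.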
Thanks
Still having problems with swatch
Actually this is a fairly