* login attempts
From: Scott Taylor @ 2003-04-10 14:36 UTC (permalink / raw)
To: linux-admin
Hello all,
I know I can find login attempts in the /var/log files. Does anyone know
of a way to tell ssh2d to send an email to the SysAdmin on failed login
attempts?
I tried with a script /bin/warn:
#!/bin/bash
mail -s "$LOGNAME" root <<EOF
User $LOGNAME attempted to log in at:
`date`
From: $SSH_CLIENT
EOF
exit 0
which works fine from the command line, but not always (most of the time)
from a login attempt when the user's shell is /bin/warn.
Output, when it works, looks like this:
Subject: scott
User scott attempted to log in at:
Thu Apr 10 07:25:06 PDT 2003
From: 192.168.99.65 3421 22
Cheers
Scott.
* Re: login attempts
From: Adam T. Bowen @ 2003-04-10 15:16 UTC (permalink / raw)
To: Scott Taylor; +Cc: linux-admin
> I know I can find login attempts in the /var/log files. Does anyone know
> of a way to tell ssh2d to send an email to the SysAdmin on failed login
> attempts?
[snip]
If you are using the TCP/IP daemon wrappers (libwrap) then you can put
this:
ALL : ALL : spawn (/bin/warn %a %A %d %n %N %u)
in your hosts.deny (usually in /etc). The expansions that you can pass to
your script are listed in man 5 hosts_access.
Cheers
Adam Bowen
* Re: login attempts
From: Jeff Largent @ 2003-04-10 15:22 UTC (permalink / raw)
To: Scott Taylor, linux-admin
Just a thought but how about a perl script that tails /var/log/secure
looking for failed login and then emails that to the SysAdmin.
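#!/usr/bin/perl -w
use strict;

# Single quotes: "@work" would be interpolated as an array in double quotes.
my $email   = 'sysadmin@work.bites';
my $logfile = "/var/log/secure";

open(LOG, '<', $logfile) or die "Cannot open $logfile: $!";
for (;;) {
    while (<LOG>) {
        if (m/Failed/) {
            # List-form pipe open: the log line goes to mail's stdin and
            # never passes through a shell.
            if (open(MAIL, '|-', 'mail', '-s', 'Failed Login', $email)) {
                print MAIL $_;
                close(MAIL);
            } else {
                warn "Cannot run mail: $!";
            }
        }
    }
    sleep 15;
    seek(LOG, 0, 1);    # clear EOF so the next pass reads newly appended lines
}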
Probably won't run but you get the idea. You could replace
the system call with something else from a perl module.
Jeff
Scott Taylor wrote:
> Hello all,
>
> I know I can find login attempts in the /var/log files. Does anyone
> know of a way to tell ssh2d to send an email to the SysAdmin on failed
> login attempts?
>
> I tried with a script /bin/warn:
> #!/bin/bash
> mail -s "$LOGNAME" root <<EOF
> User $LOGNAME attempted to log in at:
> `date`
> From: $SSH_CLIENT
> EOF
> exit 0
>
> which works fine from the command line, but not always (most of the
> time) from a login attempt when the users shell is /bin/warn.
>
> Output, when it works, looks like this:
>
> Subject: scott
>
> User scott attempted to log in at:
> Thu Apr 10 07:25:06 PDT 2003
> From: 192.168.99.65 3421 22
>
> Cheers
>
> Scott.
--
Jeff Largent ImageLinks, Inc.
Sr System Admin Melbourne, Fl 32935
(321) 253-0011 fax: (321) 253-5559
* Re: login attempts
From: Scott Taylor @ 2003-04-10 16:00 UTC (permalink / raw)
To: linux-admin
At 08:22 AM 4/10/03, you wrote:
>Just a thought but how about a perl script that tails /var/log/secure
>looking for failed login and then emails that to the SysAdmin.
That's interesting Jeff,
for that matter I could pipe "tail -f /var/log/secure" through a sed 'n'
awk script, but maybe not. Although, I'm not really looking for failed
login or !failed login attempts, only any login attempts.
Setting the shell to /bin/false works well to keep normal users out, also
setting the shell to my /bin/warn keeps them out, just doesn't always send
the mail.
Cheers.
* Re: login attempts
From: Jay Goodman @ 2003-04-10 19:01 UTC (permalink / raw)
To: scott; +Cc: linux-admin
I did something similar with an iptables log a while back.
If you decide to take this approach (a bit better than
the perl approach suggested earlier), when you're snooping on
a log file like that, make sure you use:
    tail --follow=name /var/log/secure
Otherwise you may be a bit confused why you're not getting
any 'hits' after /var/log/secure has been rotated.
> At 08:22 AM 4/10/03, you wrote:
>>Just a thought but how about a perl script that tails /var/log/secure
>> looking for failed login and then emails that to the SysAdmin.
>
> That's interesting Jeff,
>
> for that matter I could pipe "tail -f /var/log/secure" through a sed 'n'
> awk script, but maybe not. Although, I'm not really looking for failed
> login or !failed login attempts only any login attempts.
>
> Setting the shell to /bin/false works well to keep normal users out,
> also setting the shell to my /bin/warn keeps them out, just doesn't
> always send the mail.
>
> Cheers.
--
caio,
jay
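
The following is an added example, not part of any message in this thread: a rotation-safe watcher built on the `tail --follow=name` advice above that reports every login attempt, failed or accepted, and never passes log content to a command line. The OpenSSH-style line format, the function names and the sample line are assumptions; `--retry` is the GNU tail option that keeps trying while the file is briefly missing during rotation.

```sh
#!/bin/sh
# Added example. Assumes OpenSSH-style auth lines:
#   "... sshd[PID]: Failed|Accepted METHOD for USER from IP port N ssh2"
# Constructed sample line (not taken from a real log), used by selftest.
SAMPLE='Apr 10 07:25:06 host sshd[1234]: Failed password for scott from 192.168.99.65 port 3421 ssh2'

# parse_attempt LINE: print "OUTCOME USER IP" and return 0 for a login
# attempt; return 1 for any other line.
parse_attempt() {
    printf '%s\n' "$1" | awk '
    {
        s = 0; f = 0
        for (i = 1; i + 2 <= NF; i++)
            if (($i == "Failed" || $i == "Accepted") && $(i + 2) == "for") { s = i; break }
        if (!s) exit 1
        # The user name comes from the remote side and may contain spaces or
        # the word "from", so locate the real "from IP port" from the end.
        for (k = NF - 2; k > s + 3; k--)
            if ($k == "from" && $(k + 2) == "port") { f = k; break }
        if (!f) exit 1
        user = $(s + 3)
        for (i = s + 4; i < f; i++) user = user " " $i
        ip = $(f + 1)
        gsub(/[^A-Za-z0-9._-]/, "_", user)   # keep the report to 3 clean fields
        gsub(/[^0-9A-Fa-f.:]/, "_", ip)
        print $s, user, ip
        ok = 1
        exit 0
    }
    END { if (!ok) exit 1 }'
}

selftest() { parse_attempt "$SAMPLE"; }

# watch_log [FILE]: follow FILE by name, so the watch survives log rotation,
# and mail root one line per attempt. The subject is a fixed string; nothing
# taken from the log reaches a command line.
watch_log() {
    tail --follow=name --retry "${1:-/var/log/secure}" |
    while IFS= read -r line; do
        parsed=$(parse_attempt "$line") || continue
        printf 'Login attempt: %s\n' "$parsed" | mail -s "login attempt" root
    done
}

# Run the watcher only when asked to: ./watch.sh --watch [FILE]
if [ "${1:-}" = "--watch" ]; then
    watch_log "${2:-}"
fi
```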