From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jeff Largent Subject: Re: login attempts Date: Thu, 10 Apr 2003 11:22:03 -0400 Sender: linux-admin-owner@vger.kernel.org Message-ID: <3E958C1B.3080508@imagelinks.com> References: <5.1.1.6.0.20030410072747.00af4030@mustang> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <5.1.1.6.0.20030410072747.00af4030@mustang> List-Id: Content-Type: text/plain; charset="us-ascii"; format="flowed" To: Scott Taylor , linux-admin Just a thought but how about a perl script that tails /var/log/secure looking for failed login and then emails that to the SysAdmin. #!/usr/bin/perl -w use strict; my $email = "sysadmin@work.bites" my $logfile = "/var/log/secure"; open(LOG, $logfile); for(;;) { while () { if( m/Failed/ ) { system("mailto $email -S \"Failed Login\" $_ ~."; } } sleep 15; seek(LOG, 0, 1); } Probley won't run but you get the idea. You could replace the system call with something else from a perl module. Jeff Scott Taylor wrote: > Hello all, > > I know I can find login attempts in the /var/log files. Does anyone > know of a way to tell ssh2d to send an email to the SysAdmin on failed > login attempts? > > I tried with a script /bin/warn: > #!/bin/bash > mail -s "$LOGNAME" root < User $LOGNAME attempted to log in at: > `date` > From: $SSH_CLIENT > EOF > exit 0 > > which works fine from the command line, but not always (most of the > time) from a login attempt when the users shell is /bin/warn. > > Output, when it works, looks like this: > > Subject: scott > > User scott attempted to log in at: > Thu Apr 10 07:25:06 PDT 2003 > From: 192.168.99.65 3421 22 > > Cheers > > Scott. > > - > To unsubscribe from this list: send the line "unsubscribe linux-admin" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > > -- Jeff Largent ImageLinks, Inc. Sr System Admin Melbourne, Fl 32935 (321) 253-0011 fax: (321) 253-5559