monitoring login

Fernando Duran liberosec-FFYn/CNdgSA at public.gmane.org
Mon Oct 11 17:52:30 UTC 2010


Hi,

If someone can create a new user account then the system is rooted and we've 
got bigger problems. I guess other (non-Bash) shells can be disabled on the 
server and changes in /etc/passwd monitored (to detect new users) so that this 
loophole that Chris mentions is plugged (but there may be other workarounds).

In any case you can also install 'logwatch' or similar, it can be configured to 
send a daily email with a summary of activities like shell logins and system 
status like disk space etc. This is a quick and easy solution (apt-get or yum 
install logwatch).

Or if you just want the email when there's a login, you can probably use 
'inotify' and trigger the email when it detects a change in the /var/log/wtmp 
(login) log file, or perhaps it's easier to do with 'monit' (I haven't tried 
either option for this case).

Also note that this 'login warning' won't notify you when there's a security 
breach in an application (for example a web app). So while it's an easy-to-do, 
nice-to-have feature, I wouldn't make it a critical part of a system's security.

Cheers,
 ---------------------
Fernando Duran
http://www.fduran.com



----- Original Message ----
> From: Chris F.A. Johnson <chris-E7bvbYbpR6jSUeElwK9/Pw at public.gmane.org>
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> Sent: Mon, October 11, 2010 12:36:57 PM
> Subject: Re: [TLUG]: monitoring login
> 
> On Mon, 11 Oct 2010, Jamon Camisso wrote:
> 
> > On 10/11/2010 02:19 AM, Rajinder Yadav wrote:
> >> On 10-10-10 10:58 AM, Fernando Duran wrote:
> >>> Hi,
> >>> 
> >>> I do this actually in my servers, by adding this line to /etc/profile:
> >>> 
> >>>   echo "`whoami` logged in at `date` from `echo $SSH_CLIENT`" | mail -s
> >>> "`hostname` login" me-hcDgGtZH8xNBDgjK7y7TUQ at public.gmane.org
> >> 
> >> I want something that will work from any account, even if someone
> >> creates a new account for a backdoor
> >> 
> >> what I would like is a way to monitor a login event systemwide and then
> >> have a script execute to fire off an email
> > 
> > That's exactly what Fernando's line does. Since /etc/profile is read by
> > all valid login shells, it effectively works for any account.
> 
>      It is not read by [t]csh.
> 
> --    Chris F.A. Johnson, <http://cfajohnson.com>
>    Author:
>    Pro Bash Programming: Scripting the GNU/Linux Shell (2009, Apress)
>    Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
> 


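The two mechanisms Fernando suggests above (watching /var/log/wtmp for new login records instead of relying on /etc/profile, and diffing /etc/passwd to catch a backdoor account) can be combined into one small checker. The script below is an added example written for this page, not code from the thread. It parses the binary wtmp file directly, which catches logins regardless of the user's shell because sshd and login(1) write the record before the shell starts, so the [t]csh gap Chris points out does not apply. It assumes the 384-byte glibc struct utmp layout of x86_64 Linux, and the wtmp blob, passwd text and hostname are constructed sample data. Delivery of the alert text (piping it to mail -s, as in the /etc/profile one-liner, or from an inotifywait or cron loop that persists the returned offset) is left to the caller. One caveat worth knowing: a non-pty ssh command (ssh host somecommand) does not produce a wtmp record either, so this is still the "nice-to-have" layer the post describes.

```python
"""Detect new logins from /var/log/wtmp and new accounts in /etc/passwd.

Added example for this mailing-list page; not code from the thread.
Assumes the glibc struct utmp layout used on x86_64 Linux (384 bytes).
Sample data at the bottom is constructed.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# struct utmp: ut_type(h)+pad, ut_pid(i), ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit(h,h), ut_session(i), ut_tv(sec i, usec i),
# ut_addr_v6[4 x i], __unused[20]. Check sizeof(struct utmp) on other ABIs.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
assert UTMP.size == 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


@dataclass
class Login:
    user: str
    line: str   # tty or pts the session got
    host: str   # remote host/IP as recorded by sshd or login(1)
    when: datetime


def _cstr(raw: bytes) -> str:
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> List[Login]:
    """Return the USER_PROCESS (login) records in a wtmp byte blob.
    Boot, logout and other record types are skipped; a torn trailing
    record (file written while we read it) is ignored."""
    logins = []
    usable = len(data) - len(data) % UTMP.size
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        if rec[0] != USER_PROCESS:
            continue
        logins.append(Login(_cstr(rec[4]), _cstr(rec[2]), _cstr(rec[5]),
                            datetime.fromtimestamp(rec[9], tz=timezone.utc)))
    return logins


def read_new_logins(path: str, offset: int) -> Tuple[List[Login], int]:
    """Read only the records appended after `offset` (persist the returned
    offset between runs, e.g. from cron or an inotifywait loop). If the
    file shrank (logrotate), restart from 0 rather than miss records."""
    with open(path, "rb") as f:
        f.seek(0, 2)
        if f.tell() < offset:
            offset = 0
        f.seek(offset)
        data = f.read()
    usable = len(data) - len(data) % UTMP.size
    return parse_wtmp(data), offset + usable


def new_accounts(old_passwd: str, new_passwd: str) -> List[str]:
    """Usernames present in the new /etc/passwd text but not in the old.
    Extra UID 0 accounts (the classic backdoor) are flagged."""
    def entries(text: str) -> dict:
        out = {}
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) >= 7:          # name:pw:uid:gid:gecos:home:shell
                out[fields[0]] = fields[2]
        return out
    before, after = entries(old_passwd), entries(new_passwd)
    return [name + (" (UID 0!)" if after[name] == "0" else "")
            for name in sorted(set(after) - set(before))]


def build_alert(hostname: str, logins: List[Login], accounts: List[str]) -> str:
    """Plain-text body in the spirit of the /etc/profile one-liner."""
    lines = [f"{l.user} logged in on {l.line} from {l.host or 'local'} "
             f"at {l.when:%Y-%m-%d %H:%M:%S} UTC" for l in logins]
    lines += [f"new account in /etc/passwd: {a}" for a in accounts]
    return f"[{hostname} login]\n" + "\n".join(lines)


def _record(ut_type: int, user=b"", line=b"", host=b"", sec=0) -> bytes:
    """Pack one constructed utmp record (16 fields in UTMP's format)."""
    return UTMP.pack(ut_type, 0, line, b"", user, host, 0, 0, 0, sec, 0,
                     0, 0, 0, 0, b"")


# Constructed sample: boot record, one ssh login, its logout, torn tail.
SAMPLE_WTMP = (_record(BOOT_TIME, user=b"reboot", line=b"~", sec=1286813000)
               + _record(USER_PROCESS, user=b"alice", line=b"pts/0",
                         host=b"203.0.113.5", sec=1286813700)
               + _record(DEAD_PROCESS, line=b"pts/0", sec=1286814000)
               + b"\0" * 100)
OLD_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:1000:1000::/home/alice:/bin/bash\n")
NEW_PASSWD = OLD_PASSWD + ("toor:x:0:0::/root:/bin/sh\n"
                           "svc:x:1001:1001::/var/empty:/bin/tcsh\n")

if __name__ == "__main__":
    print(build_alert("web1", parse_wtmp(SAMPLE_WTMP),
                      new_accounts(OLD_PASSWD, NEW_PASSWD)))
```

In production you would call read_new_logins("/var/log/wtmp", saved_offset) on each inotify event or cron tick, store the new offset, and pipe build_alert(...) to mail -s; the passwd check works the same way with a saved copy of the previous /etc/passwd. Note the tcsh account in the sample: it is reported through wtmp even though /etc/profile would never have run for it.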