monitoring login
Rajinder Yadav
devguy.ca-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Oct 12 03:52:24 UTC 2010
On 10-10-11 01:52 PM, Fernando Duran wrote:
> Hi,
>
> If someone can create a new user account then the system is rooted and we've
> got bigger problems. I guess other (non-Bash) shells can be disabled in the
> server and changes in /etc/passwd monitored (to detect new users) so that this
> loophole that Chris mentions is plugged (but there may be other workarounds).
>
> In any case you can also install 'logwatch' or similar, it can be configured to
> send a daily email with a summary of activities like shell logins and system
> status like disk space etc. This is a quick and easy solution (apt-get or yum
> install logwatch).
>
> Or if you just want the email when there's a login, probably you can use
> 'inotify' and trigger the email when it detects a change in the /var/log/wtmp
> (login) log file, or perhaps it's easier to do with 'monit' (I haven't tried
> either option for this case).
>
> Also note that this 'login warning' won't notify you when there's a security
> breach in an application (for example a web app). So while it's an easy-to-do,
> nice-to-have feature I wouldn't make it a critical part of a system's security.
>
> Cheers,
> ---------------------
> Fernando Duran
> http://www.fduran.com
>
>
>
> ----- Original Message ----
>> From: Chris F.A. Johnson<chris-E7bvbYbpR6jSUeElwK9/Pw at public.gmane.org>
>> To: tlug-lxSQFCZeNF4 at public.gmane.org
>> Sent: Mon, October 11, 2010 12:36:57 PM
>> Subject: Re: [TLUG]: monitoring login
>>
>> On Mon, 11 Oct 2010, Jamon Camisso wrote:
>>
>>> On 10/11/2010 02:19 AM, Rajinder Yadav wrote:
>>>> On 10-10-10 10:58 AM, Fernando Duran wrote:
>>>>> Hi,
>>>>>
>>>>> I do this actually in my servers, by adding this line to /etc/profile:
>>>>>
>>>>> echo "`whoami` logged in at `date` from `echo $SSH_CLIENT`" | mail -s \
>>>>>     "`hostname` login" me-hcDgGtZH8xNBDgjK7y7TUQ at public.gmane.org
>>>>
>>>> I want something that will work from any account, even if someone
>>>> creates a new account for a backdoor.
>>>>
>>>> What I would like is a way to monitor a login event system-wide and then
>>>> have a script execute to fire off an email.
>>>
>>> That's exactly what Fernando's line does. Since /etc/profile is read by
>>> all valid login shells, it effectively works for any account.
>>
>> It is not read by [t]csh.
>>
>> -- Chris F.A. Johnson,<http://cfajohnson.com>
>> Author:
>> Pro Bash Programming: Scripting the GNU/Linux Shell (2009, Apress)
>> Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)
>> --
Both inotify and monit look exactly like the tools I can use to do
what I want! This has got me thinking about a whole array of monitoring
tools =P and once I can wrap my noodle brain around it I'm going to hack
together a ruby script and possibly a ruby plugin. It would be easy to
extend the idea with a web interface; if the intervals are large enough
one can throw stats into a database and monitor for trends, meta
changes, and do data (intrusion) mining! For example, if part of the
system is off-limits for write access due to a policy and there is write
activity, this could be recovered later from an (activity) database as a
rudimentary form of system forensics, and it would help to track down
files and areas that may have been compromised.
One of the things I've been playing with is Twitter, so one can get
realtime tweet alerts without the need to have a mail server set up to
send out mail, etc. All you need is REST access to the web via HTTP GET/POST.
This is cool enough to try just for the fun of it =)
Well, I started to dig around into this a bit and there seems to be a
GOD monitoring tool for the Ruby community that makes a lazy hacker's
life easy. If anyone is interested in knowing, even for the sake of
recommending a solution to others, here are some links:
http://god.rubyforge.org/
http://thewebfellas.com/blog/2008/2/12/a-simple-faith-monitoring-by-god
Here is also a good write-up on using inotify in C for those who love to
compile, link and work with makefiles =P
http://www.linuxjournal.com/article/8478
--
Kind Regards,
Rajinder Yadav | DevMentor.org | Do Good! ~ Share Freely
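As an added example, not code from this thread or from any of the tools it mentions (logwatch, monit, god): a small Python parser for the /var/log/wtmp record format that Fernando suggests watching with inotify, plus the incremental "read only what was appended" step an inotify trigger would call. It assumes the glibc x86_64 struct utmp layout (384-byte records); the sample records, user names and addresses are constructed inline rather than taken from any real server.

```python
import struct
from datetime import datetime, timezone

# Assumption: glibc's struct utmp on x86_64, 384 bytes per record. '<' turns off
# native padding, so the two pad bytes after ut_type are written out as 'xx'.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

USER_PROCESS = 7  # a user session opened (login)
DEAD_PROCESS = 8  # a session closed (logout)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> list:
    """Return one dict per record in a wtmp-format byte string."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length is not a multiple of the utmp record size")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit,
         _session, tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": tv_sec,
        })
    return records


def login_events(data: bytes) -> list:
    """Only the records that mark a user logging in."""
    return [r for r in parse_wtmp(data) if r["type"] == USER_PROCESS]


def new_logins_since(data: bytes, offset: int):
    """Incremental read: parse only the bytes appended after `offset`.

    This is what an inotify (or similar) trigger would call each time the file
    changes; the caller stores the returned offset for the next trigger.
    """
    events = login_events(data[offset:])
    return events, len(data)


def format_alert(rec: dict, hostname: str = "example-host") -> str:
    """Render a login record as a one-line notification (mail subject/body)."""
    when = datetime.fromtimestamp(rec["time"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    origin = rec["host"] or "local console"
    return f"{rec['user']} logged in on {rec['line']} from {origin} at {when} ({hostname})"


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Pack one record; used here only to construct sample input."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp contents: a login, its logout, then a second login.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "192.0.2.10", 1286855544),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1286856000),
    make_record(USER_PROCESS, 4311, "pts/1", "bob", "198.51.100.7", 1286856120),
])

if __name__ == "__main__":
    for rec in login_events(SAMPLE_WTMP):
        print(format_alert(rec))
```

On a live box the trigger would be something like `inotifywait -e modify /var/log/wtmp` from inotify-tools, with the script keeping the last offset and piping each alert line into `mail`. Because wtmp is written by login, sshd and friends rather than by the user's shell, this path does not depend on /etc/profile and so is not affected by the [t]csh caveat Chris raises; it still has the limitation Fernando notes, since an application-level breach that never opens a session leaves no wtmp record at all.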
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists