Solved

Alert when user root attempts an invalid login

Posted on 2003-02-26
Last Modified: 2013-12-06
We have a few red hat servers running either 6.2 or 7.3.  My boss has asked to be alerted if someone attempts to login as root and it is invalid.  He would like this in an email.  I know the /var/logs/messages has the information in there about logins, but how would I ever make it work?  I thought about a perl script, but I am not that versed in it.  Anyone know of some sneaky script out there, or a monitoring software that can do this?

Thanks

Rob Freeman
Question by:freemancr
9 Comments
 
LVL 2

Expert Comment

by:ryanf
ID: 8026787
Check out this site...
 
http://bb4.com/

You can use Big Brother to watch your syslog and trigger an event based on what it sees...

also check out this site...

http://www.netplex-tech.com/software/nocol/

This should get you started....

Hope this helped!

-Ryan
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 8026915
First, if your boss is interested in security, he should upgrade the 6.2 systems to 7.3 or later.

And the systems should be locked down. You can find good information on securely configuring Linux systems at www.bastille-linux.org. The Center for Internet Security (www.cisecurity.org) is also planning to release guidelines for securely configuring Linux systems within the next couple of months, though they're not out yet.

When you're finished with the basics, then you can look at fancier stuff.

For example, the Linux IDS project (www.lids.org) has some interesting software for detecting break-ins on Linux systems.

But if you want something more akin to your boss' original idea, check out Swatch (swatch.sourceforge.net), or check www.loganalysis.org for pointers to other tools.
 
LVL 20

Accepted Solution

by:
Gns earned 600 total points
ID: 8027012
I've done similar things in the past (although that was to "filter out" specific remote-log entries that didn't have ... separate facility/severity...
What I'd do is something like this:
Add this to /etc/syslog.conf

auth.notice |/var/log/authfifo

to make syslog write the pam_unix/authentication messages to a named pipe (fifo) file.
Then make a little script that continually reads lines from that pipe, "trawling" for those where user=root. Have the script start from the rc-scripts (preferably near the start/stop of syslogd).
The script could look something like:
#!/usr/bin/perl
use Net::SMTP;
sub mail_boss(@) {};
for(;;) {
  close(R);
  open(R,"</var/log/nokia") || die "Couldn't open FIFO!\n";
  while($_=<R>) {
    /user=root/ && mail_boss("$_");
  }
}

sub mail_boss($) {
    my(@message) = @_;
    my($message) = join('',@message);

    my $smtp = Net::SMTP->new('mailserver.mydomain.wherever');

    $smtp->mail('postmaster@mydomain.wherever');
    $smtp->to("myboss@mydomain.wherever");

    $smtp->data();
    $smtp->datasend("From: postmaster\@mydomain.wherever\n");
    $smtp->datasend("To: myboss@mydomain.wherever\n");
    $smtp->datasend("Subject: AUTOSENT: Possible intrusion attempt\n");
    $smtp->datasend("\n");
    $smtp->datasend("Message follows:\n\n$message\n");
    $smtp->datasend(".\n");
    $smtp->dataend();

    $smtp->quit;
}
# End of script

Be sure to change the domain/email addresses in the above to suit you:-).

-- Glenn
 
LVL 20

Expert Comment

by:Gns
ID: 8027028
Silly me. Chris (and Ryan) are correct, you should of course use a proper IDS:-).

-- Glenn
 
LVL 20

Expert Comment

by:Gns
ID: 8027062
Ooops, typo in the script (guess who makes the equipment that needed my original take on it;-):
open(R,"</var/log/nokia") || die "Couldn't open FIFO!\n";
should of course match what you put in /etc/syslog.conf, so change it to read
open(R,"</var/log/authfifo") || die "Couldn't open FIFO!\n";

-- Glenn (you still should look at a true IDS system)
 
LVL 2

Expert Comment

by:ryanf
ID: 8027363
Check out this site...
 
http://bb4.com/

You can use Big Brother to watch your syslog and trigger an event based on what it sees...

also check out this site...

http://www.netplex-tech.com/software/nocol/

This should get you started....

Hope this helped!

-Ryan
 
LVL 2

Expert Comment

by:ryanf
ID: 8027475
Sorry didn't mean to double post :) Hit the wrong button...

-Ryan
 

Author Comment

by:freemancr
ID: 8027532
Thanks for all the information.  For the time being, the script will work, but I will look into some other options in the long run.

Rob
 
LVL 20

Expert Comment

by:Gns
ID: 8031909
Yet another goof in the script....

sub mail_boss($) {
...

should have been

sub mail_boss(@) {
...

The dangers of combining two scripts (which work OK individually) without testing;-).
Should be OK now though...

The benefits of a true IDS system go far beyond what this little hack can do, so it's great to hear that you will be looking into it.

-- Glenn
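A Python rendition of the approach in the accepted solution (syslog writes auth.notice to a FIFO, a reader loop filters for user=root and mails each hit), added here as an example; it is not code from this thread or from any of the posters. It assumes the FIFO path /var/log/authfifo from the syslog.conf line above, the pam_unix "authentication failure; ... rhost=... user=..." line format, and mail/host names that are placeholders. The sample log lines are constructed. Beyond the posted script it extracts the source host, adds a per-source cap so a password-guessing run does not flood the boss's mailbox, and keeps mail delivery behind a callback so the filter can be tested without an SMTP server.

```python
import re
import smtplib
from email.message import EmailMessage

# pam_unix logs password failures at auth.notice in this shape (constructed samples).
SAMPLE_LINES = [
    "Feb 26 10:15:01 web1 sshd(pam_unix)[2345]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root",
    "Feb 26 10:15:03 web1 sshd(pam_unix)[2345]: session opened for user rob by (uid=0)",
    "Feb 26 10:15:09 web1 login(pam_unix)[2360]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root",
    "Feb 26 10:15:12 web1 sshd(pam_unix)[2370]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=bob",
]

FIFO_PATH = "/var/log/authfifo"   # must match the auth.notice line in /etc/syslog.conf

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\s(?P<service>[\w()\-]+)\[\d+\]:\s"
    r"authentication failure;.*?\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)\s*$"
)


def parse_failure(line):
    """Return a dict (ts, host, service, rhost, user) for a pam_unix failure line, else None."""
    m = FAILURE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["rhost"] = ev["rhost"] or "local"   # console/tty logins carry an empty rhost
    return ev


def is_root_failure(line):
    """The posted script's /user=root/ test, restricted to real failure lines."""
    ev = parse_failure(line)
    return ev is not None and ev["user"] == "root"


def build_alert(ev, sender, recipient):
    """The mail the posted script sends, built as an email.message object."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"AUTOSENT: failed root login on {ev['host']} from {ev['rhost']}"
    msg.set_content(
        f"Failed login as root\n"
        f"  time:    {ev['ts']}\n  host:    {ev['host']}\n"
        f"  service: {ev['service']}\n  source:  {ev['rhost']}\n"
    )
    return msg


def send_via_smtp(msg, mailhost):
    """Deliver through the local relay (hostname is a placeholder at the call site)."""
    with smtplib.SMTP(mailhost) as smtp:
        smtp.send_message(msg)


def scan(lines, notify, sender="postmaster@example.invalid",
         recipient="boss@example.invalid", max_per_source=3):
    """Run lines through the filter; notify(msg) is called for each root failure
    until a source has produced max_per_source alerts. Returns the alerted events."""
    per_source = {}
    alerted = []
    for line in lines:
        ev = parse_failure(line)
        if ev is None or ev["user"] != "root":
            continue
        n = per_source.get(ev["rhost"], 0) + 1
        per_source[ev["rhost"]] = n
        if n > max_per_source:
            continue   # cap reached: a burst from one source is one incident, not N mails
        notify(build_alert(ev, sender, recipient))
        alerted.append(ev)
    return alerted


def fifo_lines(path):
    """Yield lines from the syslog FIFO forever, reopening on EOF (for example after a
    syslogd restart); this mirrors the for(;;) / reopen loop in the posted Perl."""
    while True:
        with open(path) as fifo:
            for line in fifo:
                yield line


if __name__ == "__main__":
    # Live use: read the FIFO and mail each hit via a placeholder relay host.
    scan(fifo_lines(FIFO_PATH), lambda m: send_via_smtp(m, "mailserver.example.invalid"))
```

Start it from the rc-scripts next to syslogd, as the solution says: if nothing is reading the FIFO, syslogd's write to the pipe can block or be lost, so the reader should be up before the auth.notice line starts delivering.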