Solved

Alert when user root attempts an invalid login

Posted on 2003-02-26
Last Modified: 2013-12-06
We have a few Red Hat servers running either 6.2 or 7.3.  My boss has asked to be alerted if someone attempts to log in as root and it is invalid.  He would like this in an email.  I know the /var/logs/messages has the information in there about logins, but how would I ever make it work?  I thought about a Perl script, but I am not that versed in it.  Does anyone know of some sneaky script out there, or a monitoring software that can do this?

Thanks

Rob Freeman
Question by:freemancr
9 Comments
 
LVL 2

Expert Comment

by:ryanf
ID: 8026787
Check out this site...
 
http://bb4.com/

You can use Big Brother to watch your syslog and trigger an event based on what it sees...

also check out this site...

http://www.netplex-tech.com/software/nocol/

This should get you started....

Hope this helped!

-Ryan
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 8026915
First, if your boss is interested in security, he should upgrade the 6.2 systems to 7.3 or later.

And the systems should be locked down. You can find good information on securely configuring Linux systems at www.bastille-linux.org. The Center for Internet Security (www.cisecurity.org) is also planning to release guidelines for securely configuring Linux systems within the next couple of months, though they're not out yet.

When you're finished with the basics, then you can look at fancier stuff.

For example, the Linux IDS project (www.lids.org) has some interesting software for detecting break-ins on Linux systems.

But if you want something more akin to your boss' original idea, check out Swatch (swatch.sourceforge.net), or check www.loganalysis.org for pointers to other tools.
0
 
LVL 20

Accepted Solution

by:
Gns earned 600 total points
ID: 8027012
I've done similar things in the past (although that was to "filter out" specific remote-log entries that didn't have ... separate facility/severity...
What I'd do is something like this:
Add this to /etc/syslog.conf

auth.notice |/var/log/authfifo

to make syslog write the pam_unix/authentication messages to a named pipe (fifo) file.
Then make a little script that continually reads lines from that pipe, "trawling" for those where user=root. Have the script start from the rc-scripts (preferably near the start/stop of syslogd).
The script could look something like:
#!/usr/bin/perl
# Reads the auth messages syslogd writes to the named pipe (see /etc/syslog.conf)
# and mails every line mentioning user=root to the boss.
# The pipe must exist before syslogd is (re)started:  mkfifo /var/log/authfifo
use strict;
use warnings;
use Net::SMTP;

sub mail_boss(@);   # forward declaration so the call below compiles

for (;;) {
    # syslogd closes the pipe on restart/HUP, so reopen it whenever we hit EOF
    open(R, "</var/log/authfifo") || die "Couldn't open FIFO!\n";
    while (my $line = <R>) {
        $line =~ /user=root/ && mail_boss($line);
    }
    close(R);
}

sub mail_boss(@) {
    my(@message) = @_;
    my($message) = join('', @message);

    my $smtp = Net::SMTP->new('mailserver.mydomain.wherever')
        || die "Couldn't connect to mail server!\n";

    $smtp->mail('postmaster@mydomain.wherever');
    $smtp->to('myboss@mydomain.wherever');

    $smtp->data();
    $smtp->datasend("From: postmaster\@mydomain.wherever\n");
    $smtp->datasend("To: myboss\@mydomain.wherever\n");   # '@' escaped; unescaped it interpolates an array
    $smtp->datasend("Subject: AUTOSENT: Possible intrusion attempt\n");
    $smtp->datasend("\n");
    $smtp->datasend("Message follows:\n\n$message\n");
    $smtp->dataend();   # sends the terminating "." line itself

    $smtp->quit;
}
# End of script

Be sure to change the domain/email addresses in the above to suit you:-).

-- Glenn
0
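As an added example (not from the thread or its author), here is a Python take on the same FIFO reader: it alerts only on pam_unix "authentication failure" records whose user= field is exactly root, so a successful root session or a failure for another account never triggers mail, and it throttles repeated alerts per (host, rhost) pair so a password-guessing run produces a handful of mails instead of thousands. It assumes the syslog.conf line from the accepted answer; the mail host and addresses are the thread's placeholders and the sample log lines are constructed.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed sample of what pam_unix on Red Hat 6.2/7.3 logs to the auth facility.
SAMPLE_LINES = [
    "Feb 26 10:15:01 web1 sshd(pam_unix)[1234]: authentication failure; logname= uid=0 "
    "euid=0 tty=NODEVssh ruser= rhost=10.0.0.5 user=root",
    "Feb 26 10:15:03 web1 sshd(pam_unix)[1234]: session opened for user root by (uid=0)",
    "Feb 26 10:15:09 web1 login(pam_unix)[1300]: authentication failure; logname=LOGIN "
    "uid=0 euid=0 tty=tty1 ruser= rhost= user=bob",
]

# Match only an explicit "authentication failure" record whose user= field is exactly root.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<svc>\S+?)\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*?\brhost=(?P<rhost>\S*) user=root\s*$"
)

def parse_root_failure(line):
    """Return {'ts','host','svc','rhost'} for a failed root login, else None."""
    m = FAIL_RE.match(line)
    return m.groupdict() if m else None

class AlertThrottle:
    """Mail on the 1st, (quiet+1)th, (2*quiet+1)th ... failure per (host, rhost) key."""
    def __init__(self, quiet=20):
        self.quiet, self.seen = quiet, {}
    def allow(self, key):
        n = self.seen.get(key, 0)
        self.seen[key] = n + 1
        return n % self.quiet == 0

def build_alert(ev, line):
    msg = EmailMessage()
    msg["From"] = "postmaster@mydomain.wherever"   # placeholder addresses from the thread
    msg["To"] = "myboss@mydomain.wherever"
    msg["Subject"] = f"AUTOSENT: failed root login on {ev['host']} from {ev['rhost'] or 'local'}"
    msg.set_content("Message follows:\n\n" + line + "\n")
    return msg

def watch(fifo_path, mailhost, throttle):
    while True:  # syslogd closes the pipe when restarted; reopen on EOF like the Perl loop
        with open(fifo_path) as fifo:
            for line in fifo:
                ev = parse_root_failure(line.rstrip("\n"))
                if ev and throttle.allow((ev["host"], ev["rhost"])):
                    with smtplib.SMTP(mailhost) as s:
                        s.send_message(build_alert(ev, line))
```

Start it from an rc script as `watch('/var/log/authfifo', 'mailserver.mydomain.wherever', AlertThrottle())`; the pipe must be created with mkfifo before syslogd is restarted.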
 
LVL 20

Expert Comment

by:Gns
ID: 8027028
Silly me. Chris (and Ryan) are correct, you should of course use a proper IDS:-).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 8027062
Ooops, typo in the script (guess who makes the equipment that needed my original take on it;-):
open(R,"</var/log/nokia") || die "Couldn't open FIFO!\n";
should of course match what you put in /etc/syslog.conf, so change it to read
open(R,"</var/log/authfifo") || die "Couldn't open FIFO!\n";

-- Glenn (you still should look at a true IDS system)
0
 
LVL 2

Expert Comment

by:ryanf
ID: 8027475
Sorry didn't mean to double post :) Hit the wrong button...

-Ryan
0
 

Author Comment

by:freemancr
ID: 8027532
Thanks for all the information.  For the time being, the script will work, but I will look into some other options in the long run.

Rob
0
 
LVL 20

Expert Comment

by:Gns
ID: 8031909
Yet another goof in the script....

sub mail_boss($) {
...

should have been

sub mail_boss(@) {
...

The dangers of combining two scripts (which work OK individually) without testing;-).
Should be OK now though...

The benefits of a true IDS system go far beyond what this little hack can do, so it's great to hear that you will be looking into it.

-- Glenn
0
