Monitor all login attempts


Solution 1

Don't reinvent the wheel; let rsyslog do everything for you. It has the ability to send emails when patterns are matched in syslog messages before they ever hit a file.

Set your email address and SMTP server in the following, put it in your /etc/rsyslog.conf or drop it in /etc/rsyslog.d/, and restart rsyslog.

$ModLoad ommail
$ActionMailSMTPServer localhost
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$template mailSubject,"Login Alert on %hostname%"
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1
# the if ... then ... mailBody must be on one line!
if $msg contains 'session opened for user' then :ommail:;mailBody

This will fire off an email when rsyslog matches the string session opened for user in a message.

You can look in /var/log/auth.log for messages from sshd to see what else you can use as patterns.

Source: rsyslog ommail

Solution 2

First, you should not rely on a user's .profile because they can change it. If it's really your server, you could:

  • test for entries in auth.log, utmp or so periodically (or triggered by inotify)
  • write a wrapper for /bin/login, that does your things and then executes the real /bin/login. (I am not quite sure if e.g. ssh executes /bin/login, but I expect so.) But I can't recommend that - it's too dangerous.

Solution 3

/var/log/auth.log

Keep track of attempts on your system:

cat /var/log/auth.log | grep 'sshd.*Failed'

This greps failed attempts; timestamps are also available, so you can tune it to your script. Also, maybe with

tail -f /var/log/auth.log 

you can trace input all the time and then apply some regexps.

Solution 4

I like @creek's solution from above, but with one small change:

if $msg contains 'session opened for user' then :ommail:;mailBody

to

if $msg contains 'sshd:session' then :ommail:;mailBody

If you simply use "session opened for user" you will get a message every time your cronjobs fire. For me at least, I just want to monitor SSH. You could adjust the conditional above to suit any other need.

Solution 5

Following @Creek's answer; with rsyslog, to match multiple users (not the best implementation, and it can probably be replaced with a regex, but it works):

$ModLoad ommail
$ActionMailSMTPServer localhost
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$template mailSubject,"Login alert on %hostname%"
# mailBody must be on one line!
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1

if $msg contains 'session opened for' then {
        if $msg contains 'USER1' then :ommail:;mailBody

        # Repetition required (did not investigate why)
        $ActionMailSMTPServer localhost
        $ActionMailFrom [email protected]
        $ActionMailTo [email protected]
        $template mailSubject,"Login alert on %hostname%"
        $template mailBody,"\n\n%msg%"
        $ActionMailSubject mailSubject
        $ActionExecOnlyOnceEveryInterval 1

        if $msg contains 'USER2' then :ommail:;mailBody
}
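The patterns from Solutions 3, 4 and 5, run against a handful of constructed auth.log lines. This is an added shell example and not code from any of the answers above; the log lines are made up (hostnames, PIDs and addresses are placeholders) and the function names are mine. It shows why Solution 4's narrower pattern matters: the plain 'session opened for user' string also matches the cron sessions in the sample, while 'sshd:session' only matches SSH logins, and a regex alternation does what Solution 5's nested ifs do. Because these lines are written by sshd and PAM rather than by the login shell, they are present even when someone picks their own shell with ssh -t, which is the case the question is about.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log (not real data).
SAMPLE_LOG='Oct 10 09:12:01 host CRON[2210]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 10 09:14:33 host sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 10 09:15:02 host sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Oct 10 09:15:02 host sshd[2310]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 10 09:20:45 host sshd[2355]: Failed password for bob from 203.0.113.9 port 55100 ssh2
Oct 10 09:21:00 host sshd[2360]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Oct 11 02:00:01 host CRON[3001]: pam_unix(cron:session): session opened for user backup by (uid=0)
Oct 11 02:05:10 host sshd[3020]: pam_unix(sshd:session): session opened for user carol by (uid=0)'

# Solution 3: failed sshd attempts (the pattern the answer greps for).
failed_ssh_attempts() { printf '%s\n' "$1" | grep 'sshd.*Failed'; }

# Solution 1's pattern: every PAM session open, cron jobs included.
session_opens() { printf '%s\n' "$1" | grep 'session opened for user'; }

# Solution 4's pattern: only sessions opened through sshd.
ssh_logins() { printf '%s\n' "$1" | grep 'sshd:session.*session opened for user'; }

# Solution 5 with a regex alternation instead of nested ifs.
# $2 is an ERE alternation such as 'alice|bob'.
ssh_logins_for_users() {
    printf '%s\n' "$1" | grep -E "sshd:session.*session opened for user ($2) "
}

# Pull the user name out of each sshd session-open line, one per line.
ssh_login_users() {
    printf '%s\n' "$1" |
        sed -n 's/.*(sshd:session): session opened for user \([^ ]*\).*/\1/p'
}

# Number of lines a filter function produces (grep's exit status does not matter here).
count() { "$@" | wc -l | tr -d ' '; }

# Demo when run directly.
echo "failed attempts: $(count failed_ssh_attempts "$SAMPLE_LOG")"
echo "all session opens: $(count session_opens "$SAMPLE_LOG")"
echo "ssh logins only: $(count ssh_logins "$SAMPLE_LOG")"
echo "ssh users: $(ssh_login_users "$SAMPLE_LOG" | tr '\n' ' ')"
```

On a live system the same filters apply to a stream, e.g. tail -f /var/log/auth.log | grep --line-buffered 'sshd:session', which is the shell counterpart of the rsyslog condition in Solution 4.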


Updated on September 18, 2022

Comments

  • Aditi Rawat
    Aditi Rawat over 1 year

    A few weeks ago I thought it would be a good idea to write a script to send me an email whenever some user logs into my server.

    So I came up with a perfectly working script, notifyLogin.sh, and then decided to call it from each user's .bash_login script.

    But I discovered that someone could log in to my server using the ssh -t switch to select an available shell. For example:

    ssh user@myserver -t sh
    

    This way, .bash_login does not execute, neither does /etc/profile.

    Is there any way to call notifyLogin.sh independent of shell type at login? (It should always work.)

  • Chad K
    Chad K almost 10 years
    This doesn't answer OP's question about sending an email when someone logs in
  • Stephen Rauch
    Stephen Rauch about 7 years
    If the exact same answer works for different questions, then it is likely the questions are duplicates. In that case you should flag the duplicate question accordingly.
  • Astm
    Astm over 4 years
    You can use this command to get SSH access for a specific day: sudo cat /var/log/auth.log | grep sshd | grep 'Oct 10'