The sys admin’s daily grind: login mail

SPYGLASS

Author(s):

Charly often gets suggestions and ideas for his column at community get-togethers. Last week, he picked up a tip for an early warning system that quickly secures login attempts.

Some servers I don’t log in to for weeks on end. On machines like this, the danger of intruders being able to log in without my noticing is fairly high. And if attackers do manage to crack open a victim’s computer, they will do everything they can to cover their tracks. This includes removing all traces of the login from the logs, which makes it more or less impossible to ascertain the exact time of the attack and – what’s more important – the attacker’s IP.

Read full article as PDF:

055-055_charly.pdf (1.45 MB)

Related content

  • LUG Camp 2010

    From the Lower Rhine to Central Franconia, on his journey, Charly found beaten gold, relaxed Linux users, abandoned beer cellars, and a Python one-liner for presentable photos of the tour. A once-in-a-year experience.

  • Charly's Column

    Users log on to services such as SSH, ftp, SASL, POP3, IMAP, Apache htaccess, and many more using their names and passwords. These popular access mechanisms are a potential target for brute-force attacks. An attentive bouncer will keep dictionary attacks at bay.

  • Charly’s Column: w3af

    After toiling away to create a small but exclusive website, Charly wanted to run a security scanner against it to check for vulnerabilities. The choice of tools is enormous, but Charly chose w3af.

  • Charly’s Column: PortSentry

    To celebrate 10 years of his column, Charly sets up a sensitive detector that measures the cosmic background radiation of the Internet.

  • Charly’s Column: Cluster SSH

    Charly doesn’t relish the idea of searching through the logfiles of a dozen proxy servers when page requests fail. Now that he has deployed Cluster SSH, he can pull the strings on many machines at the same time.

Comments

  • SFTP clients?

    This works fine for a standard SSH login from another linux host or a windows host running putty, however I noticed it does not log anything if a user is logging in with a SFTP client package such as Filezilla or any other sftp gui application. I noticed this by mistake when looking at the login (auth) logs on a server.

    Can someone advise why this is and how I can capture all logins no matter what the medium is?

    Thanks
    Keith
  • Little bug when invoke mail command

    I found a little bug on your code, instead of using who and pipe stout to mail command, if there are more than one users logged, mail command not works, due to new line characters, so i changed your code to this:

    echo 'Login on' `hostname` `date` \
    `who` | mail -s "Login on `hostname` \
    `who |sort -k 3,4 -r | head -1 | awk '{print $5}'`" \
    amedeo.salvati@gmail.com

    ciao
    amedeo
comments powered by Disqus

Direct Download

Read full article as PDF:

055-055_charly.pdf (1.45 MB)

News