SSH "Login Monitor" for Linux

I am trying to write a script that informs the user when someone is logged in on the machine via ssh.

My current idea is to parse the output of "w" using grep at intervals.

But it is neither elegant nor executive. Has anyone got an idea on how to implement such a program?

Any help would be really appreciated!

+6
linux ssh
6 answers

In Ubuntu (and I assume that all other Debian distributions, if not all Linuces), the /var/log/auth.log file records successful (and unsuccessful) login attempts:

sshd[XXX]: pam_unix(sshd:session): session opened for user XXX 

You can configure a very simple monitor with this command (note that you must be root to view the authorization log):

 sudo tail -F /var/log/auth.log | grep sshd 
+9
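
The `tail -F /var/log/auth.log | grep sshd` monitor above matches every line that contains "sshd" anywhere. As an added example (not part of the original answer), this filter accepts only lines whose syslog program tag is sshd and turns them into events. The "Accepted ..." and "Failed ..." wording is OpenSSH's usual log format and is assumed here, as are the function names and the constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the answer): classify sshd events from auth.log.
# Output, one event per line: LOGIN user ip | FAIL ip | OPEN user | CLOSE user
ssh_events() {
  awk '
    function emit(s) { print s; fflush() }   # flush so a live pipeline sees events
    {
      # The program tag is field 3 after an ISO 8601 timestamp, field 5 after
      # the classic "Mon DD HH:MM:SS host" prefix. Requiring sshd[pid]: there
      # rejects other programs whose message text merely contains "sshd".
      t = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? 3 : 5
      if ($t !~ /^sshd\[[0-9]+\]:$/) next
      m = t + 1                              # first word of the message
    }
    $m == "Accepted" && $(m+2) == "for" && $(m+4) == "from" {
      emit("LOGIN " $(m+3) " " $(m+5)); next
    }
    $m == "Failed" && $(NF-4) == "from" && $(NF-2) == "port" {
      # The user name of a failed attempt is chosen by the client, so the
      # source address is read from the end of the line, not after the name.
      emit("FAIL " $(NF-3)); next
    }
    $m == "pam_unix(sshd:session):" && ($(m+2) == "opened" || $(m+2) == "closed") {
      u = $(m+5); sub(/\(uid=.*/, "", u)     # newer PAM appends "(uid=N)"
      emit((($(m+2) == "opened") ? "OPEN " : "CLOSE ") u)
    }
  '
}

# Constructed sample lines (documentation addresses; host name as in the page).
sample_log() {
  cat <<'EOF'
Jan 18 07:25:01 ex02 sshd[2211]: Accepted publickey for foo from 192.0.2.10 port 50022 ssh2
Jan 18 07:25:01 ex02 sshd[2211]: pam_unix(sshd:session): session opened for user foo(uid=1000) by (uid=0)
Jan 18 07:26:40 ex02 sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jan 18 07:27:02 ex02 logger[2251]: sshd[1]: Accepted password for root from 198.51.100.9 port 22 ssh2
2024-01-18T07:52:10+00:00 ex02 sshd[2211]: pam_unix(sshd:session): session closed for user foo
EOF
}

# Live use: sudo tail -F /var/log/auth.log | ssh_events
```

The fourth sample line comes from another program and only quotes an sshd message, so it produces no event, whereas a plain `grep sshd` would show it.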

Paul Tomblin has the right offer.

Set up logging in your sshd_config to point to a syslog facility that you can log separately:

=> see man 3 syslog for more facilities. Choose one, for example,

 # Logging
 SyslogFacility local5
 LogLevel INFO

Then configure your syslog.conf as follows:

 local5.info |/var/run/mysshwatcher.pipe 

Add the script that you are going to write to /etc/inittab so that it continues to work:

 sw0:2345:respawn:/usr/local/bin/mysshwatcher.sh 

then write a script:

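 #!/bin/sh
 # Named pipe that syslogd writes the local5.info messages to
 P=/var/run/mysshwatcher.pipe
 # Create the pipe if it does not exist yet
 test -p "$P" || mkfifo "$P"
 while read x <"$P"; do
   # ... whatever, eg:
   echo "ssh info: $x" | wall
 done;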

Finally, restart your syslogd and restart inittab (init q) and it should work. If you use other variants of these services, you need to configure them accordingly (for example, newsyslogd => /etc/newsyslog.conf; Ubuntu: /etc/event.d instead of inittab)

This is very rudimentary and lacking, but should be enough for you to start ...

Additional Information: man sshd_config for additional logging / verbosity options.

+13

If you don't care how they logged in (telnet / ssh), the last Unix command-line utility shows you the last few logins in the machine. Remote users will show IP address

[root@ex02 www]# last
foo      pts/1        81.31.xy         Sun Jan 18 07:25   still logged in
foo      pts/0        81.31.xy         Sun Jan 18 01:51   still logged in
foo      pts/0        81.31.xy         Sat Jan 17 03:51 - 07:52  (04:00)
bar      pts/5        199.146.xy       Fri Jan 16 08:57 - 13:29  (04:32)

+5

Configure the named pipe and configure the log file parser to listen to it and send ssh messages to it. The log file analyzer can do what you want, or send a signal to the daemon.

The redirection of the log file is done in the configuration file in /etc/, whose name eludes me right now. /etc/syslog.conf, I think.

+4

I created a program (which I call Authentication Monitor) that solves the problem described in the question.

If you want it, you can download it more simply to find out how I solve this problem (using log files).

You can find the Authentication Monitor freely available here: http://bwyan.dk/?p=1744

+2

We had the same problem, so we wrote our own script. It can be downloaded from GitHub.

Hope this helps :)

Hooray! Ivan

0