
Login Monitor

Submitted by on March 6, 2015 – 12:02 am

Sometimes after a couple of beers I start feeling paranoid. I make sure the door is locked and check my firewall logs. Here’s a very basic script to monitor your server’s login record and notify you about logins from unknown sources. It’s nothing fancy, but it gets the job done.

The first time you run the script, it will profile /var/log/wtmp and build a /var/adm/bin/last_mon_allowed.txt file containing the source addresses of all previous logins. It is assumed that every one of those addresses is allowed and no alerts will be sent out during the first run. The file will look something like this:

#this_line:192.168.22.149
#this_line:ext.yourcompany.com
#this_line:192.168.22.141
#this_line:166.120.31.40
#this_line:166.120.31.60

From that moment forward, every time you run the script, it will notify you of any logins coming from an address not yet listed in last_mon_allowed.txt. After sending out a notification, the script will add the new address to the last_mon_allowed.txt file. This way you will not receive any duplicate notifications.

If you save this script as /var/adm/bin/last_mon.sh, you can add the following cron job to monitor your logins every half hour from 9am to 7pm, Mon-Fri. This should be sufficient if you’re one of those people who don’t like being bothered.

*/30 9-19 * * 1-5 /var/adm/bin/last_mon.sh >/dev/null 2>&1

And here’s the script:
#!/bin/bash
# Monitor logins and notify about unknown IPs
# 01001011 01110010 01100001 01111010 01111001 
# 01010111 01101111 01110010 01101011 01110011

configure() {
	this_host=$(hostname | awk -F'.' '{print $1}')
	this_script=$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")
	base_dir="/var/adm/bin"
	if [ ! -d "${base_dir}" ] ; then mkdir -p "${base_dir}" ; fi
	allowed_list="${base_dir}/last_mon_allowed.txt"
	# First run (no allow list yet): f=1 profiles the whole login record
	# without alerting; later runs (f=0) only look at the 20 most recent entries.
	if [ ! -r "${allowed_list}" ] ; then touch "${allowed_list}" ; f=1 ; c=10000 ; else f=0 ; c=20 ; fi

	subject="Unknown login on ${this_host}"
	email="your_email@domain.com"
}

monitor() {
	# Skip reboot records and keep only entries whose source looks like a
	# hostname or dotted IPv4 address (local console logins have no source).
	last -${c} | grep -v "system boot" | grep -E "[a-zA-Z0-9]{1,20}\.[a-zA-Z0-9]{1,20}.*\.[a-zA-Z0-9]{1,4}" | while read -r line
	do
		u=$(echo "${line}" | awk '{print $1}')
		a=$(echo "${line}" | awk '{print $3}')
		t=$(echo "${line}" | awk '{$1=$2=$3=""; print $0}' | sed -e 's/^[ \t]*//')

		# Literal whole-line match (-F -x) so the dots in an address are not
		# treated as regex wildcards and a shorter address cannot match a longer one.
		if [ "$(grep -c -F -x "#this_line:${a}" "${allowed_list}")" -eq 0 ]
		then
			if [ "${f}" -eq 1 ]
			then
				echo "#this_line:${a}" >> "${allowed_list}"
			else
				echo "Unknown login to ${this_host} by ${u} from ${a} on ${t}" | mailx -s "${subject}" "${email}"
				echo "#this_line:${a}" >> "${allowed_list}"
			fi
		fi
	done
}

# RUNTIME
configure
monitor
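To exercise the allow-list check without touching a live wtmp, here is an added example (not from the original post) that runs the same "unknown source" test over constructed `last`-style lines and a constructed allow list. It goes slightly beyond the script above by also admitting IPv6 sources and by matching the allow list literally rather than as a regex.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's "unknown source"
# logic to constructed `last` output so it can be checked offline.
# Assumed field layout: user, tty, host, then the timestamp (default `last`).

# Constructed sample of `last` output (not real login records).
SAMPLE_LAST='alice    pts/0        192.168.22.149   Fri Mar  6 00:01   still logged in
bob      pts/1        ext.yourcompany.com Thu Mar  5 22:10 - 22:40  (00:30)
root     tty1                          Thu Mar  5 21:00 - 21:05  (00:05)
carol    pts/2        203.0.113.7      Thu Mar  5 20:15 - 20:50  (00:35)
dave     pts/3        2001:db8::10     Thu Mar  5 19:00 - 19:30  (00:30)
reboot   system boot  4.4.0-generic    Thu Mar  5 18:55
wtmp begins Mon Mar  2 09:00:00 2015'

# Constructed allow list in the post's "#this_line:<source>" format.
ALLOWED='#this_line:192.168.22.149
#this_line:ext.yourcompany.com'

# is_remote_source HOST: true for a dotted hostname/IPv4 or an IPv6 literal.
# The post's regex only catches the dotted forms; this also admits IPv6.
is_remote_source() {
    printf '%s\n' "$1" |
    grep -E -q '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'
}

# unknown_logins: print "user source" for every login whose source is absent
# from the allow list. grep -F -x matches the whole line literally, so "." is
# not a wildcard and 10.0.0.1 cannot match "#this_line:10.0.0.10".
unknown_logins() {
    printf '%s\n' "$SAMPLE_LAST" | grep -v 'system boot' | grep -v '^wtmp begins' |
    while read -r u tty host rest; do
        # Console logins have no host, so the third field is a weekday: skip them.
        is_remote_source "$host" || continue
        if ! printf '%s\n' "$ALLOWED" | grep -F -x -q "#this_line:${host}"; then
            printf '%s %s\n' "$u" "$host"
        fi
    done
}

unknown_logins
```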
