-   Linux - Newbie (
-   -   Can I have a script send me an email if a person logs on incorrectly 3 times? (

Rupadhya 10-05-2012 03:40 PM

Can I have a script send me an email if a person logs on incorrectly 3 times?
Hello All,

I was wondering how I would alert if a person misstyped their password 3 times (or if a person was trying to hack into the Linux machine).

Many thanks,

Raj Upadhyaya

schneidz 10-05-2012 03:59 PM

maybe you can periodically read /var/log/secure and if you see something like Failed password for root you can run the mail command.

unSpawn 10-05-2012 05:02 PM

If you want say hourly or daily (use a cron job) mailed reports of items of interest (wrt logins: /var/log/secure, /var/log/audit/audit.log) you could use Logwatch. Else, if it must be after exactly 3 login failures and it must be emailed immediately, then yeah, you should script something. Of course you don't allow root to log in over the network so that's never gonna be an issue, right?

Rupadhya 10-05-2012 09:23 PM

This is what I have coded in a script so far.. It reads the /etc/passwd and gets the name of all the users. It then looks in /var/log/secure for any password violations. If they are greater than 0, It prints the name of the user. I will work on making it check if the password violations were within 5 minutes of each other and automate a mail to the admin. There is probably a more elegant solution to this problem and I welcome any suggestions. I don't log on remotely to root, but I want to see if people are sitting down to the console and trying to log in to any user.
- Raj

#! /bin/bash
readPasswd() {
local y
while read lineInput
for (( ; ; ))
    passwdString=$(echo $lineInput | tr ":" "\n")
    for name in $passwdString
      if [ "$x" -eq "1" ]
      countOfViolations=$(grep "password check failed for user ($name)" \
/var/log/secure  | wc | awk  '{ print $1 }');
      if [ "$countOfViolations" -gt "0" ] 
        then echo $name' '$countOfViolations;
done < /etc/passwd
### Beginning of main program..

unSpawn 10-05-2012 10:30 PM

0) If you assert UID's between 1 and 500 (or ^MIN_UID= from /etc/login.defs) are system accounts with inert shell like false, nologin or w/o valid login, then

awk -F: '$3 == 0 || $3 >= 500 { print $1 }' /etc/passwd
should get you the local user names more easily. 1) Beware you're only checking for failures in existing account names (wrt guessing, I don't know if this is about a public access point, server or personal laptop), and 2) if you only check for "password check failed for user" then you'll be missing strings. For a list of possibilities see

strings -an4 /lib/security/pam_u*.so|egrep -ie "(authen|failu|identify|inval|correc)"|sort -u
BTW you do know about /usr/share/doc/pam-*/txts/README.pam_tally{,2}, right?

Rupadhya 10-05-2012 10:51 PM


BTW you do know about /usr/share/doc/pam-*/txts/README.pam_tally{,2}, right?
No, I didn't know about that. I will modify my /etc/pam.d/login and test it. Thank you.
- Raj

schneidz 10-06-2012 02:11 PM

also, this mite be what fail2ban does. i've never used it so i am not sure.

kpsingh 10-06-2012 04:13 PM

To make it more precise u can use
"lastb" command it is for last bad attempts on the system
count the attempts and if they increases from 3 then do the mail

All times are GMT -5. The time now is 04:11 AM.