LinuxQuestions.org


xwjitftu 08-24-2011 06:37 PM

run command/program after failed login attempts
 
Hi, I'm running Ubuntu 11.04 and I am trying to make it so that after 4 failed login attempts, it runs a program. How would I go about doing this? Any help would be greatly appreciated.

roels 08-25-2011 09:16 AM

Failed logins are being logged in '/var/log/faillog'. You can use the command 'faillog' to print the failed logins on your screen. So you can create a script that uses this output to check if the amount of failed logins exceeds '4' and runs a command if necessary.
I hope this gets you started.

xwjitftu 08-25-2011 01:55 PM

Thank you for your reply. It was very informative. Is there any way I can make it run a program/script in the login window; i.e. after 4 unsuccessful attempts it sends email even if no one successfully logs in? It seems like to do this the script to check failed logins would have to be running in the background during login.

xwjitftu 08-25-2011 01:59 PM

In addition, how would I view the faillog file? i.e. what type of file is it?
EDIT: I figured out how to open the faillog in terminal, but how would I go about making a bash script that reads the faillog on each login attempt in the login screen, and then does some command?

roels 08-25-2011 02:52 PM

Quote:

Originally Posted by xwjitftu (Post 4453319)
I figured out how to open the faillog in terminal, but how would I go about making a bash script that reads the faillog on each login attempt in the login screen, and then does some command?

I don't know if that is possible. I would suggest using cron to run something like this every hour or so:
Code:

# "username" and "executecommand" are placeholders; a user with no faillog entry counts as 0
n=$(faillog | awk '$1 == "username" {print $2}'); if [ "${n:-0}" -ge 4 ]; then executecommand; fi

However, you should realize that an attacker with physical access will probably gain root access via 'single user mode'.

xwjitftu 08-25-2011 08:04 PM

I know... this is more of a fun side project than anything else, because my sister has a habit of trying to guess my password;)

Reuti 08-26-2011 10:05 AM

I think the failed attempts are also recorded in /var/log/messages. In syslog-ng one can filter these messages and send them to a named pipe:
Code:

destination process { pipe("/tmp/tester" perm(0644)); };
log { source(src); filter(foobar); destination(process); };

At the other end you have an endless running process where you are waiting on something to arrive at the pipe:
Code:

$ while IFS= read -r LINE; do echo "Got: $LINE"; done < /tmp/tester

There you can process anything you like with these messages.
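
One way to write the process at the reading end of such a pipe so that it runs a command after 4 failed attempts, as an added example that is not part of the thread. The pam_unix message format, the constructed sample lines and the names `watch_failures`, `is_failure_for` and `sample_log` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. pam_unix-style syslog lines are assumed;
# check the exact format your display manager logs before relying on it.

# is_failure_for USER LINE: true when LINE is an auth failure for USER.
# USER is compared literally and the line is never evaluated, because the
# user name in the log is whatever was typed at the login prompt.
is_failure_for() {
    case $2 in
        *"authentication failure;"*" user=$1"|*"authentication failure;"*" user=$1 "*) return 0 ;;
    esac
    return 1
}

# watch_failures USER THRESHOLD COMMAND...: read log lines on stdin and run
# "COMMAND USER COUNT" each time USER reaches THRESHOLD failures since the
# last successful login. COMMAND gets /dev/null so it cannot eat log lines.
watch_failures() {
    wf_user=$1 wf_max=$2 wf_count=0
    shift 2
    while IFS= read -r wf_line; do
        case $wf_line in
            *"session opened for user $wf_user "*) wf_count=0; continue ;;
        esac
        is_failure_for "$wf_user" "$wf_line" || continue
        wf_count=$((wf_count + 1))
        if [ "$wf_count" -ge "$wf_max" ]; then
            "$@" "$wf_user" "$wf_count" < /dev/null
            wf_count=0
        fi
    done
    return 0
}

# Constructed sample input (hypothetical host, users and timestamps).
sample_log() {
    cat <<'EOF'
Aug 26 10:00:01 box gdm[911]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Aug 26 10:00:09 box gdm[911]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Aug 26 10:00:15 box gdm[911]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=bob
Aug 26 10:00:21 box gdm[911]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Aug 26 10:00:30 box gdm[911]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Aug 26 10:01:10 box gdm[911]: pam_unix(gdm:session): session opened for user alice by (uid=0)
Aug 26 18:40:02 box gdm[911]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
EOF
}

# Demo on the sample; for live use read from the pipe: watch_failures alice 4 yourcommand < /tmp/tester
sample_log | watch_failures alice 4 echo ALERT
```

Unlike the hourly cron check, this reacts as each line arrives, and the counter resets on a successful login the same way faillog's does.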

xwjitftu 08-26-2011 07:23 PM

Got it! If I change the PAM common-auth file, I can make it so on every failed login attempt it runs a bash script.


All times are GMT -5.