LinuxQuestions.org
Old 10-05-2012, 02:40 PM   #1
Rupadhya
Member
 
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20
Posts: 167

Can I have a script send me an email if a person logs on incorrectly 3 times?


Hello All,

I was wondering how I would alert if a person mistyped their password 3 times (or if a person was trying to hack into the Linux machine).

Many thanks,

Raj Upadhyaya
 
Old 10-05-2012, 02:59 PM   #2
schneidz
Senior Member
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-19-live-usb/ aix
Posts: 3,812

Maybe you can periodically read /var/log/secure, and if you see something like "Failed password for root" you can run the mail command.
 
2 members found this post helpful.
Old 10-05-2012, 04:02 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

If you want say hourly or daily (use a cron job) mailed reports of items of interest (wrt logins: /var/log/secure, /var/log/audit/audit.log) you could use Logwatch. Else, if it must be after exactly 3 login failures and it must be emailed immediately, then yeah, you should script something. Of course you don't allow root to log in over the network so that's never gonna be an issue, right?
 
1 members found this post helpful.
Old 10-05-2012, 08:23 PM   #4
Rupadhya
Member
 
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20
Posts: 167

Original Poster
This is what I have coded in a script so far. It reads /etc/passwd and gets the names of all the users. It then looks in /var/log/secure for any password violations. If they are greater than 0, it prints the name of the user. I will work on making it check if the password violations were within 5 minutes of each other and automate a mail to the admin. There is probably a more elegant solution to this problem and I welcome any suggestions. I don't log on remotely to root, but I want to see if people are sitting down at the console and trying to log in to any user.
- Raj
Code:
#!/bin/bash
# Print every account in /etc/passwd that has failed password checks
# logged in /var/log/secure, followed by the number of failures.
readPasswd() {
  local name rest countOfViolations
  # The first colon-separated field of each passwd line is the user name.
  while IFS=: read -r name rest
  do
    # -F matches the message as a fixed string; -c counts the matching lines.
    countOfViolations=$(grep -cF "password check failed for user ($name)" \
      /var/log/secure)
    # Treat an unreadable log (empty grep output) as zero violations.
    if [ "${countOfViolations:-0}" -gt 0 ]
    then
      echo "$name $countOfViolations"
    fi
  done < /etc/passwd
}
### Beginning of main program..
readPasswd
 
Old 10-05-2012, 09:30 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

0) If you assert UIDs between 1 and 500 (or ^MIN_UID= from /etc/login.defs) are system accounts with an inert shell like false, nologin or w/o valid login, then
Code:
awk -F: '$3 == 0 || $3 >= 500 { print $1 }' /etc/passwd
should get you the local user names more easily. 1) Beware you're only checking for failures in existing account names (wrt guessing, I don't know if this is about a public access point, server or personal laptop), and 2) if you only check for "password check failed for user" then you'll be missing strings. For a list of possibilities see
Code:
strings -an4 /lib/security/pam_u*.so|egrep -ie "(authen|failu|identify|inval|correc)"|sort -u
BTW you do know about /usr/share/doc/pam-*/txts/README.pam_tally{,2}, right?
 
1 members found this post helpful.
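
The check discussed in posts #4 and #5 (three failures within five minutes, counted for any name that appears in the log rather than only for accounts in /etc/passwd), as an added example that is not code from any poster in this thread. It goes slightly beyond the thread by also matching sshd's "invalid user" form. Assumptions: the function name failed_login_bursts and the THRESHOLD and WINDOW variables are invented here, the log uses traditional syslog timestamps ("Oct  5 14:40:01", no year, so bursts spanning a leap day or New Year are not handled), and the sample lines are constructed.

```bash
#!/bin/bash
# Added example, not code from the thread. Reads syslog-style lines on stdin and
# prints "user threshold first-time last-time" per burst. THRESHOLD/WINDOW are example names.
failed_login_bursts() {
  awk -v threshold="${THRESHOLD:-3}" -v window="${WINDOW:-300}" '
  BEGIN {
    # Days elapsed before each month (non-leap year), to order "Mon DD" stamps.
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
    split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
    for (i = 1; i <= 12; i++) before[mon[i]] = off[i]
  }
  {
    user = ""
    if (match($0, /password check failed for user \([^)]+\)/)) {
      # unix_chkpwd form quoted in the thread: user name is in parentheses.
      user = substr($0, RSTART + 32, RLENGTH - 33)
    } else if (match($0, /Failed password for (invalid user )?[^ ]+ from /)) {
      # sshd form; "invalid user" covers names that are not in /etc/passwd.
      user = substr($0, RSTART, RLENGTH)
      sub(/^Failed password for (invalid user )?/, "", user)
      sub(/ from $/, "", user)
    }
    if (user == "") next
    split($3, hms, ":")
    now = ((before[$1] + $2) * 24 + hms[1]) * 3600 + hms[2] * 60 + hms[3]
    n = ++count[user]
    when[user, n] = now; stamp[user, n] = $3
    first = n - threshold + 1
    if (first >= 1 && now - when[user, first] <= window) {
      print user, threshold, stamp[user, first], stamp[user, n]
      count[user] = 0   # restart the count so one burst is reported once
    }
  }'
}

# Constructed sample lines (not real log data): raj fails 3 times in 4 minutes,
# bob fails 3 times spread over 40 minutes.
SAMPLE_LOG='Oct  5 14:40:01 host1 unix_chkpwd[2101]: password check failed for user (raj)
Oct  5 14:41:10 host1 unix_chkpwd[2105]: password check failed for user (raj)
Oct  5 14:43:55 host1 unix_chkpwd[2110]: password check failed for user (raj)
Oct  5 15:00:00 host1 sshd[2200]: Failed password for invalid user bob from 192.0.2.7 port 4022 ssh2
Oct  5 15:20:00 host1 sshd[2207]: Failed password for invalid user bob from 192.0.2.7 port 4031 ssh2
Oct  5 15:40:00 host1 sshd[2214]: Failed password for invalid user bob from 192.0.2.7 port 4040 ssh2'

# From cron, mail only when a burst was found:
#   out=$(failed_login_bursts < /var/log/secure); [ -n "$out" ] && echo "$out" | mail -s "login failures" root
printf '%s\n' "$SAMPLE_LOG" | failed_login_bursts
```

On the sample it reports only raj; bob's three failures are more than five minutes apart, so nothing is printed for him.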
Old 10-05-2012, 09:51 PM   #6
Rupadhya
Member
 
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20
Posts: 167

Original Poster
Quote:
BTW you do know about /usr/share/doc/pam-*/txts/README.pam_tally{,2}, right?
No, I didn't know about that. I will modify my /etc/pam.d/login and test it. Thank you.
- Raj
 
Old 10-06-2012, 01:11 PM   #7
schneidz
Senior Member
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-19-live-usb/ aix
Posts: 3,812

Also, this might be what fail2ban does. I've never used it so I am not sure.
 
Old 10-06-2012, 03:13 PM   #8
kpsingh
LQ Newbie
 
Registered: Oct 2012
Location: chandigarh, india
Distribution: rhel6, fedora 14
Posts: 1


To make it more precise you can use the "lastb" command; it is for last bad attempts on the system. Count the attempts and if they increase from 3, then do the mail.
 
2 members found this post helpful.
  

