[SOLVED] Can I have a script send me an email if a person logs on incorrectly 3 times?

Hello All,

I was wondering how I would alert if a person misstyped their password 3 times (or if a person was trying to hack into the Linux machine).

Many thanks,

Raj Upadhyaya

maybe you can periodically read /var/log/secure and if you see something like Failed password for root you can run the mail command.

If you want say hourly or daily (use a cron job) mailed reports of items of interest (wrt logins: /var/log/secure, /var/log/audit/audit.log) you could use Logwatch. Else, if it must be after exactly 3 login failures and it must be emailed immediately, then yeah, you should script something. Of course you don't allow root to log in over the network so that's never gonna be an issue, right?

This is what I have coded in a script so far.. It reads the /etc/passwd and gets the name of all the users. It then looks in /var/log/secure for any password violations. If they are greater than 0, It prints the name of the user. I will work on making it check if the password violations were within 5 minutes of each other and automate a mail to the admin. There is probably a more elegant solution to this problem and I welcome any suggestions. I don't log on remotely to root, but I want to see if people are sitting down to the console and trying to log in to any user.
- Raj

Code:

#! /bin/bash
readPasswd() {
local y
while read lineInput
do 
for (( ; ; ))
  do
    passwdString=$(echo $lineInput | tr ":" "\n")
    x=0
    for name in $passwdString
    do
      x=$[x+1]
      if [ "$x" -eq "1" ] 
       then
       countOfViolations=$(grep "password check failed for user ($name)" \
/var/log/secure  | wc | awk  '{ print $1 }');
       if [ "$countOfViolations" -gt "0" ]  
        then echo $name' '$countOfViolations;
       fi
      fi     
    done
    break
  done
done < /etc/passwd
}
### Beginning of main program..
readPasswd

0) If you assert UID's between 1 and 500 (or ^MIN_UID= from /etc/login.defs) are system accounts with inert shell like false, nologin or w/o valid login, then

Code:

awk -F: '$3 == 0 || $3 >= 500 { print $1 }' /etc/passwd

should get you the local user names more easily. 1) Beware you're only checking for failures in existing account names (wrt guessing, I don't know if this is about a public access point, server or personal laptop), and 2) if you only check for "password check failed for user" then you'll be missing strings. For a list of possibilities see

Code:

strings -an4 /lib/security/pam_u*.so|egrep -ie "(authen|failu|identify|inval|correc)"|sort -u

BTW you do know about /usr/share/doc/pam-*/txts/README.pam_tally{,2}, right?

Quote:

BTW you do know about /usr/share/doc/pam-*/txts/README.pam_tally{,2}, right?

No, I didn't know about that. I will modify my /etc/pam.d/login and test it. Thank you.
- Raj

also, this mite be what fail2ban does. i've never used it so i am not sure.

To make it more precise u can use
"lastb" command it is for last bad attempts on the system
count the attempts and if they increases from 3 then do the mail