[SOLVED] Can I have a script send me an email if a person logs on incorrectly 3 times?
If you want, say, hourly or daily (use a cron job) mailed reports of items of interest (wrt logins: /var/log/secure, /var/log/audit/audit.log) you could use Logwatch. Else, if it must be after exactly 3 login failures and it must be emailed immediately, then yeah, you should script something. Of course you don't allow root to log in over the network so that's never gonna be an issue, right?
This is what I have coded in a script so far. It reads the /etc/passwd and gets the name of all the users. It then looks in /var/log/secure for any password violations. If they are greater than 0, it prints the name of the user. I will work on making it check if the password violations were within 5 minutes of each other and automate a mail to the admin. There is probably a more elegant solution to this problem and I welcome any suggestions. I don't log on remotely to root, but I want to see if people are sitting down to the console and trying to log in to any user.
- Raj
Code:
#!/bin/bash

# Print every account in /etc/passwd that has failed password checks
# recorded in /var/log/secure, followed by the number of failures.
readPasswd() {
    local name countOfViolations
    # The user name is the first colon-separated field of each passwd line.
    while IFS=: read -r name _
    do
        # -F matches the string literally, -c counts the matching lines.
        countOfViolations=$(grep -cF "password check failed for user ($name)" \
            /var/log/secure 2>/dev/null)
        if [ "${countOfViolations:-0}" -gt 0 ]
        then
            echo "$name $countOfViolations"
        fi
    done < /etc/passwd
}

### Beginning of main program..
readPasswd
0) If you assert UID's between 1 and 500 (or ^MIN_UID= from /etc/login.defs) are system accounts with inert shell like false, nologin or w/o valid login, then
should get you the local user names more easily. 1) Beware you're only checking for failures in existing account names (wrt guessing, I don't know if this is about a public access point, server or personal laptop), and 2) if you only check for "password check failed for user" then you'll be missing strings. For a list of possibilities see
To make it more precise you can use the "lastb" command; it is for last bad attempts on the system. Count the attempts and if they increase from 3 then do the mail.
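The "within 5 minutes of each other, then mail the admin" check discussed in this thread can be done in one pass over the log, as in the added example below, which is not code from any poster. It assumes traditional syslog timestamps ("Mon DD HH:MM:SS", no year, non-leap month offsets) and the message text used in the script above; the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): report users with THRESHOLD failed
# password checks inside WINDOW seconds, then mail the admin.
THRESHOLD=3; WINDOW=300   # failures, seconds (5 minutes)

# Reads log lines on stdin, prints one offending user name per line.
find_bursts() {
    awk -v threshold="$THRESHOLD" -v window="$WINDOW" '
    BEGIN {
        # Days before each month (assumption: non-leap year, no year rollover).
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
        for (i = 1; i <= 12; i++) days_before[mon[i]] = off[i]
    }
    /password check failed for user \(/ {
        # Traditional syslog stamp: $1=month, $2=day, $3=HH:MM:SS.
        split($3, t, ":")
        now = ((days_before[$1] + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        user = $0
        sub(/.*password check failed for user \(/, "", user)
        sub(/\).*/, "", user)
        n = ++count[user]
        stamp[user, n] = now
        # Flag when this failure and the one (threshold-1) back fit the window.
        if (n >= threshold && now - stamp[user, n - threshold + 1] <= window)
            hit[user] = 1
    }
    END { for (u in hit) print u }
    ' | sort
}

# Hypothetical helper: alert_admin LOGFILE ADDRESS (uses the mail command).
alert_admin() {
    local users
    users=$(find_bursts < "$1")
    [ -n "$users" ] || return 0
    printf 'Repeated failed logins:\n%s\n' "$users" | mail -s "Failed login alert" "$2"
}

# Constructed sample lines in the /var/log/secure style.
sample_log() {
    cat <<'EOF'
Mar  4 09:00:00 host1 unix_chkpwd[2001]: password check failed for user (amy)
Mar  4 09:10:00 host1 unix_chkpwd[2002]: password check failed for user (amy)
Mar  4 09:20:00 host1 unix_chkpwd[2003]: password check failed for user (amy)
Mar  4 10:15:01 host1 unix_chkpwd[2101]: password check failed for user (raj)
Mar  4 10:16:10 host1 unix_chkpwd[2105]: password check failed for user (raj)
Mar  4 10:18:45 host1 unix_chkpwd[2110]: password check failed for user (raj)
EOF
}
```

Because the user name is taken from the log line rather than from /etc/passwd, failures against non-existent account names are counted too. Run from cron, alert_admin re-reads the whole file each time, so the same burst is reported again until the log rotates.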