
Re: ssh login tracking



On Thu, Jul 14, 2005 at 02:06:53AM -0400, Chris Wagner wrote:
> I would do it based on the syslog. You can have a perl script that
> stays running that keeps reading an appropriate log file and sends the
> email when it sees the appropriate sshd: line. Think of it as a smart
> tail -f. If you do a search you can find some examples of the tail
> functionality.

yep, agreed.


File::Tail is an excellent perl module for doing this kind of thing.

i have some example File::Tail perl scripts (mostly postfix mail.log related)
in http://taz.net.au/postfix/scripts/

e.g. 

1. monitor-tls.pl - monitor mail.log and add entries to
/etc/postfix/tls-per-site denying TLS to sites with TLS errors (useful
when you have sites connecting that have broken TLS implementations).

this is a very simple script, and easily forms the skeleton of a generic
log-watching script.


2. watch-maillog.pl - monitor mail.log and add temporary iptables rules
to block smtp connections from IP addresses that commit a variety of
"crimes". an interesting experiment but ultimately not worth the bother.
also does pop-before-smtp stuff.

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
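
The approach discussed in this thread, as an added example that is not part of the original message or of the scripts it links to: a File::Tail watcher that reports successful sshd logins. The log path argument, the `Accepted <method> for <user> from <addr> port <n>` line format (OpenSSH's usual syslog wording) and the sample lines are assumptions.

```perl
#!/usr/bin/perl
# Added example: report successful sshd logins seen in a syslog file.
use strict;
use warnings;

# Return a hashref for a successful sshd login line, undef for anything else.
# The match is anchored at the start of the line and on the sshd[pid] tag, so
# text that merely contains the word "Accepted" elsewhere does not trigger it.
sub parse_sshd_login {
    my ($line) = @_;
    return unless $line =~ m{
        ^(\w{3}\s+\d+\s[\d:]{8})\s       # syslog timestamp
        (\S+)\s                           # logging host
        sshd\[\d+\]:\s
        Accepted\s(\S+)\sfor\s(\S+)\s    # auth method, account name
        from\s(\S+)\sport\s(\d+)          # source address, source port
    }x;
    return { time => $1, host => $2, method => $3,
             user => $4, from => $5, port => $6 };
}

# Emit one notification; swap the printf for a mail call to send e-mail.
sub report {
    my ($l) = @_;
    printf "ssh login: %s\@%s from %s port %s (%s) at %s\n",
        @{$l}{qw(user host from port method time)};
}

if (@ARGV) {
    # Live mode: follow the file named on the command line (assumed to be
    # the sshd log, e.g. /var/log/auth.log). File::Tail handles rotation.
    require File::Tail;
    my $tail = File::Tail->new(name => $ARGV[0], maxinterval => 5, interval => 1);
    while (defined(my $line = $tail->read)) {
        my $login = parse_sshd_login($line) or next;
        report($login);
    }
} else {
    # Demo mode: constructed sample lines, not real log data.
    my @sample = (
        'Jul 14 02:06:53 gw sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2',
        'Jul 14 02:07:10 gw sshd[2215]: Failed password for root from 203.0.113.5 port 40022 ssh2',
        'Jul 14 02:08:01 gw sshd[2230]: Accepted password for bob from 203.0.113.5 port 40100 ssh2',
    );
    for my $line (@sample) {
        my $login = parse_sshd_login($line) or next;
        report($login);
    }
}
```

Run without arguments it processes the constructed sample lines; given a log file path it follows that file and needs the File::Tail module from CPAN.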


