Re: ssh login tracking
On Thu, Jul 14, 2005 at 02:06:53AM -0400, Chris Wagner wrote:
> I would do it based on the syslog. You can have a perl script that
> stays running that keeps reading an appropriate log file and sends the
> email when it sees the appropriate sshd: line. Think of it as a smart
> tail -f. If you do a search you can find some examples of the tail
> functionality.

yep, agreed.

File::Tail is an excellent perl module for doing this kind of thing.

i have some example File::Tail perl scripts (mostly postfix mail.log related)
in http://taz.net.au/postfix/scripts/

e.g.

1. monitor-tls.pl - monitor mail.log and add entries to
   /etc/postfix/tls-per-site denying TLS to sites with TLS errors (useful
   when you have sites connecting that have broken TLS implementations).
   this is a very simple script, and easily forms the skeleton of a generic
   log-watching script.

2. watch-maillog.pl - monitor mail.log and add temporary iptables rules
   to block smtp connections from IP addresses that commit a variety of
   "crimes". an interesting experiment but ultimately not worth the bother.
   also does pop-before-smtp stuff.

craig
--
craig sanders <cas@taz.net.au> (part time cyborg)
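
Added example, not part of the original message and not one of the scripts in the directory linked above: a File::Tail watcher for the ssh case discussed in this thread, mailing a notice for each successful sshd login. The log path, recipient, sendmail location and the `--selftest` switch are assumptions, and the sample log lines are constructed.

```perl
#!/usr/bin/perl
# Added example: follow the auth log and mail a notice per accepted sshd login.
use strict;
use warnings;
use File::Tail;

# Assumed values; adjust for the local system.
my $LOG      = '/var/log/auth.log';
my $RCPT     = 'root@localhost';
my $SENDMAIL = '/usr/sbin/sendmail';

# Return (user, method, ip) for an OpenSSH "Accepted ..." line, else an empty list.
sub parse_login {
    my ($line) = @_;
    return $line =~ /\bsshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+/
        ? ($2, $1, $3) : ();
}

sub notify {
    my ($user, $method, $ip, $line) = @_;
    # List-form pipe open runs sendmail without a shell, so nothing taken
    # from the log line can be interpreted as a command.
    open(my $mail, '|-', $SENDMAIL, '-oi', $RCPT)
        or do { warn "cannot run $SENDMAIL: $!"; return };
    print $mail "To: $RCPT\nSubject: ssh login: $user from $ip ($method)\n\n$line\n";
    close($mail) or warn "sendmail exited with status $?";
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    # Constructed sample lines using documentation addresses, not real log data.
    my @sample = (
        'Jul 14 02:10:01 host sshd[4321]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2',
        'Jul 14 02:10:05 host sshd[4322]: Failed password for root from 198.51.100.7 port 40111 ssh2',
    );
    for my $l (@sample) {
        my @hit = parse_login($l);
        print @hit ? "MATCH  @hit\n" : "skip   $l\n";
    }
    exit 0;
}

# tail => 0 starts at the current end of file, so old logins are not re-reported.
my $tail = File::Tail->new(name => $LOG, tail => 0, interval => 1, maxinterval => 5);
while (defined(my $line = $tail->read)) {
    chomp $line;
    my ($user, $method, $ip) = parse_login($line) or next;
    notify($user, $method, $ip, $line);
}
```

Run it with `--selftest` to check the pattern against the two constructed lines before pointing it at a live log; the sshd message format can differ between OpenSSH versions and syslog setups.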