
Re: ssh login tracking

I wrote it using File::Tail. If anyone needs it for anything, let me
know and I'll send you a copy.

Works nicely. Thanks for the clue on File::Tail. Very little impact
on the system. I wrote it generically (you can specify the file to
watch, and look for incoming lines matching one of a hash of
regexes), so it could be used for other applications. It is

Again, thanks a lot for the pointers. Client is very happy. By the
way, I used auth.log instead of syslog. Much less traffic.


> On Thu, Jul 14, 2005 at 02:06:53AM -0400, Chris Wagner wrote:
>> I would do it based on the syslog. You can have a perl script that
>> stays running that keeps reading an appropriate log file and sends
>> the email when it sees the appropriate sshd: line. Think of it as a
>> smart tail -f. If you do a search you can find some examples of the
>> tail functionality.
> yep, agreed.
> File::Tail is an excellent perl module for doing this kind of thing.
> i have some example File::Tail perl scripts (mostly postfix mail.log
> related) in http://taz.net.au/postfix/scripts/
> e.g.
> 1. monitor-tls.pl - monitor mail.log and add entries to
> /etc/postfix/tls-per-site denying TLS to sites with TLS errors
> (useful when you have sites connecting that have broken TLS
> implementations). this is a very simple script, and easily forms the
> skeleton of a generic log-watching script.
> 2. watch-maillog.pl - monitor mail.log and add temporary iptables
> rules to block smtp connections from IP addresses that commit a
> variety of "crimes". an interesting experiment but ultimately not
> worth the bother. also does pop-before-smtp stuff.
> craig
> --
> craig sanders <cas@taz.net.au>           (part time cyborg)

Meddle not in the Affairs of Dragons
    for thou art crunchy, and good with catsup.
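
A sketch of the kind of watcher described in this message (a file to follow plus a hash of regexes), added here as an example; it is not the poster's script. The event names, sample log lines and the print-only alert are assumptions, and the patterns assume OpenSSH's usual auth.log wording.

```perl
#!/usr/bin/perl
# Added example (hypothetical names): watch a log for lines matching a hash of regexes.
use strict;
use warnings;

# Event name => pattern; named captures become the alert fields.
# The user name is remote-supplied text, so each pattern is anchored to the
# end of the line and the greedy user field leaves the last "from ... port"
# (the one sshd itself wrote) to supply the address.
my %watch = (
    ssh_login  => qr/sshd\[\d+\]: Accepted (?<method>\S+) for (?<user>.+) from (?<ip>\S+) port \d+ ssh2(?:: .*)?$/,
    ssh_failed => qr/sshd\[\d+\]: Failed (?<method>\S+) for (?:invalid user )?(?<user>.+) from (?<ip>\S+) port \d+ ssh2$/,
);

# Return (event name, hashref of captures) for the first matching pattern, or ().
sub match_line {
    my ($line) = @_;
    for my $event (sort keys %watch) {
        return ($event, +{ %+ }) if $line =~ $watch{$event};
    }
    return;
}

# Alert action: printed here; the thread's use case would send mail instead.
sub alert {
    my ($event, $f) = @_;
    print "$event: user=$f->{user} ip=$f->{ip} method=$f->{method}\n";
}

sub handle {
    my ($line) = @_;
    my ($event, $fields) = match_line($line) or return;   # no pattern matched
    alert($event, $fields);
}

if (@ARGV) {
    # Follow a live file such as /var/log/auth.log (needs File::Tail from CPAN).
    require File::Tail;
    my $tail = File::Tail->new(name => $ARGV[0], maxinterval => 5);
    while (defined(my $line = $tail->read)) { handle($line) }
} else {
    # Constructed sample lines, not taken from a real host.
    handle($_) for (
        'Jul 14 02:10:11 gw sshd[2211]: Accepted password for alice from 192.0.2.10 port 51234 ssh2',
        'Jul 14 02:10:15 gw sshd[2215]: Failed password for invalid user bob from 198.51.100.7 port 40022 ssh2',
        'Jul 14 02:10:20 gw CRON[2300]: session opened for user root',
    );
}
```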
