ADMIN - Explore the new world of system administration! Special introductory offer! Order by September 30th to save 10% off the regular subscription price! Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:
network security
system management
troubleshooting
performance tuning
virtualization
cloud computing
on Windows, Linux, Solaris, and popular varieties of Unix.
Charly often gets suggestions and ideas for his column at community get-togethers. Last week, he picked up a tip for an early warning system that quickly secures login attempts.
Some servers I don’t log in to for weeks on end. On machines like this, the danger of intruders being able to log in without my noticing is fairly high. And if attackers do manage to crack open a victim’s computer, they will do everything they can to cover their tracks. This includes removing all traces of the login from the logs, which makes it more or less impossible to ascertain the exact time of the attack and – what’s more important – the attacker’s IP.
This works fine for a standard SSH login from another linux host or a windows host running putty, however I noticed it does not log anything if a user is logging in with a SFTP client package such as Filezilla or any other sftp gui application. I noticed this by mistake when looking at the login (auth) logs on a server.
Can someone advise why this is and how I can capture all logins no matter what the medium is?
Thanks
Keith
Little bug when invoke mail command
Amedeo
Jul 05, 2010 8:00pm GMT
I found a little bug on your code, instead of using who and pipe stout to mail command, if there are more than one users logged, mail command not works, due to new line characters, so i changed your code to this:
echo 'Login on' `hostname` `date` \
`who` | mail -s "Login on `hostname` \
`who |sort -k 3,4 -r | head -1 | awk '{print $5}'`" \ amedeo.salvati@gmail.com
Comments
SFTP clients?
Keith Nov 30, 2010 12:23am GMT
This works fine for a standard SSH login from another linux host or a windows host running putty, however I noticed it does not log anything if a user is logging in with a SFTP client package such as Filezilla or any other sftp gui application. I noticed this by mistake when looking at the login (auth) logs on a server.Can someone advise why this is and how I can capture all logins no matter what the medium is?
Thanks
Keith
Little bug when invoke mail command
Amedeo Jul 05, 2010 8:00pm GMT
I found a little bug on your code, instead of using who and pipe stout to mail command, if there are more than one users logged, mail command not works, due to new line characters, so i changed your code to this:echo 'Login on' `hostname` `date` \
`who` | mail -s "Login on `hostname` \
`who |sort -k 3,4 -r | head -1 | awk '{print $5}'`" \
amedeo.salvati@gmail.com
ciao
amedeo