I'm currently using Gentoo and have the following method of knowing when anyone logs into my server (it's really just me, but if anyone were to gain access, I'd want to know about it).
1) Use sec to monitor logfiles
# SingleWithScript: run the script on every match; 'action' fires when the
# script exits 0, 'action2' when it exits non-zero.
type=SingleWithScript
ptype=RegExp
pattern=Accepted keyboard-interactive/pam for ([a-z]+) from ([0-9.]+) port
script=/root/scripts/userLogin.pl $1 $2
desc=User Login
action=write /var/log/sec/sec.log User Login: $1 has logged in from $2
action2=write /var/log/sec/sec.log Script Failed: User Login: $1 has logged in from $2
2) Script:
#!/usr/bin/perl -w
# Called by SEC with the user name and source address captured from the log line.
use strict;
use Net::SMTP::TLS;

die "usage: $0 USER ADDRESS\n" unless @ARGV == 2;
my ($user, $from_host) = @ARGV;

# Net::SMTP::TLS dies on its own if the connection or login fails; the
# 'or die' covers the case where new() returns false instead.
my $smtp = Net::SMTP::TLS->new('smtp.gmail.com',
    Port     => 587,
    User     => '',      # sending account (left blank in the post)
    Password => '',      # its password (left blank in the post)
    Debug    => 1)
    or die "Could not connect to server\n";

$smtp->mail('');        # envelope sender
$smtp->to('');          # envelope recipient
$smtp->data();
$smtp->datasend("To: \n");
$smtp->datasend("From: \n");
$smtp->datasend("Subject: User Login: $user\n");
$smtp->datasend("\n");
$smtp->datasend("$user has logged in from $from_host\n");
$smtp->dataend();
$smtp->quit;
But I'm worried that my regex isn't broad enough. "Accepted keyboard-interactive/pam" - can logins generate logs that don't match that format?
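To show concretely what the posted regex catches and what it skips, here is an added Python example (not code from the question or from SEC). It runs the question's pattern and a broader one over a few constructed sshd log lines; the user names, addresses and fingerprints are made up, and the three authentication methods shown (keyboard-interactive/pam, publickey, password) are the ones sshd reports in its "Accepted" messages. Console logins never pass through sshd at all, so no sshd regex will see them.

```python
import re

# Constructed sshd log lines for this example (not from the original post).
SAMPLE_LOG = """\
Jan 10 09:12:01 host sshd[2101]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 51022 ssh2
Jan 10 09:13:44 host sshd[2144]: Accepted publickey for deploy-bot from 198.51.100.7 port 40122 ssh2: RSA SHA256:ExampleFingerprintOnly
Jan 10 09:15:09 host sshd[2190]: Accepted password for admin2 from 2001:db8::42 port 39001 ssh2
Jan 10 09:16:30 host sshd[2203]: Failed password for root from 203.0.113.5 port 60000 ssh2
Jan 10 09:17:02 host sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 51030 ssh2: ED25519 SHA256:AnotherMadeUpValue
"""

# The pattern from the question, as posted: one method, lower-case user
# names only, and a character class that only fits IPv4 addresses.
NARROW = re.compile(r"Accepted keyboard-interactive/pam for ([a-z]+) from ([0-9|\.]+) port")

# Broader pattern: any method sshd reports, any user name without
# whitespace, IPv4 or IPv6 source address, plus the client port.
BROAD = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def successful_logins(log_text, pattern=BROAD):
    """Return one dict per line that `pattern` recognises as a successful login."""
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            # NARROW has positional groups only; BROAD has named groups.
            hits.append(m.groupdict() or {"user": m.group(1), "addr": m.group(2)})
    return hits


def missed_by(narrow, broad, log_text):
    """Lines `broad` flags as a login that `narrow` would silently skip."""
    return [line for line in log_text.splitlines()
            if broad.search(line) and not narrow.search(line)]


if __name__ == "__main__":
    for hit in successful_logins(SAMPLE_LOG):
        print(f"{hit['user']} logged in from {hit['addr']} via {hit['method']}")
    print(f"{len(missed_by(NARROW, BROAD, SAMPLE_LOG))} login(s) the posted regex would miss")
```

On the sample, the posted pattern sees one of the four successful logins; the publickey and password logins, the user name with a digit and the IPv6 client all fall through. The "Failed password" line is correctly ignored by both.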
There may be a dedicated PAM module for this but I couldn't find one offhand. You can use pam_exec to execute your script upon user login. See man 8 pam_exec. Basically you just need to modify your script to read the PAM_USER and PAM_TTY environment variables instead of $ARGV and then add

Have you tried using OSSEC? It has rules to analyze the logs in real time and easily report on successful logins, failed logins, first time logins from a specific IP or user, etc.
I have used SEC, logwatch and other tools in the past, but we recently replaced them all with OSSEC. It is very easy to install and I don't have to write my own scripts/regexes, since it is all included by default.
Link: http://www.ossec.net
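Picking up the pam_exec answer above, here is an added Python sketch of what the notification script looks like once it reads PAM's environment instead of $ARGV. It is example code, not from either answer or from the pam_exec project. Besides PAM_USER and PAM_TTY, pam_exec(8) also exports PAM_SERVICE, PAM_RHOST, PAM_RUSER and PAM_TYPE; the example uses PAM_TYPE to act only when a session is opened, because pam_exec otherwise runs the command once for every PAM phase of a single login. The install path in the comment is assumed.

```python
import os
import sys


def login_event(env):
    """Build the notification text for a completed login, or return None.

    pam_exec calls the script for each PAM phase it is configured in (auth,
    account, open_session, close_session, ...), so without this filter one
    SSH login would produce several messages."""
    if env.get("PAM_TYPE") != "open_session":
        return None
    user = env.get("PAM_USER") or "<unknown user>"
    service = env.get("PAM_SERVICE") or "<unknown service>"
    # Network logins (sshd) carry the client address in PAM_RHOST; local
    # logins (login, su) carry a tty name in PAM_TTY instead.
    origin = env.get("PAM_RHOST") or env.get("PAM_TTY") or "<no origin>"
    return f"User Login: {user} via {service} from {origin}"


def notify(env, sink=None):
    """Write the event to `sink` (any object with write()) and return the
    process exit status. Always 0: a broken notifier must never fail a login."""
    sink = sink if sink is not None else sys.stdout
    try:
        message = login_event(env)
        if message is not None:
            sink.write(message + "\n")
    except Exception as exc:  # never let an error propagate back to PAM
        sys.stderr.write(f"login-notify: {exc}\n")
    return 0


if __name__ == "__main__":
    # Assumed PAM line for this example (path not from the page):
    #   session optional pam_exec.so /usr/local/sbin/login-notify.py
    # pam_exec discards the command's stdout unless given log= or stdout,
    # so a real deployment would pass the mail sender or an opened log
    # file as the sink instead of sys.stdout.
    sys.exit(notify(os.environ))
```

With the script registered in the session stack, the same notifier covers sshd, console and su logins, which is the coverage the sshd-only regex in the question cannot give. pam_exec's own `type=` option can restrict the call type as well; the in-script check keeps the behaviour correct even when the module is also listed in the auth or account stacks.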