[kwlug-disc] cron job, alert

Paul Nijjar paul_nijjar at yahoo.ca
Wed Dec 29 21:16:38 EST 2010


On Wed, Dec 29, 2010 at 08:47:35PM -0500, Insurance Squared Inc. wrote:
> How would I set up an email alert to go off every time someone logs on  
> to my server, or a specific user logs on?

I was hoping that you could use something like inotify or incron
(which monitor filesystem changes) to tell you this information, but
maybe you need a full-blown log watcher. There are a lot of them out
there. In my experience none of them are trivial to configure. 

I use a program called "tenshi". I don't like it much, but I am too
lazy to find something better.  Tenshi comes preconfigured with events
to look for ssh and login events (but you will want to tweak the
reports so they mail you immediately rather than once every two
hours). 

To configure tenshi, you install the program and configure a "queue".
Then you have rules that match regular expressions in your log files.
When a rule matches it goes to a queue you specify. Here is an example
from the given files: 

report   ^login\(pam_unix\): session opened for user (.+)

This means: when you see the string "login (pam_unix): session closed
for user" in a logfile you are watching, send it to the "report"
queue. If you changed that queue to the "critical" queue then you
would get immediate alerts (assuming you configure that queue with
your proper e-mail address). 


> My webserver got hacked and until I can get it cleaned up I'd like  
> notification if someone logs on.  (looks like they brute forced my  
> password, though I'm a bit surprised they can do that).
>

Do you know how they got in? If it was an SSH attack then I hope you
are running something like DenyHosts or fail2ban (actually I kind of
hope you weren't running DenyHosts, because if they broke in while you
had such protection then I will be frightened for my own servers). 

- Paul

-- 
http://pnijjar.freeshell.org 



More information about the kwlug-disc_kwlug.org mailing list