SSH "Login monitor" for Linux

Tags: linux, ssh

I'm trying to write a script that informs the user when someone has logged in on the machine via ssh.

My current idea is to parse the output of "w" using grep in intervals.

But that's neither elegant nor performant. Has anyone got a better idea how to implement such a program?

Any help would really be appreciated!

Chris asked Jan 13 '09 19:01


5 Answers

Paul Tomblin has the right suggestion.

Set up logging in your sshd_config to point to a syslog facility that you can log separately:

=> see man 3 syslog for more facilities. Choose one like e.g.

# Logging
SyslogFacility local5
LogLevel INFO

Then set up your syslog.conf like this:

local5.info    |/var/run/mysshwatcher.pipe

Add the script you're going to write to /etc/inittab so it keeps running:

sw0:2345:respawn:/usr/local/bin/mysshwatcher.sh

then write your script:

#!/bin/sh

P=/var/run/mysshwatcher.pipe
test -p "$P" || mkfifo "$P"

# Block on the pipe; every line syslogd writes to it becomes one message.
# The loop ends when syslogd closes the pipe, and init's "respawn" restarts it.
while IFS= read -r x; do
  # ... whatever, e.g.:
  echo "ssh info: $x" | wall
done <"$P"

Finally, restart your syslogd and get your inittab reloaded (init q) and it should work. If other variants of these services are used, you need to configure things accordingly (e.g. newsyslogd => /etc/newsyslog.conf; Ubuntu: /etc/event.d instead of inittab)

This is very rudimentary and lacking, but should be enough to get you started ...

more info: man sshd_config for more logging options/verbosity.

mjy answered Nov 13 '22 11:11
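As an added example (this is not mjy's script, and not part of the original answer), here is a fuller version of the FIFO reader from the steps above: it still blocks on the pipe that syslog.conf points at, but only raises an alert for sshd's "Accepted <method> for <user> from <ip> port <port>" lines, parsed into user, source address and authentication method, so failed attempts and other noise on the same facility are ignored. The two log lines in demo() are constructed samples, not real log data.

```shell
#!/bin/sh
# Added example, not mjy's script: the FIFO reader from the answer above, extended
# to alert only on sshd "Accepted <method> for <user> from <ip> port <port>" lines.
# The pipe path and syslog facility are the ones the answer configures.

PIPE=${PIPE:-/var/run/mysshwatcher.pipe}

# parse_ssh_login LINE: print "user=U from=IP method=M" and return 0 for a
# successful-login line; return 1 and print nothing for anything else
# (failed attempts, disconnects, other daemons sharing the facility).
parse_ssh_login() {
    line=$1
    case $line in
        *"sshd["*"]: Accepted "*" for "*" from "*" port "*) ;;
        *) return 1 ;;
    esac
    rest=${line#*"]: Accepted "}   # "publickey for alice from 10.0.0.5 port 51234 ssh2"
    method=${rest%% *}             # publickey
    rest=${rest#* for }            # "alice from 10.0.0.5 port 51234 ssh2"
    user=${rest%% from *}          # alice
    rest=${rest#* from }           # "10.0.0.5 port 51234 ssh2"
    ip=${rest%% port *}            # 10.0.0.5
    printf 'user=%s from=%s method=%s\n' "$user" "$ip" "$method"
}

# monitor: block on the pipe syslogd writes to and broadcast each login.
# Exits when syslogd closes the pipe; init's "respawn" starts it again.
monitor() {
    test -p "$PIPE" || mkfifo -m 600 "$PIPE"
    while IFS= read -r x; do
        alert=$(parse_ssh_login "$x") || continue
        echo "ssh login: $alert" | wall
    done <"$PIPE"
}

# demo: run the parser over two constructed sample lines (not real log data).
demo() {
    printf '%s\n' \
      'Jan 13 19:01:02 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2' \
      'Jan 13 19:01:09 host sshd[1235]: Failed password for root from 192.0.2.7 port 40000 ssh2' |
    while IFS= read -r l; do parse_ssh_login "$l" && echo matched || echo skipped; done
}

if [ "${1-}" = "--monitor" ]; then monitor; fi
```

Run it with `--monitor` from inittab in place of the bare script; without arguments it only defines the functions, so `demo` can be called to check the parser offline.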


On Ubuntu (and I'd guess all other Debian distros, if not all Linuces), the file /var/log/auth.log records successful (and unsuccessful) login attempts:

sshd[XXX]: pam_unix(sshd:session): session opened for user XXX

You could set up a very simple monitor using this command (note that you have to be root to see the auth log):

sudo tail -F /var/log/auth.log | grep sshd

kdgregory answered Nov 13 '22 12:11


If you do not care how they logged in (telnet/ssh), the 'last' Unix command line utility shows you the last few logins in the machine. Remote users will show the IP address.

[root@ex02 www]# last
foo pts/1 81.31.x.y Sun Jan 18 07:25 still logged in
foo pts/0 81.31.x.y Sun Jan 18 01:51 still logged in
foo pts/0 81.31.x.y Sat Jan 17 03:51 - 07:52 (04:00)
bar pts/5 199.146.x.y Fri Jan 16 08:57 - 13:29 (04:32)

Daniel Lopez answered Nov 13 '22 12:11


Set up a named pipe, and set up a log file parser to listen to it, and send the ssh messages to it. The log file parser can do what you want, or signal to a daemon to do it.

Redirecting the log file is done in a config file in /etc/ whose name escapes me right now. /etc/syslog.conf, I think.

Paul Tomblin answered Nov 13 '22 11:11


I have made a program (which I call Authentication Monitor) that solves the task described in the question.

If you want to, you are more than welcome to download it to investigate how I solve this problem (using log-files).

You can find Authentication Monitor freely available here: http://bwyan.dk/?p=1744

Brian René Jensen answered Nov 13 '22 10:11