So, I had an idea to make my own monitoring
with b / w and w .
I needed to monitor successful ssh logins (and uses of sudo) and be notified about them. For notifications I chose the centerim messenger (in Debian and similar distributions the package is called centericq-utf8). The screen package is also needed.
aptitude install screen centericq-utf8
Let's get started
After installing the package (in my case, building the ebuild), I created a jabber user with the home directory /home/jabber.
After that I changed the user to jabber:
su - jabber
Launched centerim-utf8.
centerim-utf8
Set up an ICQ account (a new UIN can be obtained here -
https://www.icq.com/register/)
I checked that the number appeared online and exited the messenger.
Then I returned to the superuser.
exit
I started the messenger as root in a new screen session. (According to the site, there is no other way to daemonize centerim.)
su - jabber -c "screen -d -m /usr/bin/centerim"
After that, I wrote the following script and put it in cron to run once a minute:
authmon.sh
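#!/bin/bash
# Log file to watch
LOG=/var/log/messages
# Path to centerim
CIM=/usr/bin/centerim
# Number of lines to read from the end of $LOG
N=20
# What to look for
EXPR="sshd|sudo"
# File that stores the md5 of the last reported line
MDFILE=/home/jabber/mon/auth.md5
# File with the text of the message to send
TXTFILE=/home/jabber/mon/auth.txt
# Temporary file for the current matches
TXTFILE2=/home/jabber/mon/auth.new
# User that centerim runs as
JABBERUSER=jabber
# Protocol centerim should use
PROTO=icq
# UIN that receives the notification
UIN=288611
# Lines matching this expression are not reported
EXCL='munin|Invalid|getaddrinfo|identification string|POSSIBLE BREAK-IN ATTEMPT'

# Hash stored by the previous run (empty on the first run)
OLD=$(cat "$MDFILE" 2>/dev/null)
tail -n "$N" "$LOG" | grep -E "$EXPR" | grep -v -E "$EXCL" > "$TXTFILE2"
# Hash of the newest matching line
READ=$(tail -n 1 "$TXTFILE2" | md5sum | awk '{print $1}')
if [ "$READ" == "$OLD" ]; then
    exit 0
else
    echo "$READ" > "$MDFILE"
    cat "$TXTFILE2" > "$TXTFILE"
    su - "$JABBERUSER" -c "cat $TXTFILE | $CIM -s msg -p $PROTO -t $UIN"
fi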
There is plenty of room for experimentation and refinement, but I decided to stop and leave everything as it is: it all works, more or less.
In general, the point of this article is that if someone else's bike does not suit you, you can always build your own.
Thanks for your attention. If you have questions, I will be glad to answer in the comments.
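Added example, not part of the original script: authmon.sh hashes only the newest matching line within the last $N lines, so a burst of more than N log lines between cron runs drops events, and every change re-sends the whole window. The function below instead remembers the log's inode and byte offset and prints only matching lines appended since the previous call, starting over after rotation or truncation. The function names, the state-file format and the match pattern are assumptions, as is GNU coreutils for `stat -c`.

```bash
#!/bin/bash
# Added example (not the author's script): print only the auth lines that were
# appended to a log since the previous call. Paths are supplied by the caller.

# Successful SSH logins and sudo command lines (OpenSSH / sudo syslog wording)
PATTERN='sshd\[[0-9]+\]: Accepted |sudo(\[[0-9]+\])?: .*COMMAND='

# new_auth_lines LOG STATE
# STATE stores "<inode> <bytes already read>" between runs.
new_auth_lines() {
    local log=$1 state=$2 inode size old_inode=0 offset=0
    inode=$(stat -c %i "$log") || return 1
    size=$(stat -c %s "$log") || return 1
    if [ -r "$state" ]; then
        read -r old_inode offset < "$state" || true
    fi
    # Rotated (inode changed) or truncated (file shrank): start from byte 0
    if [ "$inode" != "$old_inode" ] || [ "$size" -lt "${offset:-0}" ]; then
        offset=0
    fi
    # Bytes offset+1..size are new; bound the read so the saved offset is exact
    tail -c +"$((offset + 1))" "$log" | head -c "$((size - offset))" |
        grep -E "$PATTERN" || true
    printf '%s %s\n' "$inode" "$size" > "$state"
}

# Constructed sample lines (not real log data) for trying the function out
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 host sshd[811]: Invalid user test from 192.0.2.7
Jan 10 10:00:09 host sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50522 ssh2
Jan 10 10:01:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample_log "$dir/messages"
    new_auth_lines "$dir/messages" "$dir/state"   # prints the two matching lines
    new_auth_lines "$dir/messages" "$dir/state"   # prints nothing: no new data
    rm -rf "$dir"
fi
```

In cron, the output of `new_auth_lines` would be piped to the messenger only when it is non-empty.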