
I'm trying to write a script that informs the user when someone has logged in on the machine via ssh.

My current idea is to parse the output of "w" using grep in intervals.

But that's neither elegant nor performant. Has anyone got a better idea how to implement such a program?

Any help would really be appreciated!

+3  A: 

Set up a named pipe, and set up a log file parser to listen to it, and send the ssh messages to it. The log file parser can do what you want, or signal to a daemon to do it.

Redirecting the log file is done in a config file in /etc/ whose name escapes me right now. /etc/syslog.conf, I think.

Paul Tomblin
+6  A: 

On Ubuntu (and I'd guess all other Debian distros, if not all Linuces), the file /var/log/auth.log records successful (and unsuccessful) login attempts:

sshd[XXX]: pam_unix(sshd:session): session opened for user XXX

You could set up a very simple monitor using this command (note that you have to be root to see the auth log):

sudo tail -F /var/log/auth.log | grep sshd
kdgregory
Or you could just use "tail -F".
Paul Tomblin
Excellent point - I didn't know about that option
kdgregory
I've known unix admins who do just about this same thing, for detecting logins as root to their boxen. If anyone logs in as root, an e-mail is sent to their pager. Very useful, but occasionally amusing as every time they got into serious maintenance and opened a root shell, they'd get a page...
Adam Bellaire
+7  A: 

Paul Tomblin has the right suggestion.

Set up logging in your sshd_config to point to a syslog facility that you can log separately:

=> see man 3 syslog for more facilities. Choose one like e.g.

# Logging
SyslogFacility local5
LogLevel INFO

Then set up your syslog.conf like this:

local5.info    |/var/run/mysshwatcher.pipe

Add the script you're going to write to /etc/inittab so it keeps running:

sw0:2345:respawn:/usr/local/bin/mysshwatcher.sh

then write your script:

#!/bin/sh

P=/var/run/mysshwatcher.pipe
test -p "$P" || mkfifo "$P"   # create the fifo that syslogd writes into

while read -r x <"$P"; do
  # ... whatever, e.g.:
  echo "ssh info: $x" | wall
done

Finally, restart your syslogd and get your inittab reloaded (init q) and it should work. If other variants of these services are used, you need to configure things accordingly (e.g. newsyslogd => /etc/newsyslog.conf; Ubuntu: /etc/event.d instead of inittab)

This is very rudimentary and lacking, but should be enough to get you started ...

more info: man sshd_config for more logging options/verbosity.

mjy
Yes, this is almost exactly what I did at my last job, except I used perl to watch the pipe. I would have posted more details except my source code is at home.
Paul Tomblin
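As an added example (not code from any of the answers above), here is a POSIX sh reader that serves both kdgregory's tail -F approach and mjy's named-pipe setup: it extracts the user from the pam_unix "session opened" line quoted above and, assuming sshd's standard "Accepted <method> for <user> from <addr> port <n>" line that LogLevel INFO produces, also the source address and auth method. The pipe path /var/run/mysshwatcher.pipe is taken from mjy's answer; the sample log lines are constructed.

```shell
#!/bin/sh
# Reader for ssh login notices. Feed it either from the syslog fifo
# (--watch) or from "tail -F /var/log/auth.log | mysshwatcher.sh --stdin".
PIPE=${PIPE:-/var/run/mysshwatcher.pipe}   # path from mjy's answer (assumption)

# Print the user name from a pam_unix "session opened for user X" line, else nothing.
ssh_login_user() {
  printf '%s\n' "$1" |
    sed -n 's/.*sshd\[[0-9]*\]: pam_unix(sshd:session): session opened for user \([^ ]*\).*/\1/p'
}

# Print "user addr method" from sshd's "Accepted <method> for <user> from <addr> port <n>"
# line (assumed standard sshd wording at LogLevel INFO), else nothing.
ssh_accept_info() {
  printf '%s\n' "$1" |
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([^ ]*\) for \([^ ]*\) from \([^ ]*\) port [0-9]*.*/\2 \3 \1/p'
}

# Turn one syslog line into a one-line notice; prints nothing for unrelated lines.
notice_for_line() {
  line=$1
  info=$(ssh_accept_info "$line")
  if [ -n "$info" ]; then
    set -- $info                      # split into user, source address, auth method
    printf 'ssh login: %s from %s via %s\n' "$1" "$2" "$3"
  else
    u=$(ssh_login_user "$line")
    [ -n "$u" ] && printf 'ssh session opened: %s\n' "$u"
  fi
  return 0
}

# Read syslog lines on stdin and broadcast a notice for each login (wall, as in mjy's script).
watch_lines() {
  while read -r line; do
    msg=$(notice_for_line "$line")
    [ -n "$msg" ] && printf '%s\n' "$msg" | wall
  done
}

# Create the fifo syslogd writes into and reopen it whenever syslogd closes its end.
watch_pipe() {
  test -p "$PIPE" || mkfifo -m 600 "$PIPE"
  while :; do watch_lines <"$PIPE"; done
}

case "${1:-}" in
  --watch) watch_pipe ;;
  --stdin) watch_lines ;;
esac
```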
+1  A: 

If you do not care how they logged in (telnet/ssh), the 'last' Unix command line utility shows you the last few logins on the machine. Remote users will show the IP address.

[root@ex02 www]# last
foo      pts/1   81.31.x.y     Sun Jan 18 07:25   still logged in
foo      pts/0   81.31.x.y     Sun Jan 18 01:51   still logged in
foo      pts/0   81.31.x.y     Sat Jan 17 03:51 - 07:52  (04:00)
bar      pts/5   199.146.x.y   Fri Jan 16 08:57 - 13:29  (04:32)

Daniel Lopez