notification when wrong ssh

Hello, I am trying to receive notifications when someone enters wrong ssh credentials.

In /etc/pam.d/sshd I add
Code:
auth    optional    pam_exec.so /usr/local/bin/alert.sh
then -> chmod +x /usr/local/bin/alert.sh

In the file I have
Code:
#!/bin/sh
# Called by pam_exec.so; PAM_USER, PAM_RHOST and PAM_SERVICE are set in the environment by PAM
echo "SSH auth failure: User=$PAM_USER From=$PAM_RHOST  SERVICE:$PAM_SERVICE on HOST:$(hostname)" \
  | mail -s "FreeBSD SSH Auth Fail" my_maildot@

It works, but I receive mail for both correct and incorrect logins.
How do I make it send mail only for wrong logins?
 
The 'auth' facility is always executed here, regardless of whether the authentication was successful or not.

It's probably a bad idea anyway, if some brute-forcer comes around your mailbox will get spammed with hundreds of login failure emails. That will only exacerbate the situation.
 
Good point SirDice! Always think about the possible aftermath as well. While waiting for some file systems to sync I can't help but wonder: why not utilize blacklistd as well for all this? It shouldn't be too hard to hook into this I think.
 
I found another solution
Code:
/usr/local/bin/failed_login_alert.sh
#!/bin/sh
LOGFILE="/var/log/auth.log"
PATTERN="PAM: Authentication error"
EMAIL="my_mail@"

# -n0 skips the existing contents, -F keeps following the file across log rotation
tail -n0 -F "$LOGFILE" | while IFS= read -r LINE; do
    # mail only the lines that match the PAM failure pattern
    if echo "$LINE" | grep -q "$PATTERN"; then
        echo "$LINE" | mail -s "❗ Failed SSH Login Alert on $(hostname)" "$EMAIL"
    fi
done

After that I run the script with
nohup /usr/local/bin/failed_login_alert.sh >/dev/null 2>&1 &

But I think pam.d is the better way; I just can't work out what I should do there.
So if there is an option using pam.d/sshd, I prefer it.
I am aware of mail spamming, I just want to be alerted on that machine.

Thanks in advance !
 
I found another solution
You know you can have syslog pipe directly to a shell script? That's how sshguard(8) originally worked. You'd still need to do some parsing but it doesn't require having a process running in the background tail(1)'ing a log file.

Code:
security.*                                      | /usr/local/bin/failed_login_alert.sh
Code:
     •   A vertical bar (“|”), followed by a command to pipe the selected
         messages to.  The command is passed to sh(1) for evaluation, so usual
         shell metacharacters or input/output redirection can occur.  (Note
         however that redirecting stdio(3) buffered output from the invoked
         command can cause additional delays, or even lost output data in case
         a logging subprocess exited with a signal.)  The command itself runs
         with stdout and stderr redirected to /dev/null.  Upon receipt of a
         SIGHUP, syslogd(8) will close the pipe to the process.  If the
         process did not exit voluntarily, it will be sent a SIGTERM signal
         after a grace period of up to 60 seconds.
syslog.conf(5)

I am aware of mail spaming, just want to be alert on that machine
Ehm, just enable blacklistd(8), sshguard(8) or fail2ban(1). And keep an eye on the daily periodic(8) security (/etc/periodic/security/800.loginfail) emails.

And why be interested in failed attempts? Besides spamming your log files they're not going to harm your system, 'they' didn't get in, the attempt FAILED. So why be bothered by that? It's the successful ones you need to watch out for. And there's also a category of attacks that somehow managed to circumvent your security, those aren't going to show up at all.
 
I tried this in /etc/syslog.conf
security.* | /usr/local/bin/failed_login_alert.sh
then restarted the syslog process, but nothing appears in the console logs on bad ssh attempts, so no mail is sent.

Am I doing something wrong, or do I just not get the concept?
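As an added example (not a script from this thread), here is a failed_login_alert.sh written for the syslog pipe described above: syslogd delivers the selected messages on the script's stdin, so it reads stdin instead of tailing auth.log, and it caps the number of mails per time window so a brute-force run does not flood the mailbox. The recipient, the cap and the window length (EMAIL, MAX_PER_WINDOW, WINDOW_SECS) are assumptions set through environment variables.

```shell
#!/bin/sh
# Added example, not the thread's script: syslogd pipes matching lines to
# this script's stdin via "security.* | /usr/local/bin/failed_login_alert.sh",
# so it must read stdin rather than tail(1) a file.

PATTERN="PAM: Authentication error"
EMAIL="${EMAIL:-root}"                    # assumption: where alerts go
MAX_PER_WINDOW="${MAX_PER_WINDOW:-5}"     # assumption: mails allowed per window
WINDOW_SECS="${WINDOW_SECS:-600}"         # assumption: window length in seconds

# is_failure LINE: succeed only for PAM authentication failures
is_failure() {
    case "$1" in
        *"$PATTERN"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# should_alert NOW: succeed while under the per-window cap; excess
# failures are counted but not mailed, so a brute-force run cannot
# flood the mailbox (the concern raised earlier in the thread)
WIN_START=0; WIN_COUNT=0
should_alert() {
    if [ $(($1 - WIN_START)) -ge "$WINDOW_SECS" ]; then
        WIN_START=$1
        WIN_COUNT=0
    fi
    WIN_COUNT=$((WIN_COUNT + 1))
    [ "$WIN_COUNT" -le "$MAX_PER_WINDOW" ]
}

send_alert() {
    printf '%s\n' "$1" | mail -s "Failed SSH login on $(hostname)" "$EMAIL"
}

# process_stream: filter stdin line by line; suppressed lines are still
# in auth.log, so nothing is lost, only the mail is held back
process_stream() {
    while IFS= read -r line; do
        is_failure "$line" || continue
        should_alert "$(date +%s)" && send_alert "$line"
    done
}

# Run the loop only when installed under the intended name, so the
# functions above can be sourced and exercised without a live syslogd
case "$0" in
    */failed_login_alert.sh) process_stream ;;
esac
```

Install it as /usr/local/bin/failed_login_alert.sh, make it executable, and restart syslogd after adding the pipe rule; a failed attempt then arrives on the script's stdin rather than being looked for in a file.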
 