Can I add 'successful logins' to my Security Run output?

Hi Guys

I have the output of the cron Security Run being emailed to me and it is showing a lot of failed ssh attempts. This is all well and good, and denyhosts takes care of most of that concern, but I need to know if any of these ever actually gets through. Since I am the only person who logs into it, it would be pretty easy to tell if someone else has managed to log in.

Is it possible to have the output of the Security run include successful attempts?

I have looked at /etc/periodic.conf but there are no switches that seem to correspond to what I am looking for.

Thanks for your time, sorry if this is in the wrong forum, but I figure firewalls are the closest thing to a security forum here.



D
 
What is the difference between the command Dies_Irae suggested, and last? I noticed that not all entries returned by egrep 'sshd\[[0-9]+\]: Accepted' /var/log/auth.log are seen when using last, but I cannot work out what is systematically being filtered out.
 
Has anyone added a file to /etc/periodic/daily that lists successful logins for only the previous day, to be consistent with the other periodic files? egrep 'sshd\[[0-9]+\]: Accepted' /var/log/auth.log lists all successful logins within the auth.log file, which can contain information from multiple days. If someone has a script around, it would be much appreciated if it could be shared here.

Another comment: I am curious to know why such a feature is not part of the default set of periodic scripts? This could be extremely useful: for example, for servers which are typically accessed by a user base from a particular country, or by only a few users. Any IP/location which stands out from the norm can be investigated.
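
Added example (not from either poster and not a stock FreeBSD periodic script): one way to write the daily script asked for above, printing only the previous day's accepted sshd logins using the same "Accepted" pattern as the egrep command. The file name 460.ssh-accepted, the function names and the AUTH_LOG override are assumptions, and it assumes the traditional syslog line format shown in the comment.

```shell
#!/bin/sh
# Hypothetical install path: /etc/periodic/daily/460.ssh-accepted
# Expected line format (traditional syslog, constructed sample):
#   Mar  4 08:30:00 host sshd[901]: Accepted password for bob from 198.51.100.23 port 51000 ssh2

# Read syslog lines on stdin and print accepted sshd logins for one day.
# $1 = month abbreviation (e.g. Mar), $2 = day of month (e.g. 4)
accepted_on_day() {
    awk -v mon="$1" -v day="$2" '
        # $1=month $2=day $3=time $4=host $5=sshd[pid]: $6=Accepted
        # $7=method $8=for $9=user $10=from $11=source address
        $1 == mon && $2 == day && $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" {
            printf "%s %s %s user=%s from=%s method=%s\n", $1, $2, $3, $9, $11, $7
        }'
}

# Yesterday as "Mon D" in the C locale, matching syslog month names.
# BSD date(1) takes -v-1d; GNU date takes -d yesterday.
yesterday() {
    LC_ALL=C date -v-1d '+%b %e' 2>/dev/null || LC_ALL=C date -d yesterday '+%b %e'
}

# AUTH_LOG is an assumed override for testing against another file.
log="${AUTH_LOG:-/var/log/auth.log}"
if [ -r "$log" ]; then
    # Word splitting turns "Mar  4" into $1=Mar $2=4
    set -- $(yesterday)
    echo "Accepted ssh logins for $1 $2:"
    accepted_on_day "$1" "$2" < "$log"
fi
```

If auth.log was rotated since yesterday, the matching entries are in the rotated file rather than the live one, so that file has to be fed to accepted_on_day as well. Traditional syslog timestamps carry no year, so a log spanning more than twelve months would also match the same date from the previous year.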
 