send an email when the root password failed
bueno 01-16-2004, 12:50 PM I am wondering if there is a way to set up the server to send me an email when the root password failed to authenticate.
This way I would know if there's someone trying to guess the root password instead of checking /var/log/secure.
thanks
RandallKent 01-16-2004, 01:23 PM You could always write a bash script and put it in the cron.
-Randy
bueno 01-16-2004, 01:56 PM I need some info about the way in which Linux knows if the root password failed to authenticate :D
Steven 01-24-2004, 09:04 PM you can use logwatch, and it sends an email daily on all kinds of vital stats
SEATi 01-24-2004, 10:10 PM It's simpler than that... just do a shell script (or even better, use perl or php) to run the following commands:
grep "BAD SU" /var/log/messages
and
grep "Authentication failure" /var/log/messages
Try to log into your server using an incorrect password and see what it adds to the logfiles.
bueno 01-24-2004, 10:41 PM thelinuxguy, but it won't send me an email at the time of guessing the password if it happens
SEATi, I know how to do that manually, but I won't be able to monitor the logs all the time
putting a bash script in the cron won't be a good solution since the cron has to be run every minute or so
SEATi 01-24-2004, 11:10 PM Why wouldn't placing the script in a cron be a good solution? You can use */5 to have the script running every 5 minutes (or */1 to have it run every minute).
A perl/php script should process your entire logfile in no more than 5 seconds.
bueno 01-24-2004, 11:52 PM thanks SEATi
can anyone give any idea on how to write such a script
SEATi 01-25-2004, 01:00 AM You need to use some REGEX to achieve that, so it would be really useful if you could post 2 lines from your logfile, the first would be a failed su to root, and the second one would be a failed ssh login.
you might want to use logsurfer http://www.cert.dfn.de/eng/logsurf/
bueno 01-25-2004, 09:49 AM Originally posted by SEATi
You need to use some REGEX to achieve that, so it would be really useful if you could post 2 lines from your logfile, the first would be a failed su to root, and the second one would be a failed ssh login.
This log is taken from /var/log/secure
Jan 25 13:46:13 servername sshd[7874]: Failed password for root from XXX.XXX.XXX.XXX port 3051 ssh2
sigma 01-25-2004, 11:45 AM Originally posted by bueno
I am wondering to know if there is a way to set up the server to send me an email when the root password failed to authenticate
This way I would know if there's someone trying to guess the root password instead of checking /var/log/secure.
I'm surprised no one has asked - what's the point? Disallow root login via SSH and then ignore the logs. A real threat to your server isn't going to come from someone who tries to guess the root password. It's going to come from insecure software, unpatched daemons, exploits via your users' accounts, exploits via your users themselves, etc.
You're looking in completely the wrong place in terms of improving server security.
Kevin
SEATi 01-25-2004, 03:44 PM Let's take your line...
Jan 25 13:46:13 servername sshd[7874]: Failed password for root from XXX.XXX.XXX.XXX port 3051 ssh2
The PHP code would be something like:
<?php
/* Assign the filename + path */
$file = "/var/log/secure";
/* Open the file read-only */
$open = fopen($file, "r");
/* Read the whole file */
$read = fread($open, filesize($file));
/* Close the file */
fclose($open);
/* Split by lines looking for breaks */
$eachline = explode("\n", $read);
/* Parse each line */
foreach ($eachline as $line) {
    /* preg_match() needs delimiters around the pattern */
    if (preg_match("/Failed password for root/", $line)) {
        /* Split on spaces: 0=month 1=day 2=time 3=host 4=sshd[pid]: ... 10=IP */
        $somedata = explode(" ", $line);
        /* Print the results */
        echo("Failed root login\n");
        echo("Date: " . $somedata[0] . " " . $somedata[1] . "\n");
        echo("Time: " . $somedata[2] . "\n");
        echo("IP: " . $somedata[10] . "\n");
    }
}
?>
You can change the commands in the "print the results" section for a mail function, that way you would have that info sent to your mailbox.
Hope this helps
bueno 01-25-2004, 06:57 PM Originally posted by sigma
I'm surprised no one has asked - what's the point? Disallow root login via SSH and then ignore the logs. A real threat to your server isn't going to come from someone who tries to guess the root password. It's going to come from insecure software, unpatched daemons, exploits via your users' accounts, exploits via your users themselves, etc.
You're looking in completely the wrong place in terms of improving server security.
Kevin
I am not looking to improve my server security :cool:
I know where the hacker will come from, I just want to catch stupid hackers who are trying to play around with my server, that's all :D
YUPAPA 01-25-2004, 08:42 PM Here is a simple command that mails you when someone logs in and fails to log in
grep root /var/log/messages | mail you@yourdomain.com
I can do one in perl that uses regexp to just get the ones that failed to log in.. :penguin:
bueno 01-25-2004, 09:16 PM thanks SEATi, your clean piece of code is working fine :)
YUPAPA's command does the job :D thanks to you too ;)
SEATi 01-26-2004, 08:51 PM Nice to know it was useful, I didn't test it as I wrote it directly here, but I'm glad that I didn't do any typos :)
By the way, you can add the following line at the beginning:
#!/path/to/php -q
That way you can chmod it 755 to make it executable and it won't show the HTML/HTTP headers.
After doing so you can add it to a cron with:
(as root)
crontab -e
*/5 * * * * /path/to/your/script.php > /dev/null
That way it will run every 5 minutes and every output will be discarded.
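An added example (not from anyone in this thread) that puts the two pieces above together as one shell script for the cron job: the log parsing SEATi's PHP does and the every-5-minutes schedule. Because the PHP version reads the whole of /var/log/secure on each run, a cron job would mail the same old lines every 5 minutes; this script remembers how many bytes it has already processed in a state file and only reports lines appended since the last run, restarting from the top when the log has been rotated. The log path, state-file path and recipient address are assumptions you would change; the sample log lines in demo() are constructed, using the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example: mail only the *new* "Failed password for root" lines since the last run.
# LOGFILE, STATEFILE and MAILTO are assumed defaults; override them in the environment.
LOGFILE="${LOGFILE:-/var/log/secure}"
STATEFILE="${STATEFILE:-/var/tmp/failed-root.offset}"
MAILTO="${MAILTO:-you@yourdomain.com}"

# Read syslog lines on stdin and print "Mon DD HH:MM:SS IP" for each failed root login.
# Fields follow the line quoted in the thread:
#   Jan 25 13:46:13 host sshd[7874]: Failed password for root from 192.0.2.10 port 3051 ssh2
extract_failed_root() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        printf "%s %s %s %s\n", $1, $2, $3, ip
    }'
}

# Print the part of log file $1 appended since the byte offset stored in $2,
# then advance the offset. If the file is smaller than the offset it was rotated,
# so start again from byte 0.
new_lines() {
    log="$1"; state="$2"
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -lt "$last" ] && last=0
    tail -c +"$((last + 1))" "$log"
    echo "$size" > "$state"
}

# The cron entry point: build the report and mail it only when there is something new.
run_report() {
    body=$(new_lines "$LOGFILE" "$STATEFILE" | extract_failed_root)
    [ -n "$body" ] || return 0                      # nothing new: no mail, no noise
    printf 'Failed root logins on %s:\n\n%s\n' "$(hostname)" "$body" \
        | mail -s "Failed root login on $(hostname)" "$MAILTO"
}

# Offline demonstration on a constructed log: two failed root logins and one
# unrelated successful login. Prints the two extracted lines and mails nothing.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Jan 25 13:46:13 servername sshd[7874]: Failed password for root from 192.0.2.10 port 3051 ssh2' \
        'Jan 25 13:46:20 servername sshd[7880]: Accepted password for bob from 192.0.2.11 port 3052 ssh2' \
        'Jan 25 13:47:02 servername sshd[7891]: Failed password for root from 192.0.2.12 port 3060 ssh2' \
        > "$dir/secure"
    new_lines "$dir/secure" "$dir/offset" | extract_failed_root
    rm -rf "$dir"
}

case "${1:-}" in
    --run)  run_report ;;
    --demo) demo ;;
esac
```

Install it with chmod 755 and use SEATi's crontab line with `--run` added, e.g. `*/5 * * * * /path/to/failed-root-mail.sh --run > /dev/null`; run it by hand with `--demo` first to see the parsed output. The state file is the important part: without it a 5-minute cron job re-reports every old failure each time it fires.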
bueno 01-26-2004, 11:41 PM Thanks SEATi
I will give it a try