First shell script-monitors rogue logons to remote servers


I recently learned about Linux system logs and scheduled tasks, and on the subway home from work I had an idea: try writing my own first script to monitor whether there are malicious logins to the server and send an email to notify the administrator. I have not yet learned how to send email to the administrator, so for now there are only command-line reminders and logging. The script is fairly simple and uses only the basics I have learned so far.


1. First, write the script:

Define a variable LT whose value is the number of lines printed by the lastb command (that is, the number of failed logins; if there is a malicious login attempt, the number of lines grows);

Run an if statement: if the value is greater than 15, treat it as a malicious login and notify the administrator.

The script reads as follows:

[email protected] ~]# cat lt.sh
#!/bin/bash
# define the variable LT and record the number of failed logins
LT=`lastb | wc -l | cut -d ' ' -f 1`
# if the number of failed logins is greater than 15, do the following
if [ "$LT" -gt 15 ]
then
    # print: somebody is trying to log in to the system, please check the log
    echo "Somebody try to login, please check log"
fi


2. Write a scheduled task

Run the script above automatically every minute:

[email protected] ~]# crontab -l
*/1 * * * * /bin/sh /root/lt.sh


3. Viewing the effect

Once there are more than 15 failed logins, the command line prompts that there is new mail under /var/spool/mail/root (cron mails the script's output to root):

[email protected] ~]# You have new mail in /var/spool/mail/root


Check the new mail and you will find the script's message, showing that someone is trying to log on to the host:

[email protected] ~]# tail -2 /var/spool/mail/root
Somebody try to login, please check log


Run the lastb command and you can see many login failure records:

[[email protected] ~]# lastb | head
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:04 - 22:04  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:04 - 22:04  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 21:29 - 21:29  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 21:29 - 21:29  (00:00)
user1    ssh:notty    192.168.22.1     Tue Apr 21 21:29 - 21:29  (00:00)


Viewing the /var/log/secure log also shows records of repeated login failures:

Apr 21 22:03:35 localhost unix_chkpwd[1501]: password check failed for user (user1)
Apr 21 22:03:35 localhost sshd[1499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.22.1 user=user1
Apr 21 22:03:36 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:39 localhost unix_chkpwd[1502]: password check failed for user (user1)
Apr 21 22:03:41 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:44 localhost unix_chkpwd[1503]: password check failed for user (user1)
Apr 21 22:03:46 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:49 localhost unix_chkpwd[1504]: password check failed for user (user1)
Apr 21 22:03:51 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:52 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:54 localhost sshd[1500]: Received disconnect from 192.168.22.1: 0:


Based on the source IP in the log, we can add an iptables rule for that source that denies access to the server's port 22, or block the IP address entirely;
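As an added example (not the post's own script), the following counts failed SSH password attempts per source IP from sshd log lines, rather than the bare `lastb | wc -l` total, which only ever grows and so keeps alerting every minute once it passes 15. The sample log lines are constructed from the excerpt above, the threshold of 3 is chosen so the sample triggers, and the iptables rule is printed as the suggested response rather than executed.

```bash
#!/bin/bash
# Added example, not the blog's script: count failed SSH password attempts
# per source IP from sshd log lines and report sources over a threshold.
# Assumes the "Failed password for <user> from <ip> port <n> ssh2" line
# format shown in the post's /var/log/secure excerpt.

# Constructed sample, modelled on the post's log excerpt (one extra source
# and one successful login added so the filter has something to ignore).
SAMPLE_LOG='Apr 21 22:03:36 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:41 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:46 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:51 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:52 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:05:10 localhost sshd[1520]: Failed password for invalid user admin from 10.0.0.9 port 40122 ssh2
Apr 21 22:05:12 localhost sshd[1522]: Accepted password for user1 from 192.168.22.1 port 50600 ssh2'

# count_failures: read log text on stdin, print "<count> <ip>" per source,
# highest count first. Successful logins never match the grep pattern.
count_failures() {
    grep -E 'sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port' \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: read log text on stdin, print only the IPs with more
# than THRESHOLD failures (the post uses 15; 3 here so the sample triggers).
offenders() {
    count_failures | awk -v t="$1" '$1 > t { print $2 }'
}

# report THRESHOLD: the same alert text as the post's script, but per source,
# plus the iptables rule the post suggests as the response (printed, not run).
report() {
    offenders "$1" | while read -r ip; do
        echo "Somebody try to login from $ip, please check log"
        echo "  suggested block: iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# In a cron job this would read the real log, e.g.:  report 15 < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | report 3
```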


That is all for now. It is a small achievement, but it gives me some confidence, and I believe that with further study I will understand Linux in more depth.

Sharing this with everyone; let us encourage each other.


This article is from the "Model Student's Learning blog" blog; please keep this source: http://8802265.blog.51cto.com/8792265/1636847
