July 2008

How to monitor SSH Login activities and FTP logins over the web

The basic idea behind the script is:

We can monitor the activities of ssh logins, any hacking attempts and ftp logins. The steps involved in this script are

1, first check the log files for whether any entry is present

2, if any lines are present in the logs regarding the login activities, write all those lines to our custom web access file

3, place the report file in a web accessible location

4, create a virtual host on Apache for this

5, set a cron to automate the logs creation and removal

########################### Log monitoring scripts ##############

#!/bin/bash
#fingers: Liju mathew ~! lijumathewliju@gmail.com
#created: 27.07.2008
#purpose: to check the status of ssh/logins and notify the system personnel
#      if they are not listening!

today=`date +%d-%m-%y`
# syslog pads single-digit days with a space ("Jul  7"), so %e is used rather than %d
day_ftr=`date "+%b %e"`
# must be the same directory the Apache Alias below points at
web_location=/var/www/html/logs

# In the below example I guess the ssh log files are created in /var/log/secure (on Debian /var/log/auth.log)
# and vsftp/proftp transfer logs are created in /var/log/xferlog
## SSH Allow script for checking empty data from the file

grep "$day_ftr" /var/log/secure | grep sshd | grep "Accepted password" > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
    grep "$day_ftr" /var/log/secure | grep sshd | grep "Accepted password" > $web_location/ssh-allow-$today.txt
fi

# SSH Deny script for avoiding empty file creation
grep "$day_ftr" /var/log/secure | grep sshd | grep "Failed password" > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
    grep "$day_ftr" /var/log/secure | grep sshd | grep "Failed password" > $web_location/ssh-deny-$today.txt
fi

## FTP script for avoiding empty file creation
grep "$day_ftr" /var/log/xferlog > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
    grep "$day_ftr" /var/log/xferlog > $web_location/ftp-log-$today.txt
fi
### ############End of scripts ############

Create a virtual host entry for this

<VirtualHost *:80>

ServerName 182.163.98.2

Alias /logs "/var/www/html/logs"

<Directory "/var/www/html/logs">
Options +Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<Location /logs>
AuthType Basic
AuthName "Admin access details"
AuthUserFile /var/pwd/prod/passwd
Require valid-user
Allow from all
</Location>

</VirtualHost>

5, Set up a cron for this

Copy this script to /var/opt/scripts/ssh_monitor.sh and add the following crontab entry:

30 12  * * * /bin/bash /var/opt/scripts/ssh_monitor.sh

That's it.

Note: please make sure that your log file format matches my grep commands. If not, update them with the strings you require.
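As an added example that is not part of the original post, the following script takes the same approach one step further: instead of dumping raw log lines, it reports per-day counts of accepted and failed sshd logins and the failed attempts per source address, matching the syslog day prefix correctly for single-digit days and keeping the report file from being world-readable. The log lines, hostname and addresses are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post: summarise one day's sshd
# activity from a syslog-style auth log. Sample log lines are constructed.
set -u
# Constructed sample in /var/log/secure format. Single-digit days are padded
# with a space ("Jul  7"), so the day key must come from "date '+%b %e'",
# not "%d", or those days never match.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 27 09:12:01 host sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul 27 09:13:44 host sshd[2107]: Failed password for root from 203.0.113.9 port 40111 ssh2
Jul 27 09:13:47 host sshd[2107]: Failed password for root from 203.0.113.9 port 40111 ssh2
Jul 27 09:13:50 host sshd[2107]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Jul 27 10:02:13 host sshd[2150]: Accepted publickey for bob from 10.0.0.7 port 51030 ssh2
Jul 26 23:59:58 host sshd[2099]: Failed password for alice from 10.0.0.5 port 51001 ssh2
EOF
# sshd lines for one day, anchored at line start so "Jul 27" appearing
# inside a message body cannot match. $1 = log file, $2 = "Mon dd".
day_lines() {
    grep -E "^$2 [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: " "$1"
}
# Successful logins (any auth method, not only "Accepted password").
count_accepted() { day_lines "$1" "$2" | grep -c 'Accepted '; }
# Failed password attempts.
count_failed() { day_lines "$1" "$2" | grep -c 'Failed password'; }
# Failed attempts per source address, "count ip", most active first: the
# figure a reviewer wants on the report rather than hundreds of raw lines.
failed_by_source() {
    day_lines "$1" "$2" | grep 'Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}
# Write the day's report; umask 027 keeps it from being world-readable.
# $1 = log file, $2 = "Mon dd", $3 = output file.
write_report() {
    ( umask 027
      { echo "sshd report for $2"
        echo "accepted=$(count_accepted "$1" "$2") failed=$(count_failed "$1" "$2")"
        echo "failed attempts by source:"
        failed_by_source "$1" "$2"
      } > "$3" )
}
# Stand-alone demo; in the cron job DAY would be "$(date '+%b %e')".
DAY="Jul 27"
REPORT=$(mktemp)
write_report "$SAMPLE_LOG" "$DAY" "$REPORT"
cat "$REPORT"
```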
