16.7 An Example for Automatic Paging

For this example, you will arrange to be paged on unsuccessful telnet login attempts. The only existing entry in your /etc/syslog.conf that has an action of displaying on logged-in users' screens is

    *.warn;authpriv.notice;auth.notice	bob,root

and it generates the following output (on a single line):

    Nov 22 22:07:37 cavu login[24072]: invalid password for `UNKNOWN' on `ttyp6' from `cavu'

Note that the tag on the record is login[24072]: the message is written by the login program that telnetd starts for the session, not by telnetd itself. Unfortunately, there is no documentation or simple way to determine which facility (the part before the ".") and priority (the part after the ".") login uses to generate this message. The practical approach is to edit /etc/syslog.conf, copy this line, comment out the original, edit the copy to specify only some of the selectors, force the message to be generated, and see whether it appears.

The message says "UNKNOWN" if the person entered an account name that is not in /etc/passwd; otherwise it lists the account name, such as "bob". You might want to modify your login program so that instead of saying "UNKNOWN" it says "U-joe", so that if someone is guessing account names you will see "U-joe", "U-joe", "U-jane", "U-jane", etc. and can conclude that they are trying a few likely passwords on common account names.

Note that you must separate the selectors from the actions with tabs, not spaces.

I first tried

    authpriv.notice	bob

I then ran ps axlww | grep syslog to find the PID (97 in my case) of syslogd and sent it the HANGUP signal so that it would reread /etc/syslog.conf:

    kill -1 97

I then tried to telnet in with a bogus login sequence, but I did not see the login message, so this is the wrong selector. I then tried

    auth.notice	bob

(and again sent kill -1 97) and tried to telnet in. This generated the message, so this is the selector to use.

You next need a shell script (or Perl or C program) that transforms this error message into an appropriate Mail command to activate the pager.
Because a pager can only show a short message, you want to edit the record down. The following script does the job. Although written in csh, it may be started from any shell. It could be named /usr/local/bin/syslog_login.

    #!/bin/csh -f
    # Read syslog records from the named pipe on stdin, one per line,
    # and page only the "invalid password" ones, trimmed to fit a pager.
    loop:
    set x="$<"
    echo "$x" | grep -q ': invalid password'
    if ( $status == 0 ) then
        echo "$x" \
          | sed "s/^... .. ..:..:.. \([^ ]*\).*: invalid password for /BAD PW:\1:/" \
          | Mail 1234567@skytel.com
    endif
    goto loop

Once this is in operation, the record above arrives on your pager as

    BAD PW:cavu:`bob' on `ttyp6' from `cavu'

The host after "BAD PW:" is the system that logged the message; the final field (from `cavu') shows which system the telnet connection came from, so you know how alarmed to be. Because your pager will indicate the time of the page, do not clutter its screen with a timestamp.

Next you need to create the named pipe that will carry the data from syslogd to this script. The pipe only needs to be created once, as root:

    mknod /usr/local/etc/syslog_auth p
    chmod 600 /usr/local/etc/syslog_auth

Next, you need to arrange for the script to be started at system startup. On Red Hat or Slackware, you could add the following line to /etc/rc.d/rc.local:

    (/usr/local/bin/syslog_login < /usr/local/etc/syslog_auth)&

Start it the first time by issuing that command from a root shell, or simply by rebooting if that would not be inconvenient. Do this before pointing syslogd at the pipe, so that a reader is already waiting when syslogd begins writing to it.
Usually this involves a set of rescue disks. Normally these are created when the system is first installed, and they should be remade after major updates. They consist of a copy of your kernel (patched with rdev to expect the root file system on floppy) and a compressed image of a suitable rescue root file system. The rescue root file system floppy can be copied with dd from your Linux distribution CD-ROM. The procedure for all of this is described in the Linux Administrator's Documentation.

Finally, alter that entry in /etc/syslog.conf to read

    auth.notice	|/usr/local/etc/syslog_auth

and use kill to send syslogd a SIGHUP (kill -1 with its PID, as above) so that it rereads the file. Now you are ready to test the whole arrangement by trying to telnet in with a bogus password or login ID.
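The following is an added example, not the book's script: a POSIX sh reader for the same named pipe, with the record-shortening step split into a function so it can be exercised against constructed syslog lines without a pager. The pipe path and the pager address are carried over from the text as placeholders; the three sample records are constructed here, the first two following the format shown above and the third a successful-login decoy that must produce no page. One difference from the csh loop is deliberate: if every writer closes the pipe (syslogd stopped, for example), csh's "$<" keeps returning an empty string and the script spins, whereas this reader reopens the pipe after end-of-file.

```shell
#!/bin/sh
# Added example, not the book's own script: a POSIX sh version of the
# syslog pipe reader. The pipe path and pager address are assumptions
# taken from the text, not values the page verifies.

PIPE="${SYSLOG_AUTH_PIPE:-/usr/local/etc/syslog_auth}"   # assumed path
PAGER="${PAGER_ADDR:-1234567@skytel.com}"               # assumed address

# Reduce one syslog record to pager text. The timestamp is dropped (the
# pager stamps the page itself); the logging host, account, tty and the
# origin host are kept. Records that are not "invalid password" lines
# produce no output at all.
shorten_login_failure() {
    printf '%s\n' "$1" |
        sed -n 's/^... .. ..:..:.. \([^ ]*\).*: invalid password for /BAD PW:\1:/p'
}

# Filter a stream of syslog records on stdin down to pager messages.
filter_login_failures() {
    while IFS= read -r line; do
        shorten_login_failure "$line"
    done
}

# Constructed sample input: what syslogd would write into the pipe. The
# first two lines follow the record shown in the text (unknown account,
# then a real account probed from another host); the third is a decoy
# successful-login record that must be ignored.
sample_records() {
    cat <<'EOF'
Nov 22 22:07:37 cavu login[24072]: invalid password for `UNKNOWN' on `ttyp6' from `cavu'
Nov 22 22:07:51 cavu login[24072]: invalid password for `bob' on `ttyp6' from `attacker.example'
Nov 22 22:08:02 cavu login[24073]: LOGIN ON ttyp6 BY bob FROM cavu
EOF
}

# Count how many pages a stream of records on stdin would generate.
count_pages() {
    filter_login_failures | grep -c '^BAD PW:'
}

# Deliver one page. Kept separate so it can be swapped out when testing.
send_page() {
    printf '%s\n' "$1" | Mail "$PAGER"
}

# Reader loop. Unlike a csh "$<" loop, this reopens the pipe after
# end-of-file instead of spinning on empty reads once all writers close.
watch_pipe() {
    while :; do
        filter_login_failures < "$PIPE" | while IFS= read -r msg; do
            send_page "$msg"
        done
        sleep 1
    done
}

case "${1:-}" in
    --watch) watch_pipe ;;                             # production use
    --demo)  sample_records | filter_login_failures ;; # dry run, no Mail
esac
```

Run it with --demo to see the two pager lines the sample records produce, and with --watch (as root, after the pipe exists) in place of the csh script in rc.local. The sed pattern is the one from the text, so the output format is identical to what the book's script sends.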