How to get an email message whenever someone logs in to webmin/usermin/ssh/ftp

#1 Wed, 04/18/2007 - 19:25
JamesBowman

How to get an email message whenever someone logs in to webmin/usermin/ssh/ftp/etc.

Does anybody know how to set up an automatic emailer that would notify me whenever someone logs in?

Thanks

Sun, 06/07/2009 - 07:02
Joe

Hey James,

That seems like it'd be a lot of emails, wouldn't it? logwatch on Red Hat and Fedora systems will send you a daily message with a summary of logins and such (though it doesn't watch the Webmin/Usermin logs, by default, it could be configured to do so). It lives here, if you're on some other OS that doesn't have it by default:

http://www2.logwatch.org:81/

To do exactly what you're after, you'd have to have a program tailing the logs of all of the services you want to monitor, which recognizes login events (which look different in every service) and then sends out the message. I've written a perl script that did this for the Squid store.log in the distant past, and I'm sure I could dig it up for you, if you wanted to see an example of writing such a daemon program in perl. But, even with an example, you'd still have to write quite a bit of code.

What problem is it you're actually setting out to solve? There might be a better way.

BTW, if you're running a Red Hat variant and not getting those daily logwatch messages, you'll want to check to be sure you have created an alias for root pointing to some mailbox you check regularly.

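The log-watching approach described in the post above, as an added example that is not part of the original thread and is not the Perl script Joe mentions: it recognizes login events for several services and builds one alert email per event. The log formats, the `host.example` name and the `loginwatch` sender are assumptions; adjust the patterns to what your own logs contain.

```python
import re
from email.message import EmailMessage

# Patterns are assumptions modelled on common sshd, vsftpd and Webmin syslog
# lines; real formats vary by version and configuration. The greedy user group
# makes the LAST " from <ip>" win, so a crafted username cannot spoof the source.
PATTERNS = [
    ("ssh", "success", re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>.*) from (?P<ip>\S+) port \d+")),
    ("ssh", "failure", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+")),
    ("ftp", "success", re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"')),
    ("ftp", "failure", re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')),
    ("webmin", "success", re.compile(r"webmin\[\d+\]: Successful login as (?P<user>.*) from (?P<ip>\S+)$")),
    ("webmin", "failure", re.compile(r"webmin\[\d+\]: Invalid login as (?P<user>.*) from (?P<ip>\S+)$")),
]

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Jun  7 07:02:11 host sshd[2211]: Accepted password for james from 192.0.2.10 port 51514 ssh2
Jun  7 07:02:40 host sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Sun Jun  7 07:03:05 2009 [pid 2301] [james] OK LOGIN: Client "192.0.2.10"
Jun  7 07:04:19 host webmin[2350]: Successful login as root from 192.0.2.10
Jun  7 07:05:00 host crond[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_login(line):
    """Return a dict describing the login event in one log line, or None."""
    for service, outcome, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return {"service": service, "outcome": outcome, **m.groupdict()}
    return None

def scan(lines):
    """Return the login events found in an iterable of log lines, in order."""
    return [ev for ev in map(parse_login, lines) if ev]

def build_alert(event, to_addr, host="host.example"):
    """Build (but do not send) the notification email for one event."""
    msg = EmailMessage()
    msg["From"] = f"loginwatch@{host}"
    msg["To"] = to_addr
    msg["Subject"] = f"[{host}] {event['service']} login {event['outcome']}: {event['user']} from {event['ip']}"
    msg.set_content("".join(f"{k}: {v}\n" for k, v in event.items()))
    return msg

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG.splitlines()):
        print(build_alert(ev, "root@localhost")["Subject"])
        # To deliver: smtplib.SMTP("localhost").send_message(msg)
```

Failed logins are reported as well as successful ones, so on an exposed host the alerts should be batched or rate-limited before they are mailed.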

Sun, 06/07/2009 - 07:02
JamesBowman

I recently had two of my systems broken into and I am wanting to track users coming and going just to see how the attempts are made and whose accounts are being broken into. One of my providers didn't give me much time to do anything before they forced me to format my system, in which I lost some great accounts. So I want to keep tabs on occasion on what is going on in real time.

Thanks for your input

Sun, 06/07/2009 - 07:02
Joe

Hey James,

I've never seen your systems, got no idea about anything specific, but I'd give you 10 to 1 odds that your system was exploited via weak passwords. Hell, make it 100 to 1. 95% of exploited systems I've ever seen (and I've seen a lot of them...I did years of contract work cleaning up security incidents) have been traced back to a weak password.

Enforce strong passwords on your systems, and almost all exploits go away. A strong password is one that is greater than 8 characters, includes both numbers and letters, and preferably a special character. Webmin has the ability to enforce reasonable password policy, so you might try enabling those features, if you can't trust your users to use strong passwords consistently.

The other 5% were due to running old versions of software that had known security flaws. So, when you're finished changing all of your passwords (you've also gotta make sure your users are using strong passwords) to something strong, make sure you've got your system up to date. yum, up2date, yast, urpmi, apt-get, whatever your system uses...run it daily.

Webmin and Usermin automatically protect against brute force password attacks by locking out users that enter incorrect passwords, but FTP and SSH don't. There are ways to limit the speed at which such attacks occur via firewall, and the servers might also be configurable to protect against such attacks...I'll look into it (SSH wasn't capable of it, last time I looked, but it seems like it's something that would have shown up by now).


Sun, 06/07/2009 - 07:02
TonyShadwick

For the sake of semantics, I'll answer the original question. :)

man mail

Use the man page to construct a command that sends the appropriate e-mail message with the information you want to see. Add that command to the system-wide login scripts (/etc/csh.login and /etc/profile I think...varies by OS). That takes care of ssh and ftp (presuming all ftp users use either Bourne or csh). So far as webmin goes, I'm sure you can hack the perl scripts to call your command as well.

I'm with Joe - fix the source of the problem, don't treat the symptoms.