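#!/usr/bin/perl
#
# Script to catch authentication failures in auth.log.
# Catching three different error types: PAM "authentication failure" lines
# from su, refused sudo invocations, and failed SSH logins.
#
# Author Anton Lindstrom
# [email protected]
use warnings;
use strict;

# Log file to scan. Relative to the current directory, as before; an
# alternative path may be given as the first command-line argument.
my $LOG_FILE = 'auth.log';

# Cheap pre-filter: only rows mentioning fail/failed, attempt or auth are
# worth running the full pattern on.
my $CANDIDATE_RE = qr/fail|attempt|auth/i;

# One pattern for all three failure shapes.  The leading timestamp is
# captured first, then the rest of the row is scanned (greedy, so the
# right-most match wins) for one of the alternatives.  Capture numbering,
# left to right:
#   1 date
#   2 logname, 3 user          (su / PAM authentication failure)
#   4 sudouser, 5 sudomsg, 6 command   (sudo refusal)
#   7 sshuser, 8 remotehost    (sshd "... for|user X from HOST")
# Groups of alternatives that did not participate come back as undef.
my $FAILURE_RE = qr{
    (\w+\s\d+\s\d+:\d+:\d+)
    .*
    (?:
        logname=([\w\-]+).*user=([\w\-]+)
      | sudo:\s+([\w\-]+)\s+:\s([a-z0-9\s]+)\s;.*COMMAND=(.*)
      | (?:for|user)\s([\w\-]+)\sfrom\s([\w+\-\.\_]+)
    )
}xi;

# Strip control characters from a field before echoing it.  The log rows
# are attacker-influenced (the sudo COMMAND field is whatever the caller
# typed), so a raw print would pass terminal escape sequences straight
# through to whoever reads the report.  Everything else is left as-is.
sub _printable {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ tr/\x00-\x1f\x7f//d;
    return $text;
}

# Parse one auth.log row.
#
# Returns the one-line report (newline included) for a recognised failure,
# or undef when the row is not one we track.  Captures are only read when
# the match succeeded, so a row that merely contains "fail" can no longer
# inherit the previous row's $1..$8 and produce a duplicate report.
sub parse_auth_line {
    my ($line) = @_;
    return unless defined $line;
    chomp $line;

    # Skip if the row does not say fail, failed, attempt or auth.
    return unless $line =~ $CANDIDATE_RE;

    # List assignment in scalar context yields the number of captures on
    # the right: 8 on success, 0 when the pattern did not match.
    my ($date, $logname, $user, $sudouser, $sudomsg, $command,
        $sshuser, $remotehost) = $line =~ $FAILURE_RE
        or return;

    # Which alternative matched is told by which capture is defined
    # (defined, not truthy, so a user literally named "0" still reports).
    if (defined $logname) {
        return "User $logname attempted to su to $user on $date\n";
    }
    if (defined $sudouser) {
        $sudomsg = _printable($sudomsg);
        $command = _printable($command);
        return "User $sudouser failed to sudo, $sudomsg for command \"$command\" on $date\n";
    }
    if (defined $remotehost) {
        return "Someone from $remotehost attempted to login as $sshuser on $date\n";
    }
    return;
}

# Read the log row by row (no slurp: auth.log can be large) and print one
# report line per recognised failure.  Dies if the file cannot be opened
# instead of silently reading from an unopened handle.
sub main {
    my ($path) = @_;
    $path = $LOG_FILE unless defined $path;

    open my $fh, '<', $path or die "open $path: $!";
    while (my $line = <$fh>) {
        my $report = parse_auth_line($line);
        print $report if defined $report;
    }
    close $fh or die "close $path: $!";
    return;
}

# Modulino guard: run only when executed directly, not when loaded.
main(@ARGV) unless caller;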