Detecting authentication attempts from ssh / console from a Linux application

There is a task to detect successful and unsuccessful login attempts from a Linux application in C++. What is the best way to do this?

I found only 2 ways:

1) Check /var/log/secure on a timeout

2) Use inotify on /var/log/secure

But there is a problem: two or more failed logins in /var/log/secure look like "PAM 2 more authentication errors", and this line does not appear at the time of the failed login.

+5
2 answers

On a decent system, /var/log/wtmp and /var/log/btmp are the best places to check. Glibc provides functions to facilitate access: getutxent, getutxid, getutxline, etc.

Also check out the behavior of utmpdump -f /var/log/wtmp; this is very close to what you want (decode wtmp and follow the new events).

+1
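As an added example (not code from the answer above or from glibc), the following C++ program decodes utmp-format records the way utmpdump does, by reading `struct utmpx` records straight from a file, which is the layout shared by /var/log/wtmp and /var/log/btmp. In btmp every USER_PROCESS record is a failed attempt, in wtmp it is a completed login, so one reader serves both files. Instead of touching the real files it writes a constructed btmp-style sample to /tmp/sample_btmp; the path, user names and the 198.51.100.7 address are assumptions for the demo.

```cpp
// Added example: decode utmp-format records (the layout of /var/log/wtmp
// and /var/log/btmp) and classify them as login events. Records are read
// directly from the file, as utmpdump does, so the reader can be pointed
// at any file. The sample file, users and host below are constructed.
#include <cstdio>
#include <cstring>
#include <ctime>
#include <fstream>
#include <string>
#include <vector>
#include <utmpx.h>

struct LoginEvent {
    bool success;       // true for a wtmp USER_PROCESS record, false for a btmp record
    std::string user;
    std::string host;   // remote host or address as recorded by sshd/login
    std::string line;   // tty, pts, or "ssh:notty" for failed ssh attempts
    time_t when;
};

// Copy a fixed-width, possibly non-NUL-terminated utmp field into a std::string.
static std::string fieldToString(const char* field, size_t width) {
    return std::string(field, strnlen(field, width));
}

// Read every USER_PROCESS record from a utmp-format file. isBtmp decides how
// the record is interpreted: btmp holds only failed attempts, wtmp holds
// completed logins. Other record types (BOOT_TIME, DEAD_PROCESS, ...) are skipped.
std::vector<LoginEvent> readLoginEvents(const std::string& path, bool isBtmp) {
    std::vector<LoginEvent> events;
    std::ifstream in(path, std::ios::binary);
    struct utmpx rec;
    while (in.read(reinterpret_cast<char*>(&rec), sizeof rec)) {
        if (rec.ut_type != USER_PROCESS) continue;
        LoginEvent ev;
        ev.success = !isBtmp;
        ev.user = fieldToString(rec.ut_user, sizeof rec.ut_user);
        ev.host = fieldToString(rec.ut_host, sizeof rec.ut_host);
        ev.line = fieldToString(rec.ut_line, sizeof rec.ut_line);
        ev.when = static_cast<time_t>(rec.ut_tv.tv_sec);
        events.push_back(ev);
    }
    return events;
}

// Build one record; used only to construct sample data for the demo.
static struct utmpx makeRecord(short type, const char* user, const char* host,
                               const char* line, time_t when) {
    struct utmpx rec;
    memset(&rec, 0, sizeof rec);
    rec.ut_type = type;
    strncpy(rec.ut_user, user, sizeof rec.ut_user);
    strncpy(rec.ut_host, host, sizeof rec.ut_host);
    strncpy(rec.ut_line, line, sizeof rec.ut_line);
    rec.ut_tv.tv_sec = static_cast<decltype(rec.ut_tv.tv_sec)>(when);
    return rec;
}

// Write a constructed btmp-style file: two failed ssh attempts plus a
// BOOT_TIME record that a reader must ignore. Returns the path written.
std::string writeSampleBtmp(const std::string& path) {
    std::ofstream out(path, std::ios::binary | std::ios::trunc);
    struct utmpx recs[] = {
        makeRecord(BOOT_TIME, "reboot", "", "~", 1700000000),
        makeRecord(USER_PROCESS, "root", "198.51.100.7", "ssh:notty", 1700000100),
        makeRecord(USER_PROCESS, "admin", "198.51.100.7", "ssh:notty", 1700000103),
    };
    for (const auto& r : recs)
        out.write(reinterpret_cast<const char*>(&r), sizeof r);
    return path;
}

// Count failed attempts per source host: the per-attempt view that the
// aggregated PAM "N more authentication failures" syslog line does not give.
int countFailuresFromHost(const std::vector<LoginEvent>& events, const std::string& host) {
    int n = 0;
    for (const auto& ev : events)
        if (!ev.success && ev.host == host) ++n;
    return n;
}

int main() {
    std::string path = writeSampleBtmp("/tmp/sample_btmp");  // constructed sample, not the real btmp
    for (const auto& ev : readLoginEvents(path, /*isBtmp=*/true)) {
        char ts[32];
        strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", gmtime(&ev.when));
        printf("%s %s user=%s from=%s line=%s\n", ts, ev.success ? "OK  " : "FAIL",
               ev.user.c_str(), ev.host.c_str(), ev.line.c_str());
    }
    return 0;
}
```

To run it against the real files, call `readLoginEvents("/var/log/btmp", true)` and `readLoginEvents("/var/log/wtmp", false)` (btmp is normally readable only by root). The same record loop can be turned into a follower by remembering the file offset and re-reading from it, which is what utmpdump does when it follows wtmp.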

None of the above. This is actually much simpler:

1) Open the file

2) Call read() again in non-blocking mode to read the data.

3) If you get -EWOULDBLOCK, then do a select(). If the data is ready to read, return to step 2.

4) If the timeout expires (say, 1 second), check whether the file has been rotated. (Easy way: check the ctime of the new file, but there is probably a better way; look at the tail -F sources.) If a new file has been created, call close() and go to 1. Otherwise, go to 3.

Also, see fail2ban.

0
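The loop sketched in the answer above, written out as an added C++ example (not the answerer's code and not taken from tail). One caveat worth knowing when implementing it: a regular file always reports as readable to select(), and a non-blocking read() at end of file returns 0 rather than EWOULDBLOCK, so the follower below treats a zero-byte read as "no new data yet" and expects the caller to sleep between polls. Rotation is detected the way tail -F does it, by comparing the device and inode of the open descriptor with the path on disk (and by a file offset larger than the current size, for in-place truncation). The log path /tmp/follow_demo.log and the sshd-style lines are constructed for the demo.

```cpp
// Added example: follow a growing log file and survive logrotate-style
// rotation (rename + create) and truncation, as tail -F does. Demo paths
// and the sshd-style log lines are constructed, not taken from a real host.
#include <cerrno>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

class LogFollower {
public:
    explicit LogFollower(std::string path) : path_(std::move(path)), fd_(-1) { reopen(); }
    ~LogFollower() { if (fd_ >= 0) close(fd_); }

    // Return the complete lines appended since the last call; a trailing
    // partial line is kept until its newline arrives. Call this on a timer.
    std::vector<std::string> poll() {
        std::vector<std::string> lines;
        if (fd_ < 0 && !reopen()) return lines;        // log not created yet
        char buf[4096];
        for (;;) {
            ssize_t n = read(fd_, buf, sizeof buf);
            if (n > 0) { pending_.append(buf, static_cast<size_t>(n)); continue; }
            if (n < 0 && errno == EINTR) continue;
            break;   // 0 = EOF on a regular file: nothing new; EAGAIN on pipes: same
        }
        size_t pos;
        while ((pos = pending_.find('\n')) != std::string::npos) {
            lines.push_back(pending_.substr(0, pos));
            pending_.erase(0, pos + 1);
        }
        // The old descriptor has been drained above, so switching now loses nothing.
        if (rotated()) { close(fd_); fd_ = -1; reopen(); ++rotations_; }
        return lines;
    }
    int rotations() const { return rotations_; }

private:
    // Rotated if the path now names a different inode/device, or if the file
    // shrank below our read offset (truncated in place, e.g. copytruncate).
    bool rotated() const {
        struct stat onDisk, held;
        if (stat(path_.c_str(), &onDisk) != 0) return false;   // not recreated yet; keep old fd
        if (fstat(fd_, &held) != 0) return true;
        if (onDisk.st_ino != held.st_ino || onDisk.st_dev != held.st_dev) return true;
        return lseek(fd_, 0, SEEK_CUR) > onDisk.st_size;
    }
    bool reopen() {
        fd_ = open(path_.c_str(), O_RDONLY | O_NONBLOCK | O_CLOEXEC);
        return fd_ >= 0;
    }
    std::string path_;
    int fd_;
    std::string pending_;
    int rotations_ = 0;
};

// Stand-in for sshd/PAM appending to the log.
static void appendLine(const std::string& path, const std::string& line) {
    if (FILE* f = fopen(path.c_str(), "a")) { fputs(line.c_str(), f); fputc('\n', f); fclose(f); }
}

// Drive the follower through a write, a rename-style rotation and a write to
// the new file. Returns {lines seen, rotations detected} for checking.
std::pair<int, int> demoFollow(const std::string& path) {
    remove(path.c_str());
    remove((path + ".1").c_str());
    appendLine(path, "Accepted publickey for alice from 203.0.113.5 port 50000 ssh2");     // constructed
    LogFollower follower(path);
    int seen = 0;
    auto drain = [&]() { for (const auto& l : follower.poll()) { ++seen; printf("line: %s\n", l.c_str()); } };
    drain();                                                                                // 1 line
    appendLine(path, "Failed password for invalid user bob from 203.0.113.9 port 50001 ssh2"); // constructed
    drain();                                                                                // 1 line
    rename(path.c_str(), (path + ".1").c_str());                                            // logrotate-style
    appendLine(path, "Accepted password for carol from 203.0.113.5 port 50002 ssh2");      // new file
    drain();                                                                                // detects rotation
    drain();                                                                                // reads new file
    printf("lines seen: %d, rotations detected: %d\n", seen, follower.rotations());
    return {seen, follower.rotations()};
}

int main() { demoFollow("/tmp/follow_demo.log"); return 0; }
```

In a real monitor the lines returned by `poll()` are fed to a parser for the "Accepted ..." and "Failed ..." messages; the 1-second cadence from the answer is simply a `sleep` between calls, and inotify on the directory can replace it where the sub-second delay matters.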

Source: https://habr.com/ru/post/1201562/