Triggering events upon IP/Port activity

Discussion in 'Mac Programming' started by ebt, Jan 20, 2011.

  1. ebt macrumors newbie

    Joined:
    Jan 19, 2011
    #1
    Hi All,

    I'm a complete newbie when it comes to Macs, but I got advised that my previous thread in "new to macs" was probably better raised here.

    Sooo, I'm after a way to spot incoming ssh attempts (I've got my remote login share open so I can annoy my MacBook remotely) and to trigger an alert to the user if someone tickles it. I guess I could do it with a loginhook (for successful logins) in combination with growlnotify, but that of course wouldn't alert me to someone attempting to log in and failing.

    At the moment I'm as far as using w piped through grep to list the login ID and the remote system's IP, and using growlnotify to pop up a dialogue with this info (it remains on screen until such time as I click to acknowledge it)..... I'm missing the triggered bit.... and the 'any' ssh activity.

    Any ideas? (please be gentle, it hurts to engage BOTH braincells)
     
  2. subsonix, Jan 20, 2011
    Last edited: Jan 20, 2011

    subsonix macrumors 68040

    Joined:
    Feb 2, 2008
    #2
    Doesn't sshd send its output to the system log? Have you looked there?


    Edit: if you want to control the logging policy of your ssh server (sshd) then you need to edit the sshd_config file. Just a note though, do your homework before making any changes to this so you are absolutely sure about the consequences. You can set logging policies and just about anything you can imagine. There should be no need for extra duct tape scripts.
     
  3. ulbador, Jan 20, 2011
    Last edited: Jan 20, 2011

    ulbador macrumors 68000


    Joined:
    Feb 11, 2010
    #3
    I think you are probably overengineering this problem...

    Install growlnotify from the extras folder in the growl DMG. Create a file at:

    ~/.ssh/rc

    Put something like this in it:

    Code:
    /usr/local/bin/growlnotify -m "Adam logged in via ssh" -t "SSH Notification"

    Maybe make it executable?

    Code:
    chmod u+x ~/.ssh/rc

    Profit!! Or something like that. Now when you ssh in, a growl notification happens.

    Of course you could put any command line program in the rc script, so be creative...

    The bottom line is that when you ssh in, a file in the user's home directory under the hidden .ssh directory named "rc" is executed. If you want it to do something when someone SSHes in, put it in there.
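    A fuller version of the rc idea in this post, added here as an example rather than ulbador's own script. It assumes growlnotify at /usr/local/bin/growlnotify and takes the peer address from the SSH_CONNECTION variable that sshd sets for the session; the comments say why the file must stay silent on stdout.

```shell
#!/bin/sh
# ~/.ssh/rc notifier. Added example for this thread, not code from the posts
# above. sshd runs this file through /bin/sh after every successful login to
# the account, before the shell or the requested command starts.
# Assumed: growlnotify lives at /usr/local/bin/growlnotify.
#
# Two rules for anything you put in rc:
#   1. Write nothing to stdout. rc output goes into the session, which is why
#      ulbador's echo showed up as a "MOTD"; for scp it corrupts the transfer.
#   2. Read the peer from SSH_CONNECTION ("client-ip client-port server-ip
#      server-port"), which sshd sets for the session, instead of parsing `w`.

# ssh_peer: print "<client-ip> <client-port>", or "unknown" if SSH_CONNECTION is unset.
ssh_peer() {
    # Unquoted on purpose: split the variable into positional parameters.
    set -- ${SSH_CONNECTION:-unknown}
    if [ $# -ge 2 ]; then echo "$1 $2"; else echo "unknown"; fi
}

# login_message: one-line summary for the notification body.
login_message() {
    echo "$(id -un) logged in via ssh from $(ssh_peer) at $(date '+%Y-%m-%d %H:%M:%S')"
}

# notify MESSAGE: Growl if available, otherwise the system log via logger(1).
# Everything is redirected so nothing reaches the session's stdout.
notify() {
    if [ -x /usr/local/bin/growlnotify ]; then
        /usr/local/bin/growlnotify -t "SSH Notification" -m "$1" >/dev/null 2>&1
    elif command -v logger >/dev/null 2>&1; then
        logger -t ssh-rc -- "$1"
    fi
}

# Only fire inside an actual ssh session, so sourcing this file to test it is harmless.
if [ -n "$SSH_CONNECTION" ]; then
    notify "$(login_message)"
fi
```

    Save it as ~/.ssh/rc with mode 0600; sshd(8) wants the file writable only by the user. Because sshd feeds it through /bin/sh, the chmod u+x step above is harmless but not required. One side effect to know about: when ~/.ssh/rc exists, sshd leaves X11 cookie handling to it, so if you use X forwarding the file also has to call xauth as sshd(8) describes.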
     
  4. subsonix macrumors 68040

    Joined:
    Feb 2, 2008
    #4
    Except that it's not ssh running on the receiving end when someone is logging in from the outside, but sshd, which already has extensive logging options by default.
     
  5. ulbador macrumors 68000


    Joined:
    Feb 11, 2010
    #5
    haha..... it works.. trust me. SSH and SSHD use the same .ssh folder in the default configuration.

    Code:
    myhostname:~ adam$ ssh adam@myhostname -p22
    Password:
    Last login: Thu Jan 20 13:26:56 2011
    This is the ~/.ssh/rc file MOTD! Welcome!
    myhostname:~ adam$
    
    With this in my ~/.ssh/rc file

    Code:
    echo "This is the ~/.ssh/rc file MOTD!  Welcome!"
    
     
  6. subsonix macrumors 68040

    Joined:
    Feb 2, 2008
    #6
    No need to be trolling! I'm just telling you that ssh (the client) is not (necessarily) running when someone is logging in, but the server is. I was referring to the sshd_config file located at: /private/etc/sshd_config

    As you can see, in it you can set default logging options of the ssh server and what is logged to the system log. How is that funny/ not correct?
     
  7. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #7
    I don't see how an ~/.ssh/rc file answers the OP's question.

    He wants to see "incoming ssh attempts" [emphasis added]. I don't think the rc file is executed for an attempt to connect; the attempt must succeed first. Attempts that fail execute nothing (and sensibly so).
     
  8. ebt thread starter macrumors newbie

    Joined:
    Jan 19, 2011
    #8
    Thanks for the pointers; as chown33 points out though, I also want to see failed login attempts.

    Imagine you're blessed with a healthy dose of paranoia... and that your remote login is enabled (for a variety of reasons). Now, you'd like to see:

    1. When someone logs in via ssh, in real time as a pop up alert
    2. When someone is attempting to log in via ssh (so you don't have to wait for them to brute-force etc. your password), in real time as a pop up alert.

    Et voila.... welcome to my own little corner of paranoia :D
     
  9. ulbador, Jan 20, 2011
    Last edited: Jan 20, 2011

    ulbador macrumors 68000


    Joined:
    Feb 11, 2010
    #9
    Well, I'll tell you right now, if you are on a publicly routable IP address, you will get LOADS of attempts. It should take about 12 minutes before you get so sick of seeing attempts that you just turn it off. I run a farm of servers and I can't tell you how many hits there are to port 22 on our firewall. All my servers have SSH enabled and I have not had a security incident in a decade (beyond those caused by crappy-ass vBulletin exploits).

    SSH is one of the more secure protocols on the Internet, and thousands of servers that have a lot more interesting information than your file share are publicly accessible. Not to say it's hack-proof by any stretch, but there really isn't an issue with leaving it running full time, especially if you take a few extra steps.

    1. Change the default port number. This will stop anybody just casually scanning for a running service. Someone will then have to know you are there and that you are trying to hide something (and subsequently do a deep scan). This is usually the first step I take when I set up a new server.
    2. Disable root from logging in. On OS X this generally isn't an issue anyway.
    3. Use public/private keys that are encrypted with a password instead of SSH interactive logins. With this, not only does it require the password in your head, but a copy of the key that is transmitted (and it's all automated, so you really don't have to worry about keeping track of a file once it is set up).
    4. Only permit SSH2. I can't remember if this is default in OS X or not, but it should be everywhere now. SSH1 has been completely cracked and exploited.

    I just suggest you not worry about SSH attempts because there will probably be many of them (unless of course there are other reasons that you want to see requests that generally are going to be shut down by the security built into SSH anyway).
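    To check a box against the four steps above, and against the sshd_config logging policy subsonix mentioned in #2 and #6, here is an audit script added as an example for this thread (it is not any poster's code). It reads files in the /private/etc/sshd_config format; the directive names are OpenSSH's own, the two config fragments inside it are constructed (one weak, one corrected), and it treats a missing Protocol line as "not pinned" rather than trusting whatever the build's default is.

```shell
#!/bin/sh
# sshd_config audit for the four hardening steps above plus the logging
# policy from #2 and #6. Added example for this thread, not code from the
# posts. Directive names are OpenSSH's; the two fragments are constructed.

WEAK_CONFIG='# constructed: what a stock config tends to look like
#Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#LogLevel INFO'

HARDENED_CONFIG='# constructed: the same file after the four steps
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
LogLevel VERBOSE'

# sshd_value FILE KEYWORD: effective value of KEYWORD. sshd uses the first
# non-comment occurrence and matches keywords case-insensitively; a keyword
# that never appears means the compiled-in default, reported as "(default)".
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd FILE: one OK/WEAK/NOTE line per check; exit status 1 if anything is WEAK.
audit_sshd() {
    weak=0
    v=$(sshd_value "$1" Port)
    case "$v" in
        22|"(default)") echo "WEAK Port = $v (step 1: move off 22, the port every scanner probes)"; weak=1 ;;
        *)              echo "OK   Port = $v" ;;
    esac
    v=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$v" in
        no) echo "OK   PermitRootLogin = $v" ;;
        *)  echo "WEAK PermitRootLogin = $v (step 2)"; weak=1 ;;
    esac
    # Step 3 needs both of these on a PAM build such as OS X: with
    # ChallengeResponseAuthentication left on, keyboard-interactive still asks for a password.
    for k in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(sshd_value "$1" "$k" | tr 'A-Z' 'a-z')
        case "$v" in
            no) echo "OK   $k = $v" ;;
            *)  echo "WEAK $k = $v (step 3: keys only)"; weak=1 ;;
        esac
    done
    v=$(sshd_value "$1" Protocol)
    case "$v" in
        2) echo "OK   Protocol = $v" ;;
        *) echo "WEAK Protocol = $v (step 4: pin it to exactly 2)"; weak=1 ;;
    esac
    v=$(sshd_value "$1" LogLevel | tr 'a-z' 'A-Z')
    case "$v" in
        VERBOSE|DEBUG*) echo "OK   LogLevel = $v" ;;
        *)              echo "NOTE LogLevel = $v (VERBOSE also records which key fingerprint was used)" ;;
    esac
    return $weak
}

# Usage on a live system: audit_sshd /private/etc/sshd_config
```

    The LogLevel line is reported as a note rather than a failure because it is a logging preference, not a hole; VERBOSE is what makes the system log show which key authenticated, which is the kind of detail subsonix was pointing at.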
     
  10. ebt, Jan 20, 2011
    Last edited: Jan 20, 2011

    ebt thread starter macrumors newbie

    Joined:
    Jan 19, 2011
    #10
    Fair enough, more to learn :)

    So, a loginhook should do the job then I guess.
     
  11. ulbador macrumors 68000


    Joined:
    Feb 11, 2010
    #11
    For a successful login, just do as I mentioned above, with the rc script in ~/.ssh. Otherwise you will be executing the action every time you open a terminal and start up your computer and such.

    For an unsuccessful login, monitor /var/log/secure. Though, as I mentioned, be prepared for this (and this is from my home iMac that I left on the default port):

    Code:
    Jan 11 23:53:28 daMac sshd[5829]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:30 daMac sshd[5831]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:33 daMac sshd[5833]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:35 daMac sshd[5835]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:38 daMac sshd[5837]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:40 daMac sshd[5839]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:42 daMac sshd[5841]: Invalid user ethan from 120.199.64.54
    Jan 11 23:53:45 daMac sshd[5843]: Invalid user matthew from 120.199.64.54
    Jan 11 23:53:47 daMac sshd[5845]: Invalid user matthew from 120.199.64.54
    Jan 11 23:53:49 daMac sshd[5847]: Invalid user matthew from 120.199.64.54
    Jan 11 23:53:52 daMac sshd[5849]: Invalid user matthew from 120.199.64.54
    Jan 11 23:53:54 daMac sshd[5851]: Invalid user matthew from 120.199.64.54
    Jan 11 23:53:57 daMac sshd[5853]: Invalid user matthew from 120.199.64.54
    Jan 11 23:53:59 daMac sshd[5855]: Invalid user matthew from 120.199.64.54
    Jan 11 23:54:01 daMac sshd[5858]: Invalid user matthew from 120.199.64.54
    Jan 11 23:54:04 daMac sshd[5860]: Invalid user matthew from 120.199.64.54
    Jan 11 23:54:06 daMac sshd[5862]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:09 daMac sshd[5864]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:11 daMac sshd[5866]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:13 daMac sshd[5868]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:16 daMac sshd[5870]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:18 daMac sshd[5872]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:20 daMac sshd[5874]: Invalid user nicholas from 120.199.64.54
    Jan 11 23:54:23 daMac sshd[5876]: Invalid user nicholas from 120.199.64.54

    7000 lines of that. And that's just from the last time the logs were rolled.
     
  12. Guiyon macrumors 6502a

    Joined:
    Mar 19, 2008
    Location:
    North Shore, MA
    #12
    That's why I ended up configuring SSHGuard on all my systems. 2 'attacks' (invalid user or password) from an IP and an IPFW rule gets added which blocks all traffic from that IP. Made my logs MUCH smaller.
     
  13. ulbador macrumors 68000


    Joined:
    Feb 11, 2010
    #13
    That works until you accidentally lock yourself out of a production system because you are tired and fat-fingering a password :)
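    Putting #11, #12 and #13 together: the following is an added example (not from any of the posters) that counts sshd failures per source address over the log format shown in #11, applies an SSHGuard-style threshold with a whitelist so the lockout in #13 cannot happen to your own machine, and offers a tail-based watcher for the OP's real-time pop-up. It only prints the addresses it would block, leaving the ipfw/pf step to you. The log path and the growlnotify path are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Failed-login monitor for sshd log lines. Added example for this thread, not
# code from the posts. It counts authentication failures per source address
# the way SSHGuard's threshold rule does, but only prints what it would block,
# so you decide how (or whether) to feed that into ipfw or pf. Assumed: the log
# path (on Mac OS X of that era sshd auth messages go to /var/log/secure.log;
# adjust to wherever yours logs) and the growlnotify path.

# Constructed sample in the same syslog format as the excerpt in #11; the
# second and third addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Jan 11 23:53:28 daMac sshd[5829]: Invalid user ethan from 120.199.64.54
Jan 11 23:53:30 daMac sshd[5831]: Invalid user ethan from 120.199.64.54
Jan 11 23:53:33 daMac sshd[5833]: Failed password for adam from 192.0.2.10 port 50112 ssh2
Jan 11 23:53:35 daMac sshd[5835]: Failed password for invalid user matthew from 120.199.64.54 port 50113 ssh2
Jan 11 23:53:38 daMac sshd[5837]: Accepted publickey for adam from 192.0.2.10 port 50114 ssh2
Jan 11 23:53:40 daMac sshd[5839]: Invalid user nicholas from 198.51.100.7'

# failure_counts: sshd log lines on stdin -> "<count> <ip>" per source, highest
# first. Matches both "Invalid user X from IP" and "Failed password ... from IP";
# "Accepted" lines are ignored.
failure_counts() {
    awk '
        /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# offenders THRESHOLD [WHITELIST-IP ...]: addresses with at least THRESHOLD
# failures, minus the whitelist. Whitelist your own workstation: #13's lockout
# is exactly what an unconditional rule does to a tired admin.
offenders() {
    threshold=$1
    shift
    failure_counts | while read -r count ip; do
        listed=0
        for w in "$@"; do
            [ "$ip" = "$w" ] && listed=1
        done
        if [ "$listed" -eq 0 ] && [ "$count" -ge "$threshold" ]; then
            echo "$ip"
        fi
    done
}

# failure_summary LINE: strip the syslog prefix, leaving just sshd's message.
failure_summary() {
    msg=${1#*"sshd["*"]: "}
    printf '%s\n' "$msg"
}

# notify MESSAGE: Growl pop-up if growlnotify is installed (path assumed), else stderr.
notify() {
    if [ -x /usr/local/bin/growlnotify ]; then
        /usr/local/bin/growlnotify -t "SSH Notification" -m "$1"
    else
        printf '%s\n' "$1" >&2
    fi
}

# watch_log LOGFILE: real-time version of the OP's "triggered bit": follow the
# log and raise a pop-up for every failed attempt as it is written.
watch_log() {
    tail -F "$1" | while read -r line; do
        case "$line" in
            *"sshd["*"]: Invalid user "*|*"sshd["*"]: Failed password "*)
                notify "ssh failure: $(failure_summary "$line")" ;;
        esac
    done
}

# Offline demo on the constructed sample: sources with two or more failures,
# with your own box (192.0.2.10 here) whitelisted:
#   printf '%s\n' "$SAMPLE_LOG" | offenders 2 192.0.2.10
# Live use (path assumed):  watch_log /var/log/secure.log
```

    Run offenders against the rolled log from cron and act on its output with whatever firewall you use; keep watch_log for the pop-up, and expect it to fire as often as #9 and #11 warn on a default port.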
     
