Linux Login Detection Redux
I had almost forgotten how much fun it is to mess around with a Linux server. Building another Linux server did indeed bring back some memories.
This is another scratchpad post: little to no explanation or breakdown of the script involved (unless there's the "impetus" to elaborate in future). Feel free to ask or discuss in the comments section below though.
Any user who logs in should trigger the sending of a notification email from the server immediately; if it wasn't an expected login, at least you'd know it's time to trigger some incident response processes.
As an improved version of the old post on the same topic, this script is likewise meant to be appended to /etc/profile or to the relevant ~/.bash_profile per user.
# Appended to /etc/profile (or ~/.bash_profile): mail a report of every session
# currently shown by who, with whois and reverse (PTR) lookups for each remote source.
# grep "(" keeps only sessions that carry a "(host)" field, so a local console
# login does not feed a bare tty name into whois and dig.
echo -e "$(hostname) shell access\n$(date)\n$(who)\n\
$(for i in $(who|grep "("|cut -d"(" -f2|cut -d")" -f1|cut -d":" -f1|sort -u);
do echo -e "==========\nwhois $i"; whois $i;
echo -e "\n=====\nreverse $i"; dig -x $i;
done;)" | \
mail -s "$(hostname) alert: shell access from \
$(who|grep "("|cut -d"(" -f2|cut -d")" -f1|cut -d":" -f1|tr "\n" " ")" \
'youremail@domain.com'
The changes are the addition of whois and reverse-IP (DNS PTR) lookups for every address currently logged in via SSH, and the use of the more readable $() Bash command substitution in place of backticks (`).
You will need to have the mailutils package installed (apt-get install mailutils), and probably an MTA such as postfix or exim too.
HTH.
Edit 30 Apr 2012: small bug fix in the sequence to extract all IPs from the who command output.
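A more defensive variant of the script above, added here as an example (it is not the post's own code): the who parsing is split into a function that can be tested on constructed input, local console and X-display sessions are skipped, IPv6 sources are not mangled by cut -d":", and the slow whois/dig lookups run in the background so the login shell is not held up. The sample who output and the recipient address passed to send_login_alert are assumptions.

```bash
#!/bin/bash
# Added example, not the post's script: a more defensive login alert.
# remote_sources() is the only part that needs no network, so it is the
# part the constructed sample below exercises.

# Constructed sample `who` output (not captured from a real host).
SAMPLE_WHO='alice    pts/0        2012-04-30 10:01 (203.0.113.5)
alice    pts/1        2012-04-30 10:03 (203.0.113.5)
bob      pts/2        2012-04-30 10:05 (client.example.net)
dave     pts/4        2012-04-30 10:06 (2001:db8::10)
root     tty1         2012-04-30 09:50
eve      pts/3        2012-04-30 10:07 (:0)'

# Read who-style lines on stdin; print each remote source once, one per line.
# Only a trailing "(...)" field counts: local ttys (no field) and local X
# displays such as "(:0)" are dropped. The value is kept whole, so an IPv6
# source is not cut off at its first colon.
remote_sources() {
    sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p' \
        | grep -v '^:' | grep -v '^$' | LC_ALL=C sort -u
}

# Build the alert body: host, date, the full who table, then whois and a
# PTR lookup for each remote source (skipped if the tool is not installed).
alert_body() {
    local src
    printf '%s shell access\n%s\n%s\n' "$(hostname)" "$(date)" "$(who)"
    for src in $(who | remote_sources); do
        printf '==========\nwhois %s\n' "$src"
        command -v whois >/dev/null && whois "$src"
        printf '\n=====\nreverse %s\n' "$src"
        command -v dig >/dev/null && dig -x "$src"
    done
}

# Mail the alert to $1 from a background subshell so the interactive
# login continues while whois/dig (which can take seconds) run.
send_login_alert() {
    local to="$1" subj
    subj="$(hostname) alert: shell access from $(who | remote_sources | tr '\n' ' ')"
    ( alert_body | mail -s "$subj" "$to" ) >/dev/null 2>&1 &
}
```

Source it from /etc/profile or ~/.bash_profile and call send_login_alert 'youremail@domain.com' (assumed address) at the end of the file.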
Giving back
Script kiddy. Tool hacker. Tool maker.
In the various infosecurity circles, it is not uncommon to see various people and organizations contributing to community: be it in the form of knowledge/HOWTOs, or discussions, or tools written and released.
While commercial offerings (courses, products, solutions) have their place, it is pretty much the case everywhere that most people get started on, and maintain, their training and equipping in the "open source"/free realm.
As a sysadmin turned webappsec ethical hacker turned DFIR geek, the situation is very much the same too. Much of what I know came thanks to those who shared selflessly with the community.
I'm very much a tools kind of person, which is also why I see the scale as running from those who only use (i.e. leech) to those who know enough to modify or add on to existing tools, to those who get their hands dirty implementing the tools they envisioned themselves. This is also one of the scales along which I would want to progress professionally: from one who feeds/leeches off the feeders, to eventually feeding the community.
At what stage am I at now? Probably the "tool hacker" kind of stage, although I've been leeching too much of late! Time will tell if I move (up or down this scale), or if priorities change altogether. But whichever the case, it should always hold true that we need to give back to community with our work. And what better way than to start off by giving back the same way we learnt the ropes ourselves?
Definitions
Quoting from Anton Chuvakin's slides in his presentation in 2006 at FIRST:
Log analysis is (the) trying to make sense of system and network logs.
Computer forensics is (the) application of the scientific method to digital media in order to establish factual information for judicial review.
So...
Log forensics is (the) trying to make sense of system and network logs, in order to establish factual information for judicial review.
Makes sense; maybe I've been googling for the wrong keywords all this time! Until lately, I've been looking at this field largely from a data mining viewpoint.