A Few Security Question 3

Status
Not open for further replies.

Germo

Technical User
Mar 29, 2004
123
GB
Hi All,

I wonder if you can help with a few security questions

1. I want to log all users on our system whose ids start with "rtops" logging in and out. I can't figure out how I can do this, but any help from you would be great.

2. The message you get when FTPing from one server to another... where is this held, and can it be amended? A bit like the /etc/motd text file when you telnet to a server.

Thanks
 
2. Edit /etc/ftpaccess.ctl and add
herald: /etc/motd

Stop and start ftpd

1. Do you want to just log an entry every time the user logs in and out? You can use the syslog.



"If you always do what you've always done, you will always be where you've always been."
 
Thanks,

Do I create the /etc/ftpaccess.ctl if there isn't one present? If so, does it only have to have the herald parameter in it?

 
I had to create this on almost all my servers.

You can put in other options for added security.
If you have man pages installed, check man ftpd for some of the other options.


"If you always do what you've always done, you will always be where you've always been."
 
Thanks for that.

In reference to the logging question, I want to track down and log every time the rtops??? ids log in and out, as these ids shouldn't be logging onto this certain server. I am not bothered about other ids at the moment.

Thanks
 
We've had to do this with developers on prod servers. Eventually we put login time restrictions on their accounts to prevent them from coming in.
Previously, we added a script to /etc/profile that sent out a mail whenever a matching user id logged in.

If they come in via SSH, syslog will be reporting this already and you can put a wrapper script to read this and report if there is a user id match.

I'm not sure if there is another better way of doing this using an AIX built-in function.



"If you always do what you've always done, you will always be where you've always been."
 
If you put this in /etc/profile, right after the
readonly LOGNAME
line:

Code:
case "${LOGNAME}" in
 rtops*)
  # first rtops login creates the log; it has to stay writable by the rtops ids
  if [ ! -f /tmp/rtops.log ]
  then
   touch /tmp/rtops.log
   chmod 666 /tmp/rtops.log
  fi
  echo "${LOGNAME} logged in on $(date)" >>/tmp/rtops.log
  # signal 0 = shell exit, so the logout line is written when the login shell ends
  trap 'echo "${LOGNAME} logged out on $(date)" >>/tmp/rtops.log; exit' 0
  ;;
 *)
  ;;
esac

you'll get the rtops??? login and logout date/times in /tmp/rtops.log:

rtops01 logged in on Thu Sep 8 09:08:23 2005
rtops01 logged out on Thu Sep 8 09:08:28 2005

You can use a different log directory, but it has to be writable by the rtops??? users, so it is not hack-proof.

Also check the man page for date to format date/time differently.

Note: as you are modifying /etc/profile, stay logged in on one session while you experiment with logging in/out on another session. If you typed in an error, it will be easier to correct it from the session you still have open if you cannot log in on another session anymore...

HTH,

p5wizard
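An added example, not p5wizard's code and not part of the original thread: the same `case` match on LOGNAME, but with the login and logout records sent to syslog through `logger` (the syslog route mentioned earlier in the thread) instead of a file in /tmp that the rtops ids themselves can edit. It assumes AIX `logger` accepts `-p` and `-t`, that syslogd routes auth.info to a root-owned file (site configuration, not shown), and the tag name `rtops-audit` is made up for the example.

```shell
#!/bin/sh
# Added example: record rtops* logins/logouts via syslog from /etc/profile.
# Assumptions: logger supports -p/-t; /etc/syslog.conf sends auth.info to a
# root-owned file; the tag and prefix below are illustrative values.

WATCH_PREFIX="rtops"      # id prefix to watch (from the thread's question)
AUDIT_TAG="rtops-audit"   # syslog tag, made up for this example

# rtops_is_watched USER -> exit 0 when USER starts with WATCH_PREFIX
rtops_is_watched() {
  case "$1" in
    "${WATCH_PREFIX}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# rtops_audit_message USER EVENT TTY -> one-line record, kept deterministic
# so it can be checked; date/host come from syslogd itself
rtops_audit_message() {
  printf 'user=%s event=%s tty=%s' "$1" "$2" "$3"
}

# logout record: installed as the EXIT (signal 0) trap of the login shell
rtops_audit_logout() {
  logger -p auth.info -t "${AUDIT_TAG}" \
    "$(rtops_audit_message "${LOGNAME}" logout "${RTOPS_TTY}")"
}

# rtops_audit_hook: call once from /etc/profile, after the "readonly LOGNAME" line
rtops_audit_hook() {
  rtops_is_watched "${LOGNAME}" || return 0
  RTOPS_TTY=$(tty 2>/dev/null) || RTOPS_TTY=unknown
  logger -p auth.info -t "${AUDIT_TAG}" \
    "$(rtops_audit_message "${LOGNAME}" login "${RTOPS_TTY}")"
  trap rtops_audit_logout 0
}

# rtops_audit_hook    # uncomment this line when the file is sourced by /etc/profile
```

The login record is the reliable one here: it is written before the user gets a prompt and lands in a file the rtops ids cannot touch. The logout record, like the /tmp version, still runs inside the user's own shell (a `trap - 0` cancels it), so wtmp remains the authoritative source for session end times.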
 

Hi Germo!

If I get your point, you need the login/logout times of usernames beginning with rtops.

This information is well contained in the wtmp database. You can use the fwtmp command to extract data from it to ASCII format; then you can handle it easily from any script.

--Trifo

 
Thanks p5wizard,

That has done the trick, just what I wanted.

All I have to figure out now is how to set up the parameters in the /etc/ftpaccess.ctl file so that when users ftp to a server the message they get isn't

#####################################################
--> ftp servername
Connected to servername.
220 servername FTP server (Version ?.?.? Thu Sep 12 23:46:23 CDT 2002) ready.
Name (servername):
#####################################################

but more like

#####################################################
Connected To A Security Server.
220 FTP server (Thu Sept 12 23:46:23 CDT 2002)ready
Name :
#####################################################

Thanks

 
Trifo,

IMHO wtmp only stores login times, not logout times. Hence the script I provided.



HTH,

p5wizard
 
p5wizard

wtmp captures the login and logout time per user connection and shows the duration of the session. The only time it does not output logout time is if the user is still logged in. I added the script below to root's cron so it is processed every night before wtmp is cleaned out. This is used as a backup to system auditing.

Code:
#!/bin/ksh
# Created 04/25/2005 by needcoffee
# Script to capture wtmp log file before it is cleared by nightly log cleanup
# and append the output to a secure logfile with time/datestamp.
# 04/26/2005 -nc: Changed destination path, added var endstamp, added command
# to append endstamp to end of daily last capture.
# Run from root's crontab before the nightly wtmp cleanup; "print" is a ksh builtin.

# Get date for logname (e.g. Sep92005)
today=`date | awk '{print $2$3$6}'`

# Get date for end time/date stamp (month day year time zone)
endstamp=`date | awk '{print $2,$3,$6,$4,$5}'`

# Process wtmp log and create readable log for everyday

/usr/bin/last > /auditdir/audit/lastlogs/lastlog$today.txt
print "wtmp ends      $endstamp" >> /auditdir/audit/lastlogs/lastlog$today.txt
# root-only read access; the directory itself is also restricted to root
/usr/bin/chmod 400 /auditdir/audit/lastlogs/lastlog$today.txt

Only root has access to read the files and only root has access to /auditdir.

Germo,
You could easily use grep or sed to capture just the ids you are looking for.

Good Luck,
[morning] needcoffee
 
Needcoffee,

Care to enlighten me? User user01 telnetted for about 5 seconds and then again for about 1 minute.

Code:
# /usr/sbin/acct/fwtmp <wtmp | tail -500|grep -v ' rsh'
         pts/1     pts/1    6 75164 0000 0000 1126247947 loopback     Fri Sep  9 08:39:07 DFT 2005
user01   pts/1     pts/1    7 75164 0000 0000 1126247954 loopback     Fri Sep  9 08:39:14 DFT 2005
         pts/1     pts/1    8 75164 0000 0000 1126247971              Fri Sep  9 08:39:31 DFT 2005
         pts/1     pts/1    6 75166 0000 0000 1126247973 loopback     Fri Sep  9 08:39:33 DFT 2005
user01   pts/1     pts/1    7 75166 0000 0000 1126247984 loopback     Fri Sep  9 08:39:44 DFT 2005
         pts/1     pts/1    8 75166 0001 0000 1126248044              Fri Sep  9 08:40:44 DFT 2005

(I condensed the output a bit to get the text records on one line.)


p5wizard (not acctwizard ;-))
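An added example, written for this thread and not code from needcoffee or p5wizard: it reads fwtmp-style ASCII output like the records above and pairs each type 7 (USER_PROCESS, login) record with the type 8 (DEAD_PROCESS, logout) record carrying the same pid, which is exactly how `last` derives the session duration. Filtering on a user prefix covers needcoffee's "grep for the ids" suggestion, and a login with no matching type 8 record is reported as still logged in. The sample records are constructed for the example (the user01 lines follow the thread's output; the rtops lines are made up), and the column layout assumed is the condensed one p5wizard posted.

```shell
#!/bin/sh
# Added example: pair fwtmp login (type 7) and logout (type 8) records by pid
# and report session length in seconds for ids matching a prefix.

# Constructed sample in the condensed fwtmp layout shown in the thread:
# user id line type pid term exit epoch host date
SAMPLE_WTMP='         pts/1     pts/1    6 75164 0000 0000 1126247947 loopback     Fri Sep  9 08:39:07 DFT 2005
user01   pts/1     pts/1    7 75164 0000 0000 1126247954 loopback     Fri Sep  9 08:39:14 DFT 2005
         pts/1     pts/1    8 75164 0000 0000 1126247971              Fri Sep  9 08:39:31 DFT 2005
rtops01  pts/2     pts/2    7 75170 0000 0000 1126248000 loopback     Fri Sep  9 08:40:00 DFT 2005
         pts/2     pts/2    8 75170 0000 0000 1126248090              Fri Sep  9 08:41:30 DFT 2005
rtops02  pts/3     pts/3    7 75180 0000 0000 1126248100 loopback     Fri Sep  9 08:41:40 DFT 2005'

# wtmp_sessions PREFIX   (fwtmp output on stdin)
# prints: "<user> <login-epoch> <seconds>" or "<user> <login-epoch> still-logged-in"
wtmp_sessions() {
  awk -v prefix="$1" '
  {
    # The user column is empty on logout records, so whitespace splitting shifts
    # the fields. Anchor on the 10-digit epoch instead: the fields before it are
    # fixed (type is 4 back, pid is 3 back, user is 7 back when present).
    ep = 0
    for (i = 1; i <= NF; i++)
      if (length($i) == 10 && $i ~ /^[0-9]+$/) { ep = i; break }
    if (ep == 0) next
    type = $(ep - 4)
    pid  = $(ep - 3)
    user = (ep - 7 >= 1) ? $(ep - 7) : ""

    if (type == 7 && index(user, prefix) == 1) {
      login[pid] = $ep            # remember login time for this pid
      who[pid]   = user
    } else if (type == 8 && (pid in login)) {
      printf "%s %s %d\n", who[pid], login[pid], $ep - login[pid]
      delete login[pid]
      delete who[pid]
    }
  }
  END {
    # logins with no DEAD_PROCESS record yet: session still open
    for (p in login) printf "%s %s still-logged-in\n", who[p], login[p]
  }'
}

# Usage on a live system (not run here): /usr/sbin/acct/fwtmp < /var/adm/wtmp | wtmp_sessions rtops
printf '%s\n' "$SAMPLE_WTMP" | wtmp_sessions rtops
```

On the sample this prints `rtops01 1126248000 90` and `rtops02 1126248100 still-logged-in`; run with prefix `user01` it gives the 17-second telnet session from the thread's own records.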
 
Thanks - should have taken a closer look at NC's script...

HTH,

p5wizard
 