Skip to content
/ howler Public
forked from mricon/howler

Alert when users log in from new locations

License

Notifications You must be signed in to change notification settings

lfit/howler

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HOWLER

Get notified when users log in from new locations

Author: [email protected]
Date: 2012-11-07
Copyright: The Linux Foundation and contributors
License:GPLv3+
Version: 0.2

DECRIPTION

Did you ever want to be alerted when one of your users suddenly logged in from somewhere else other than their customary location? E.g. if Bob suddenly logged in from Australia, even though he usually logs in from Memphis? Because that's kinda sketchy, eh?

Having previously used this functionality via a proprietary security device that will remain unnamed, I decided to write this fairly simple script that relies on the GeoIP-City database to keep track of locations from where users log in, and alert me if they suddenly start logging in from elsewhere.

Is this mostly noise? Oh, sure. However, after the initial barrage of emails as users' locations are recorded, the alerts will stop arriving all the time and become more meaningful.

Example email:

This user logged in from a new location:

        User    : mricon
        IP Addr : 198.145.x.x
        Location: Portland, Oregon, US
        Hostname: myhost.kernel.org
        Daemon  : ssh2

Previously seen locations for this user:
        2012-11-08: Monteal, Quebec, CA
        2012-11-08: Cambridge, Cambridgeshire, GB
        2012-11-06: Barcelona, Catalonia, ES
        2012-11-06: Yekaterinburg, Sverdlovskaya Oblast, RU

INSTALLING

Just use the RPM. If you can't use the RPM, you can probably figure out where things go on your own. :) Yes, this section is TODO.

Note that for howler to be more useful than just announcing the country code, you'll need to download GeoLiteCity.dat. You can get it from maxmind.com for free (but it's not redistributable).

OPERATION

The only mechanism currently provided is via rsyslog. The default configuration works by sending all syslog strings coming from the 'sshd' daemon to howler-rsyslog-helper, which parses the info out of lines containing successful login information and sends that to howler.

Using rsyslog for this is sub-optimal, as it requires making an external exec call from the rsyslog process. If you have a lot of logins, this will probably interfere with rsyslog's operation and slow things down.

I will be adding Epylog support for Howler in the near future (for the 2 people in the world who use Epylog). This can probably be made to work via journal, too.

Other contributions are welcomed!

SUPPORT

Please use github project page https://github.com/mricon/howler to request support or features.

About

Alert when users log in from new locations

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 99.8%
  • Shell 0.2%