Checking Logins

Checking Logins

It’s always a concern, when you’ve got an open pipe to the ‘net, as to who’s trying to access your machine. It’s good to take a look at logins periodically, just so you’re aware of any unusual attempted or successful logins to your system.

Today’s tweak is a quick script that checks logins on your system and emails the results directly to you. The script itself is pretty simple, as is it’s execution:

#!/bin/sh

DATE = `/usr/bin/date +%Y%m%d`

last -n 30 | mail tony@localhost -s “$DATE Login Report”

That’s a pretty simple script, really. First, you set a variable named DATE, using the output from the /usr/bin/date command. Further, this output is formatted [+%Y%m%d] to show the date in the YYYYMMDD format. Then, the last command is executed. Last returns all logins since the wtmp file was created. wtmp logs logins to the system. In this script, we execute last using the -n option - “show me only the last n logins” followed by the number of logins you want to see. This output is sent as input to the mail program, which sends an email containing the results of last -n 30 to the tony account on the local machine. Finally, the subject line of the email [-s] will contain the current DATE variable and the string “Login Report.” An email sent today would have a subject line of “20020529 Login Report”.

This command or a reference to the script can be entered into crontab to run automatically each day. With that additional step, you’ll receive an email each morning in your inbox reporting on the last 30 logins to your machine. It’s not perfect, but it’s a good way to keep a high-level eye on use of your system.