How to Monitor Root Logins with GoogleTalk


Sometimes you just want to know who is doing what. Like, for instance, if someone logs in as root on one of your systems… and it isn’t you.

Installing a script that sends an alert to your Google Talk IM whenever somebody logs in as root is about as inexpensive as a monitoring system can be. This article provides a step-by-step guide, as tested on CentOS 4 and 5.

First, create a Google Talk account for your alert script to use. You are going to need an account that is used only to send messages from. You can use one account for all of your boxes or one account per box, depending on how much you need to monitor. For now, let’s call the account [your-alert-account address], and its password will be passwordxxxyyy.

For this task, you’re going to need a chat client that can be driven from a script. With that in mind, let’s use freetalk, which is primarily a command-line Google Talk client. Before you grab the code to install it, be sure you have the required dependent packages installed:

yum install readline readline-devel guile* glib* loudmouth*

Now, create a temp directory somewhere and get freetalk. Once the tarballed code is downloaded and extracted, run the usual trinity of commands to build the app:

./configure
make
make install

You should now have freetalk installed. If you check the examples provided with this application, you can see that it is scriptable enough for us to play with it.

Create a file called sendWarning.ft (or whatever you want to call it) and enter the following:

#!/usr/local/bin/freetalk -s
!#

; file: sendWarning.ft
; Logs in as the alert account and sends a one-line warning to your
; personal Google Talk account. Both addresses below are placeholders.

;;; Example:
; chmod +x sendWarning.ft
; ./sendWarning.ft

(ft-set-jid! "your-alert-account@gmail.com")      ; account the script sends from
(ft-set-server! "talk.google.com")
(ft-set-password! "passwordxxxyyy")
(ft-set-sslconn! #t)

(if (ft-login-blocking)
    (begin
      (ft-send-message "your-personal-account@gmail.com"   ; account that receives the alert
                       "Root Login on aaa.bbb.ccc.ddd")
      (ft-disconnect))
    (display "Could not connect\n"))

Replace the two placeholder addresses with your account information: the first is the JID of the alert account the script logs in as, the second is the personal Google Talk account that should receive the warning. Replace aaa.bbb.ccc.ddd with the IP address of the box you want to monitor. Save the sendWarning.ft file. Because it holds the alert account’s password in plain text, keep it owned by root with mode 700 so other local users cannot read it.

Open /root/.bash_profile and add this line:

/path/to/scriptabove/sendWarning.ft

Save .bash_profile.

The next time the root user logs in on the monitored server, the sendWarning script will send a message to your personal Google Talk account. Note that .bash_profile is read only by interactive login shells (ssh, the console, su -), so a non-interactive ssh command or a plain su without the dash will not trigger the alert.
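One practical refinement, added here as an example and not part of the original article: because the script calls ft-login-blocking, a slow or unreachable talk.google.com would hold up the root login shell, and the fixed message says nothing about where the login came from. The wrapper below (sourced from .bash_profile instead of running sendWarning.ft directly) records host, tty and client address in syslog, then fires the freetalk script detached in the background. The script path is an assumed placeholder.

```shell
#!/bin/sh
# root-login-alert.sh: sourced from /root/.bash_profile, e.g.
#   . /usr/local/sbin/root-login-alert.sh; alert_root_login
# Assumed location of the article's freetalk script (placeholder, adjust it).
ALERT_SCRIPT=${ALERT_SCRIPT:-/usr/local/sbin/sendWarning.ft}

# Build a one-line summary from host, tty and SSH_CONNECTION, whose first
# field is the client address ("client_ip client_port server_ip server_port").
# A login without SSH_CONNECTION (console, su -) is reported as local.
root_login_summary() {
    login_host=$1; login_tty=$2; conn=$3
    if [ -n "$conn" ]; then
        set -- $conn          # intentional word splitting on the four fields
        from=$1
    else
        from="local console or su"
    fi
    echo "Root login on $login_host tty $login_tty from $from"
}

# Alert only from interactive shells (the case .bash_profile covers);
# takes the shell's $- flags and returns 0 when an alert is due.
should_alert() {
    case $1 in *i*) return 0 ;; *) return 1 ;; esac
}

alert_root_login() {
    should_alert "$-" || return 0
    summary=$(root_login_summary "$(hostname)" "$(tty 2>/dev/null)" \
                                 "${SSH_CONNECTION:-$SSH_CLIENT}")
    # Local record first: it survives even when the IM path is down.
    logger -p auth.notice -t root-login-alert "$summary"
    # Run the freetalk script detached, so a hung ft-login-blocking
    # cannot delay or block the login session.
    if [ -x "$ALERT_SCRIPT" ]; then
        ( "$ALERT_SCRIPT" >/dev/null 2>&1 & )
    fi
}
```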

Next time, we will see how to achieve the same results with PHP on the command line.