DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th June 2018
raindog308 raindog308 is offline
Fdisk Soldier
 
Join Date: Sep 2011
Posts: 67
Question Send email on login. How?

I have a system that serves as an ssh access point for my home network. It was a Linux system but I'm moving it to OpenBSD.

Only ssh is permitted and I am the only person who would login. In Linux, I used this technique so that an email was sent every time someone logged in:

http://blog.th-neumeier.de/2011/02/s...gin-using-pam/

Unfortunately, that relies on on PAM, which OpenBSD doesn't use.

I'm wondering how I can achieve the same thing in OpenBSD?

Some thoughts I've had:

- Maybe it's a better idea to have something watch the auth log or receives auth system logs and sends emails? Then of course I have to find that something and configure it.
- I honestly haven't spent a lot of time with syslog and could research to see if it can send email or call arbitrary scripts.
- I could do this as part of my user .profile or as part of /etc/profile

I'm sure some security graybeard will come along and tell me why this is all silly and not adding to my security and that's fine, too :-)
Reply With Quote
  #2   (View Single Post)  
Old 30th June 2018
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

My opinion if I understand you is:

Configure pf.conf to screen or filter users or source addresses using table.
You can limit login's from the network only or network and outside IP address's.
You can limit login's as well from certain users.

OpenBSD "suggests" that pf is the preferred method for filtering/screening than
using SSH.

Once set up in pf you can view log files as and when desired.

OpenBSD FAQ, man SSH, man SSHd, man pf should help you.

Also, take a look at setting up auto jobs in CRON if desired, if you don't use pf.

Last edited by frcc; 30th June 2018 at 12:21 PM. Reason: add info
Reply With Quote
  #3   (View Single Post)  
Old 30th June 2018
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by frcc View Post
OpenBSD "suggests" that pf is the preferred method for filtering/screening than
using SSH.
But how pf would differentiate between unsuccessful login attempt or successful login attempt?
I know pf can be used against port scanning and some resource exhausting behaviors of malicious bots, but does it know whether login was successful?
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #4   (View Single Post)  
Old 30th June 2018
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

Quote:
Originally Posted by e1-531g View Post
But how pf would differentiate between unsuccessful login attempt or successful login attempt?
I know pf can be used against port scanning and some resource exhausting behaviors of malicious bots, but does it know whether login was successful?
Depending on the posters intention (which i am not exactly clear on)

He can use the "log" syntax in Pf which will create a log for any
blocked/dropped/passed packet he chooses. Packet filtering would pre-emt
any SSH login attempt based on his filter rules.

Also, the "table" syntax can be used to quickly determine sources to
be accepted or rejected in route to an SSH port.

One can filter users in SSH but if I remember correctly OpenBSD recommends performing
filtering in Pf. Also, OpenBSD points to using "table" as the fastest method of looking up those
sources that one wishes to filter if that number is significant.

The user can then audit Pf logs/failed login attemps or some other means of audit such as a
script of some sort possibly using CRON.

One could also use host (allow deny) but again OpenBSD recommends using Pf as its perferred
method.

I apologize if I am not understanding the posters intent, but if I want to filter almost anything
it would start with Pf, logs, and system logs.

Last edited by frcc; 30th June 2018 at 07:04 PM. Reason: clarify and add to post
Reply With Quote
  #5   (View Single Post)  
Old 30th June 2018
PapaParrot's Avatar
PapaParrot PapaParrot is offline
parrot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472
Default

Maybe I am misunderstanding as well, but any way, I would look at
"login.conf"
Code:
 man login.conf
and then also the:
Code:
$ man motd
Quote:
MOTD(5) File Formats Manual MOTD(5)

NAME
motd - message of the day
Code:
# Authpf accounts get a special motd and shell
#
authpf:\
	:welcome=/etc/motd.authpf:\
	:shell=/usr/sbin/authpf:\
	:tc=default:
Instead of, or as well as displaying a welcome message, maybe a command to send a e-mail could be added ?

Does the OP know about the "last" command ?
Code:
man last
Quote:
LAST(1) General Commands Manual LAST(1)

NAME
last - indicate last logins of users, ttys, and hosts
=============
DESCRIPTION
The last utility will either list the sessions of specified users, ttys,
and hosts, in reverse time order, or list the users logged in at a
specified snapshot date and time in reverse time order. Each line of
output contains the user name, the tty from which the session was
conducted, any hostname, the start and stop times for the session, and
the duration of the session. If the session is still continuing or was
cut short by a crash or shutdown, last will so indicate.

The options are as follows:

-c Calculates the total time displayed and prints it after the
output.

-d date Specify the snapshot date and time. All users logged in at
the snapshot date and time will be reported. This may be used
with the -f option to derive the results from stored wtmp
files. When this argument is provided, all other options
except for -f and -n are ignored. The argument should be in
the form "[[[CC]YY]MMDD]hhmm[.SS]" where each pair of letters
represents the following:
I use it quite a bit to see who and when the last person to login to the server is/was. But I have never felt a need to have it (the system) send me a e-mail every time I or someone else logs in. How ever it might be possible to write some kind of script that sends the "snapshot" to a e-mail address , or something .
It sounds to me like that is all the OP wants, is that a e-mail is sent to them when someone does login, so for example if some one logged it as the admin, somehow, the OP would receive a e-mail showing that, but it still does not make much sense to me, if the OP is the only one that will be logging in, nobody else will be logging in, it does not make sense to me why they need a e-mail to tell them they logged in.
If the OP can clarify better exactly what it is they need or want to do, it would help.
====edited=====
I found this, but it is for Linux, how ever it does not require "PAM", : https://www.vultr.com/docs/enable-ss...ation-on-linux
Quote:
Open the file ~/.bashrc in a text editor.

Append the following lines:


Code:
IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")

echo 'Someone from '$IP' logged into '$HOSTNAME' on '$NOW'.' | mail -s 'SSH Login Notification' YOUR_EMAIL_ADDRESS
The other thing, for example on my system, I am using ksh, instead of bash, there is no "bash" on my system, but it seems to me like the script could be modified for csh or ksh, depending,... or maybe you do use bash ?
I just now found this, and am not even sure this is what the OP is actually wanting, it seems like it is, any way, I have not had a chance to try modifying the script, there may be someone more expert then me that could help there, if it is what the OP wants to do.
__________________
My best friends are parrots

Last edited by PapaParrot; 1st July 2018 at 05:34 PM. Reason: spelling, punctuation
Reply With Quote
  #6   (View Single Post)  
Old 1st July 2018
PapaParrot's Avatar
PapaParrot PapaParrot is offline
parrot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472
Default

Experimented with the script, ended up putting it in my ~/.profile and it seems to work,
I just tried on a "localhost" situation, and it does send me a e-mail notice:
/home/garry/.profile
Code:
# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
PS1='Enter your command: '
IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")
echo 'Someone from '$IP' logged into '$HOSTNAME' on '$NOW'.' | mail -s 'SSH Login Notification' garry@garry.garry.org
Quote:
from: garry <garry@garry.garry.org>
To: garry@garry.garry.org
Subject: SSH Login Notification

Someone from 127.0.0.1 logged into garry.garry.org on 30 Jun 2018, Sat 09:10:51 PM.
I am not positive this is what the OP is looking for though.
========== edit
I also tried it on my server, and used my regular e-mail address at a external e-mail service,
works great, sent me a e-mail, including the ip I logged in with.

Quote:
I'm sure some security graybeard will come along and tell me why this is all silly and not adding to my security and that's fine, too :-)
As far as security goes, it does nothing to improve security, if your security is good, you do not need to worry about any one besides you, or who ever is authorized logging in.
By the time you check your e-mail, who ever logged in would have done what they want to do and logged out again.
But any way, you would have a e-mail letting you know they logged in,... and you would then also know you had a security problem, it would be better just to make sure it is secure, and nobody else besides you can gain ssh access and login
__________________
My best friends are parrots

Last edited by PapaParrot; 1st July 2018 at 03:08 AM.
Reply With Quote
  #7   (View Single Post)  
Old 1st July 2018
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by frcc View Post
He can use the "log" syntax in Pf which will create a log for any
blocked/dropped/passed packet he chooses. Packet filtering would pre-emt
any SSH login attempt based on his filter rules.

Also, the "table" syntax can be used to quickly determine sources to
be accepted or rejected in route to an SSH port.
But IP address can:
1. change
2. be spoofed

IMHO granting access just by having IP address isn't enough. SSH uses cryptography to authenticate users.
PF is good for blocking port scanning, DoS or small DDoS attacks, though.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #8   (View Single Post)  
Old 1st July 2018
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

e1-531g
I agree SSH IS the place for authentication if the traffic can get there.
Yes IP, and users CAN be spoofed.

As yet, we are not clear on the posters intention.
Does he want to obtain info on SSH logins/attempts because he monitors firewall activity?
Does he want to monitor/limit/be notified of SSH traffic from LAN/NET?
Does he want to limit himself as the only SSH user excluding others from inside or outside LAN/NET?
Does he simply want an email for any/all SSH logins?

I don't know.

GaryR ---- nice thinking ( I learn here)

Anyway, one could simply open a terminal window, initiate Tcpdump showing live traffic on port 22 or any other or all.

my 2 bits

Last edited by frcc; 1st July 2018 at 12:37 PM. Reason: add and clarify
Reply With Quote
  #9   (View Single Post)  
Old 1st July 2018
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by GarryR View Post
As far as security goes, it does nothing to improve security, if your security is good, you do not need to worry about any one besides you, or who ever is authorized logging in.
By the time you check your e-mail, who ever logged in would have done what they want to do and logged out again.
But any way, you would have a e-mail letting you know they logged in,... and you would then also know you had a security problem, it would be better just to make sure it is secure, and nobody else besides you can gain ssh access and login
I don't think so. It's best to not be hacked, but nevertheless it is good to know somebody hacked your OS. Usually you can't prevent against all consequences of being pwned, but you can:
1. See how it was done
2. Reinstall or reimage OS to state before pwning taken place and harden OS/infrastructure against being pwned again using info gathered in previous action
3. Inform your customers, change their passwords or keys. General data protection regulation (for those who run a business in EU or process data of EU customers) actually requires to inform your customers.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase

Last edited by e1-531g; 1st July 2018 at 01:23 PM.
Reply With Quote
Old 1st July 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by e1-531g View Post
2. be spoofed
Quote:
Originally Posted by frcc View Post
Yes IP...
For UDP, yes. But for TCP, not quite. Packets might be injected by an attacker, but the attacker obtaining the response isn't possible without the attacker also being in control of a device along the response route path of the spoofed address.
Reply With Quote
Old 1st July 2018
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by jggimi View Post
For UDP, yes. But for TCP, not quite. Packets might be injected by an attacker, but the attacker obtaining the response isn't possible without the attacker also being in control of a device along the response route path of the spoofed address.
Also hijacking IP address/subnet at BGP level is going to work.
Maybe some MitM attacks when adversary and victim are on the same LAN network and LAN network is not well protected or at least monitored.
Anyway IP addresses provided by ISPs usually are changing from time to time, so in this case OP would need to allow not one, particular IP address but some subnet containing a lot of IP addresses.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
Old 1st July 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
...at BGP level...
That would then be "in control of a device along the response route path."
Reply With Quote
Old 1st July 2018
raindog308 raindog308 is offline
Fdisk Soldier
 
Join Date: Sep 2011
Posts: 67
Default

Quote:
Originally Posted by GarryR View Post
As far as security goes, it does nothing to improve security, if your security is good, you do not need to worry about any one besides you, or who ever is authorized logging in.
By the time you check your e-mail, who ever logged in would have done what they want to do and logged out again.
But any way, you would have a e-mail letting you know they logged in,... and you would then also know you had a security problem, it would be better just to make sure it is secure, and nobody else besides you can gain ssh access and login
Whether it improves security or not is a bit theoretical. It's more intrusion detection. If someone logs in, I get an email - I'd rather get an email and know I was hacked than never know.

Of course, there are other attack scenarios - nothing is a global silver bullet.

The specifics since I wasn't very clear:

- if you ssh to my home, you land on an OpenBSD ssh server. I do change the port my router forwards just to slow down how much garbage is logged from skiddies, though of course changing the port doesn't improve security per se.
- that server already has pf rules that only permit logins from certain systems on the Internet
- it only allows ssh keys, not passwords
- all other normal security measures: services turned off, good passwords, etc.

Adding email notification is a bit of icing.
Reply With Quote
Old 1st July 2018
PapaParrot's Avatar
PapaParrot PapaParrot is offline
parrot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472
Default

Ok, I understand, Does the script I showed do what you want ?

Or do you need something more, that shows anyone the logs in, not just as "you", but other users or services ?
In your first post you said it was just you ,
Quote:
Only ssh is permitted and I am the only person who would login. In Linux, I used this technique so that an email was sent every time someone logged in:

I have been doing some searches, and there is a lot of information, but what is not clear, exactly what you want the e-mail that gets sent to contain.
For example, if you want to get a e-mail notice , if and when someone logs in as root,
you can do that, but it opens a can of worms since there are services that the system uses, and they log in as root, you end up getting a huge amount of e-mails,....
I am not any expert at all, but if some expert wanted to help you configure the system to send e-mail notices, that can be done, however they would need a more clear description as to what the notices should contain.

Here are some links that might help you:
https://ftp.openbsd.org/pub/OpenBSD/...rtable/INSTALL
===========
https://en.wikipedia.org/wiki/BSD_Authentication
Quote:
BSD Authentication, otherwise known as BSD Auth, is an authentication framework and software API employed by OpenBSD and accompanying software such as OpenSSH. It originated with BSD/OS, and although the specification and implementation were donated to the FreeBSD project by BSDi, OpenBSD chose to adopt the framework in release 2.9. Pluggable Authentication Modules (PAM) serves a similar purpose on other operating systems such as Linux, FreeBSD and NetBSD.
======================
https://man.openbsd.org/authenticate.3
========================
https://man.openbsd.org/login_radius.8
==============
There is a lot more, use the keywords:
Code:
BSD auth for OpenBsd
In a search engine, you should get quite a few results.
__________________
My best friends are parrots
Reply With Quote
Old 2nd July 2018
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

Nice work/research GaryR
I like learning, and experiencing different ways of skinning the cat.
Hope the word "cat" didn't frighten the parrots!

Last edited by frcc; 2nd July 2018 at 10:11 AM. Reason: add to
Reply With Quote
Old 2nd July 2018
PapaParrot's Avatar
PapaParrot PapaParrot is offline
parrot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472
Default

I have been looking at this, https://serverfault.com/questions/32...messages-to-me

But there is some things I am not understanding:
Quote:
Notifications via syslogd(8)

On my OpenBSD server, I log and email important messages from my web applications, which use facility local1. Here is my /etc/syslog.conf to make it happen:
Code:
local1.err    /var/log/example.com
local1.err    |while read log; do echo "$log" | /usr/bin/mail -s SYSLOG me@example.com; done
I am not sure what the facility is, does that need to be created, or for example, using localhost, would it be "local0.err" ? The other thing :/var/log/example.com
What should "example.com" be, is that a file I create, using my host name as the file name ?
If it was me, I would want it to only send me the "authlog", and nothing else.
The "authlog" shows when ever anyone/anything succeeds logging in, so it seems like that would be a good one to receive by e-mail, to see when someone logged in.
How ever based on the example in the above link, it does not work for me.
__________________
My best friends are parrots

Last edited by PapaParrot; 2nd July 2018 at 03:08 PM.
Reply With Quote
Old 2nd July 2018
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

Quote:
Originally Posted by GarryR View Post
I am not sure what the facility is, does that need to be created, or for example, using localhost, would it be "local0.err" ?
Fortunately, you don't have to create the facility.

The facilities, such as local1, are pre-defined within the syslog system. A good place to start reading about them is the configuration file man page syslog.conf(5).

So, programs (often daemons) will use syslog to log various messages they have, and use the existing facilities to log to, at various logging levels which are used to distinguish the importance of the message. If the program is well-documented the man page (or other material) should explain what facility it uses and what kind of things it sends at a given level. Not all programs may do this clearly (they may after all not be part of the OS), in which case as user you have to do more detective work to find what you want.
Reply With Quote
Old 3rd July 2018
PapaParrot's Avatar
PapaParrot PapaParrot is offline
parrot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472
Default

Ok, thanks, I had looked at syslog.conf(5), but missed where it says about facilities but now I see it.
__________________
My best friends are parrots
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Best moment to send a port update albator OpenBSD Packages and Ports 26 9th May 2015 03:31 PM
Send Syslogd To External Host plexter OpenBSD General 2 18th July 2011 08:11 PM
send mails with postfix wesley OpenBSD Packages and Ports 1 18th August 2010 07:34 PM
send files to email milo974 OpenBSD General 7 1st September 2008 02:03 PM
Send email to all local users cajunman4life FreeBSD General 8 15th June 2008 10:52 AM


All times are GMT. The time now is 11:07 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick