
Thread: Run script on failed login attempt

  1. #1
    Join Date
    Jun 2010
    Beans
    38

    Run script on failed login attempt

    I have a simple bash script that takes a picture of the user with my webcam. I want it to run when a login attempt fails.

    I understand messing with the login is a terrible security risk...
    But I want to know, is it possible?

  2. #2
    Join Date
    Jan 2008
    Location
    Argentina
    Beans
    755
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Run script on failed login attempt

    Interesting question. I am watching the thread.

    I also have another approach. Maybe it is easier to just take a pic of whoever tries to log in.
    Putting your script before the login attempt would almost surely prove easier than running it after a failed attempt.
    AMD Phenom II X3 720 Black Edition 2,8 GHz - GIGABYTE GA-MA770T-UD3P - 6 GB RAM Mushkin DDR3 1333 - ZOTAC GeForce 9800 GT 1 GB DDR3

  3. #3
    Join Date
    Jan 2010
    Location
    Australia
    Beans
    544
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Run script on failed login attempt

    You could set up a script to run on boot which checks /var/log/auth.log every 5 seconds or so.

  4. #4
    Join Date
    Jun 2010
    Beans
    38

    Re: Run script on failed login attempt

    "script to run on boot which checks /var/log/auth.log every 5 seconds"
    I was thinking of something like the log checker but I figured since there is already an event [failed login] I could try and tap into that.

    "Maybe it is easier to just take a pic of whoever tries to log in"
    This would work for an initial login attempt but I also want it to take a picture of failed logins after I lock my screen.

    Thank you for the feedback and the quick responses.

  5. #5
    Join Date
    Jun 2010
    Beans
    38

    Re: Run script on failed login attempt

    I took everyone's suggestions and threw this script together.
    I needed to install 'gstreamer' and to change auth.log permissions to 666 for it to work.

    To prevent the script from just looping until more logs are dumped into 'auth.log' I have the echo \n\n\n... line.
    I hate it, if anyone has a better idea please let me know.

    Also, as you can see caps 1 and 2 are just deleted. This is because my camera needs a second or two to kick on (I guess) and the first two pics are either black or garbled.


    Code:
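    #!/bin/bash
    # Poll auth.log and grab webcam stills when a recent line contains "fail".

    cd /home/USER/Pictures/Webcam/ || exit 1
    LOG="/var/log/auth.log"

    while true
    do
        TIMESTAMP=$(date +%R.%S-%B-%d)
        # Count matching lines among the last 10 lines of the log
        TRIGGER=$(tail "$LOG" | grep -c "fail")
        if [ "$TRIGGER" -gt 0 ]
        then
            # Capture 10 frames at 1 fps as cap00.jpeg .. cap09.jpeg
            streamer -t 10 -r 1 -s 640x480 -o cap00.jpeg > /dev/null

            # Keep frames 03-07; the earlier frames are discarded
            cp cap03.jpeg "$TIMESTAMP 1.jpg"
            cp cap04.jpeg "$TIMESTAMP 2.jpg"
            cp cap05.jpeg "$TIMESTAMP 3.jpg"
            cp cap06.jpeg "$TIMESTAMP 4.jpg"
            cp cap07.jpeg "$TIMESTAMP 5.jpg"
            rm cap*
            # Push the matched lines out of tail's 10-line window so the loop does not re-trigger
            echo -e "\n\n\n\n\n\n\n\n\n\n" >> "$LOG"
        fi
    done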
    If anyone has any better ideas, or knows how to incorporate it into my original question [Run script on failed log attempt] (i.e. without a constantly running while loop), please post.

  6. #6
    Join Date
    Jan 2008
    Location
    Argentina
    Beans
    755
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Run script on failed login attempt

    I have another idea.

    /var/log/auth could be watched with inotify for changes.

    You would need a startup script at boot, for inotify.
    This would then call on your webcam script every time the log gets modified.

    If you use the 2 scripts approach, the first one would be good for anyone wanting to run a script at failed logon.

    EDIT: this probably helps, but I am no good at C...

    http://ik.homelinux.org/index.rhtml/projects/c/inotify
    Last edited by bruno9779; June 14th, 2010 at 08:15 PM.

  7. #7
    Join Date
    Jan 2008
    Location
    Argentina
    Beans
    755
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Run script on failed login attempt

    I have also found this:

    http://pwet.fr/man/linux/administration_systeme/famd

    but it also involves system calls.


    This is yet another approach, using stat:

    http://nixcraft.com/shell-scripting/...te-script.html
    Last edited by bruno9779; June 14th, 2010 at 08:34 PM.

  8. #8
    Join Date
    Jun 2010
    Beans
    38

    Re: Run script on failed login attempt

    Update:
    I did run into a few strange problems after incorporating this script. My virtual box 'ose... something or other' would fail to start and some other emulation devices would freeze at odd intervals. To fix this I added a "sleep 1" after the "while true ; do".
    This drastically dropped the PC usage %'s and solved the Vbox and other issues while still doing its job.

    Since no one has touched this thread in about 2 weeks I will just figure this solution is the best solution ( does anyone else smell a challenge? ).
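
An added example, not code from any poster in this thread: the log-watching idea from posts #3 to #8 written as a line-by-line follower, so it needs no busy loop, no newline padding and no write access to auth.log. The failure patterns, the cooldown, the `on_failure` placeholder and the sample lines are assumptions constructed for illustration; it also assumes the account running it can read the log.

```shell
#!/bin/bash
# Added example: reads auth.log lines on stdin and runs a handler once per
# burst of failures. Patterns, names and sample lines are assumptions.
COOLDOWN=${COOLDOWN:-10}      # seconds to ignore further failures after a capture

is_auth_failure() {           # true for typical PAM / sshd / login failure lines
    case "$1" in
        *"authentication failure"*|*"Failed password"*|*"FAILED LOGIN"*) return 0 ;;
        *) return 1 ;;
    esac
}

on_failure() {                # placeholder handler: put the webcam command here
    printf 'capture triggered by: %s\n' "$1"
}

watch_failures() {            # usage: tail -n 0 -F /var/log/auth.log | watch_failures
    local line last=0 now
    while IFS= read -r line; do
        is_auth_failure "$line" || continue
        now=$(date +%s)
        # Rate limit: one capture per burst, so repeated attempts cannot flood the disk
        [ $((now - last)) -lt "$COOLDOWN" ] && continue
        last=$now
        on_failure "$line"
    done
}

sample_lines() {              # constructed log lines, not taken from a real system
    cat <<'EOF'
Jun 14 20:01:02 host gdm-session-worker[1234]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Jun 14 20:01:05 host sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Jun 14 20:01:09 host sshd[2222]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2
EOF
}

# Demo on the constructed lines; with the default cooldown only the first failure triggers
sample_lines | watch_failures
```

Because `read` blocks until `tail -F` delivers a new line, the loop uses no CPU while the log is quiet, and `-n 0` starts at the end of the file so old failures are not replayed.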

  9. #9
    Join Date
    Jun 2010
    Beans
    38

    Re: Run script on failed login attempt

    I guess this is the best we can do.




    [Solved]

  10. #10
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Run script on failed login attempt

    The only way to do this properly is to hook it into PAM.
    PAM already processes the failed login attempt by reporting it in the log.

    I looked into this a bit and found an elegant way to do it.

    Edit the /etc/pam.d/common-auth file and insert this line immediately before the line with pam_deny.so module,

    auth [default=ignore] pam_exec.so seteuid /usr/bin/grab

    Now edit the two lines above (pam_unix and pam_winbind) and change the success=2 to success=3 and likewise success=1 to success=2. This has it skip an extra line when auth is successful. So it skips our script.

    That's it. Make a script /usr/bin/grab to do what you want when login fails.

    I used ffmpeg since I had that already and this is mine,

    Code:
    #!/bin/bash
    # Called by pam_exec on a failed login: save 3 webcam frames to /tmp
    ts=$(date +%s)
    ffmpeg -f video4linux2 -s vga -i /dev/video0 -vframes 3 "/tmp/vid-$ts.%01d.jpg"
    exit 0
    Note it must return 0. Of course, you can have it do whatever.
    It would be good to save a short video actually.
    Last edited by BkkBonanza; September 10th, 2010 at 01:05 PM.
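
An added example, not part of the post above: the edit described in post #10 as a filter that prints a patched copy of a common-auth stack for review instead of editing the file in place. It generalizes the "success=2 to 3, success=1 to 2" step to any jump that reaches pam_deny.so; the function names and the sample stack are constructed for illustration.

```shell
#!/bin/bash
# Added example: prints a patched copy of a common-auth stack; edits nothing in place.
HOOK='auth    [default=ignore]                pam_exec.so seteuid /usr/bin/grab'

sample_stack() {   # constructed input modelled on the stack the post describes
    cat <<'EOF'
# primary modules
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so try_first_pass
# fallback if no module succeeds
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
}

patch_common_auth() {   # usage: patch_common_auth < common-auth > common-auth.new
    awk -v hook="$HOOK" '
        { line[NR] = $0 }
        # PAM counts only module lines when jumping, not comments or blanks.
        $0 !~ /^[ \t]*(#|$)/ {
            mod[NR] = ++n
            if (!deny && $0 ~ /pam_deny\.so/) deny = n
            if ($0 ~ /pam_exec\.so.*\/usr\/bin\/grab/) done = 1   # already patched
        }
        END {
            if (!deny) { print "no pam_deny.so line found" > "/dev/stderr"; exit 1 }
            for (i = 1; i <= NR; i++) {
                l = line[i]
                if (!done && mod[i] == deny) print hook
                # success=N on module m skips modules m+1..m+N; if that span
                # reaches pam_deny it must grow by one to skip the hook too.
                if (!done && mod[i] && mod[i] < deny && match(l, /success=[0-9]+/)) {
                    k = substr(l, RSTART + 8, RLENGTH - 8) + 0
                    if (mod[i] + k >= deny)
                        l = substr(l, 1, RSTART - 1) "success=" (k + 1) substr(l, RSTART + RLENGTH)
                }
                print l
            }
        }'
}

# Demo on the constructed stack
sample_stack | patch_common_auth
```

Diff the output against the live file and keep a root shell open while testing, since an off-by-one in a `success=` count either runs the hook on every login or sends a successful login to pam_deny.so.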
