Skip to content

thereisnotime/xxWatchTower

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
README.md
README.md
 
 
xxWatchTower.sh
xxWatchTower.sh
 
 

Repository files navigation

xxWatchTower

Description

Linux SSH and TTY monitoring & alerting tool. It sends email each time somebody uses SSH or TTY connection. Uses Pluggable Authentication Modules (PAM) rules to detect common-session and sudo events, after that sends all the information (user IP, date, process, type of connection etc.) via sendemail to a specified email address.

Installation

  • WARNING: The current public version of the script installs the PAM rules in /etc/pam.d/common-session and /etc/pam.d/sudo. It should not create any problems, but if it does - please open an issue here.

Easy oneliner for installation with wget:

wget https://raw.githubusercontent.com/thereisnotime/xxWatchTower/master/xxWatchTower.sh -O /tmp/xxWatchTower.sh && chmod +x /tmp/xxWatchTower.sh && /tmp/xxWatchTower.sh && rm /tmp/xxWatchTower.sh

Easy oneliner for installation with curl:

bash <(curl -s https://raw.githubusercontent.com/thereisnotime/xxWatchTower/master/xxWatchTower.sh)

Dependencies

Currently the script depends only on the package manager (apt) and few internals, which get installed with the script:

sendemail

Compatability

The should work on most Linus distributions and has been tested on the following:

Debian 7 x64
Debian 7 x86
Debian 8 x64
Debian 8 x86
Debian 9 x64

Automation

The script can be configured manually or by passing exactly 6 arguments to it:

./xxWatchTower.sh SCRIPTFILENAME EMAILFROM EMAILTO SMTPSERVER SMTPUSERNAME SMTPPASSWORD

Or download + install + configure oneliner:

wget https://raw.githubusercontent.com/thereisnotime/xxWatchTower/master/xxWatchTower.sh -O /tmp/xxWatchTower.sh && chmod +x /tmp/xxWatchTower.sh && /tmp/xxWatchTower.sh SCRIPTFILENAME EMAILFROM EMAILTO SMTPSERVER SMTPUSERNAME SMTPPASSWORD && rm /tmp/xxWatchTower.sh

SCRIPTFILENAME - the full location where you want the script to be installed. EMAILFROM - best to use the SMTPUSERNAME one to avoid spam filtering. EMAILTO - the email which will receive the notifications. SMTPSERVER - for sending the notifications. SMTPUSERNAME - for authorization. SMTPPASSWORD - for authorization.

  • Note: Do not forget to use the right quotes if your input has special symbols.

Uninstall

To remove xxWatchTower use the following commands:

tmp=$(cat "/etc/pam.d/sudo")
tmp2=$(echo $tmp | grep -o -P '(?<=pam_exec.so ).*(?=#ENDXXWATCHTOWER)')
SCRIPTFILENAME=$tmp2
declare -a FILEARRAY=("/etc/pam.d/common-session" "/etc/pam.d/sudo")
for CURRENTFILE in "${FILEARRAY[@]}"
do
    if grep -q "#XXWATCHTOWER" "$CURRENTFILE"; then
        echo "Rule detected in: $CURRENTFILE"
        sed -i '/#XXWATCHTOWER/,/#ENDXXWATCHTOWER/g' "$CURRENTFILE"
        sed -i -e :a -e '/^\n*$/{$d;N;};/\n$/ba' "$CURRENTFILE"
        echo "Removed rule from $CURRENTFILE."
    fi
done
if [ -f "$SCRIPTFILENAME" ] ; then
    echo "Deleting script at: $SCRIPTFILENAME"
    rm "$SCRIPTFILENAME"
fi
echo "Done."

About

Linux SSH and TTY login monitoring & alerting tool.

Topics

linux security monitoring debian linux-shell bash-script security-automation security-tools

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages