Linux

Here I show you how to setup a MOTD to show some text upon any type of login. With the extra benefit of showing system information upon ssh connections (and loggin ssh connections). The later part with ssh (running the script that shows system info and logs the connection) requires it to be an ssh connection, because motd cant run script, so thats a fallback, if connecting via telnet you will not get the system info. But ubuntu has another way about it (read the note below)

NOTE: this might work with Ubuntu but I havent tested. I know ubuntu has a more advanced MOTD system that can be dynamic and run scripts. http://www.howtogeek.com/104708/how-to-customize-ubuntus-message-of-the-day/ Im sure there is a way to install the same updated motd package on debian if you tried.

Upon login Debian loads up the /etc/motd ascii text and shows it on the screen.

Then it will launch /etc/ssh/sshrc (unless a condition says otherwise, however most likely it will load this. here is a link that can help see what scripts launch on server and client side upon connections: http://askubuntu.com/questions/382485/ssh-how-to-force-execution-of-a-script-etc-sshrc-forcecommand-on)

/etc/motd should start off with a blank-newline, followed by your MOTD and then end with another blank line

Here is my MOTD:

cat /etc/motd

<put empty line here>
################################################
Welcome to the infotinks debian machine
Get the hell out of here if your not infotinks
Or you will be sued!
################################################
<put empty line here>

NOTE: above replace <put empty line here> with a simply empty line (a new line). It just looks better if that message is surrounded by empty lines. Trust me.

Here is my start up script which logs connections to /var/log/sshconn.log. The script is /etc/ssh/sshrc (it is run upon an ssh connection):

##########################
#### SSHCONN ANALYSIS ####
##########################

# each machine should have a global variable thats filled out by each ssh connection called SSH_CLIENT

CLIENTIP=`echo $SSH_CLIENT | awk '{print $1}'`
CLIENTSRCPORT=`echo $SSH_CLIENT | awk '{print $2}'`
CLIENTDSTPORT=`echo $SSH_CLIENT | awk '{print $3}'`

echo "[`date`|`date +%s`s] Login by $USER from $CLIENTIP:$CLIENTSRCPORT-->localhost:$CLIENTDSTPORT" >> /var/log/sshconn.log
host $CLIENTIP | grep . | awk '{print "      " $0}' >> /var/log/sshconn.log

###############################################
#### OUTPUT ON SHELL BEFORE PROMPT APPEARS ####
###############################################

echo "### System info: ###"
top -cbn1 | head -n5
echo
echo "### Disk Usage: ###"
# df -h | egrep "by-uuid|/DATA|Used"
df -h
echo
echo "-----Session start----"

UPDATED (2015-03-08): Added script below. Here I added an sshconn analysis output file. It just lists all of the connected IPs to date. So that way if something new logs in, you can easily spot it.

##########################
#### SSHCONN ANALYSIS ####
##########################

# each machine should have a global variable thats filled out by each ssh connection called SSH_CLIENT

CLIENTIP=`echo $SSH_CLIENT | awk '{print $1}'`
CLIENTSRCPORT=`echo $SSH_CLIENT | awk '{print $2}'`
CLIENTDSTPORT=`echo $SSH_CLIENT | awk '{print $3}'`

echo "[`date`|`date +%s`s] Login by $USER from $CLIENTIP:$CLIENTSRCPORT-->localhost:$CLIENTDSTPORT" >> /var/log/sshconn.log
host $CLIENTIP | grep . | awk '{print "      " $0}' >> /var/log/sshconn.log

##########################
#### SSHCONN ANALYSIS ####
##########################

# that grep extracts the IPs (its pretty nifty), I believe I have an article for it, just search GREP IPs or just copy it from below.

echo "==== `date` ==== (`date +%s`s)" >> /var/log/sshconn_analysis.log
cat /var/log/sshconn.log | grep '>localhost' | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c >> /var/log/sshconn_analysis.log

###############################################
#### OUTPUT ON SHELL BEFORE PROMPT APPEARS ####
###############################################

echo "### System info: ###"
top -cbn1 | head -n5
echo
echo "### Disk Usage: ###"
# df -h | egrep "by-uuid|/DATA|Used"
df -h
echo
echo "-----Session start----"

 

NOTE: Right now df -h will just show you all of the disk usage, but some you might not want to see. modify the last df -h line to only select the items that you need. I grep out by-uuid and /DATA and used to get the output that I need. I select by-uuid because my root volume has that appear on the line in df output. /DATA shows up on my main big data volume. Used is the header line we want to select it.

EXAMPLE OUTPUT WHEN I LOGIN

# ssh  whoknows.infotinks.com
root@whoknows.infotinks.com's password:
Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.60-1+deb7u1 i686

################################################
Welcome to the infotinks debian machine
Get the hell out of here if your not infotinks
Or you will be sued!
################################################

Last login: Thu Jul 31 08:01:16 2014 from whoknows.infotinks.com

### System info: ###
top - 09:03:07 up 2 days, 19:53, 1 user, load average: 1.04, 1.06, 1.05
Tasks: 124 total, 1 running, 123 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.0 us, 0.1 sy, 0.0 ni, 96.2 id, 3.5 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem: 514392 total, 508000 used, 6392 free, 48812 buffers
KiB Swap: 1290296 total, 8 used, 1290288 free, 333780 cached

### Disk Usage: ###
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/debian-root 9.2G 7.4G 1.4G 85% /
/dev/sda1 228M 82M 135M 38% /boot
/dev/mapper/vo-both 2.5G 72M 2.3G 3% /mnt/both
/dev/sdb1 4.6G 2.4G 2.1G 54% /mnt/lfs
//10.11.12.13/000DOWNLOADS 3.7T 3.6T 108G 98% /mnt/rdownsimba
root@www.ngl3.com:/ 97G 23G 69G 25% /mnt/debikos

-----Session start----
debian:~#
debian:~#
debian:~#
debian:~# cat /etc/motd

################################################
Welcome to the infotinks debian machine
Get the hell out of here if your not infotinks
Or you will be sued!
################################################

debian:~#

Then you can see the sshconn.log which shows information about who connected and from where

How to read SSHCONN.log

cat /var/log/sshconn.log

That will show you the time of connection and what IP connected along with port information.  Its interesting to reverse DNS the IP, so I do that with the host command. That might have several lines of output, so I include it in sshconn.log (but remove any new lines with grep . and also indent the output with the awk command)

Consequences of sshrc

If your sshrc sends output to the screen then you will get protocol mismatch error when using rsync over ssh to save files on this server. To avoid that make sure sshrc doesnt output anything on the screen (like with echo, df, top, commands and the like). Saving to any file is fine (so when we save to /var/log/sshconn.log thats okay), again just not to the screen (stdout… stderr might be okay).

NOTE: sshrc isnt the only file that can cause these errors. other scripts that run upon a new ssh connection startup like .bashrc, .profile should be considered. However scripts like /etc/motd and other such login banners are okay as they are not run when rsync over ssh is run. You can test if you will get the error with rsh (see link below) and it will hint at what files could be causing the output that you dont want.

Here is how the error looks like.

# rsync -e "ssh" file root@someserver.com:file
Warning: Permanently added '[root@someserver.com]:22,[24.155.888.155]:2022' (ECDSA) to the list of known hosts.
protocol version mismatch -- is your shell clean?
(see the rsync man page for an explanation)

More info here http://www.infotinks.com/rsyncprotocolmismatch/

Avoid those error by having sshrc not send anything to the screen (and any other scripts that run when ssh starts, .bashrc, .profile etc). Notice below I commented everything that outputs to the screne.

##########################
#### SSHCONN ANALYSIS ####
##########################

# each machine should have a global variable thats filled out by each ssh connection called SSH_CLIENT

CLIENTIP=`echo $SSH_CLIENT | awk '{print $1}'`
CLIENTSRCPORT=`echo $SSH_CLIENT | awk '{print $2}'`
CLIENTDSTPORT=`echo $SSH_CLIENT | awk '{print $3}'`

echo "[`date`|`date +%s`s] Login by $USER from $CLIENTIP:$CLIENTSRCPORT-->localhost:$CLIENTDSTPORT" >> /var/log/sshconn.log
host $CLIENTIP | grep . | awk '{print "      " $0}' >> /var/log/sshconn.log

##########################
#### SSHCONN ANALYSIS ####
##########################

# that grep extracts the IPs (its pretty nifty), I believe I have an article for it, just search GREP IPs or just copy it from below.

echo "==== `date` ==== (`date +%s`s)" >> /var/log/sshconn_analysis.log
cat /var/log/sshconn.log | grep '>localhost' | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c >> /var/log/sshconn_analysis.log

###############################################
#### OUTPUT ON SHELL BEFORE PROMPT APPEARS ####
###############################################

## commented it all out so that we dont get "rsync over ssh's" protocol mistmatch erro.

## echo "### System info: ###"
## top -cbn1 | head -n5
## echo
## echo "### Disk Usage: ###"
## # df -h | egrep "by-uuid|/DATA|Used"
## df -h
## echo
## echo "-----Session start----"

UPDATED (2016-04-18): Adding section to script to process the IPs with a reverse lookup using the host command. Replace “host” in iHOST line with another reverse IP look up command (hopefully its output is short – host’s output is kind of long but it does the job. “host” can resolve forwards hostname->IP, and reverse IP->hostname which is what I’m using it for here). Since my command to process the IPs, the IPs count, and the resolved hostname goes thru something more intricate then /bin/sh (busybox shell). I call upon the powers of bash to run my command. So how do I ran a portion of the script in /bin/bash while the rest runs by the default shell /bin/sh? with a HEREDOC. I save the script that I will run to a HEREDOC (I have to escape all of the $ and backticks so that they don’t substitute in random none-existant variables and commands). Then I surround the HEREDOC with double-quotes (so that the VAR can expand) and run it bash -c. Note that if your /bin/sh is bash (/bin/bash) then you dont need to do a HEREDOC (although it doesnt hurt if you do). Note this command doesnt print anything to the screen so that we dont get a dirty shell (things like rsync over ssh fail with dirty shells).

# WHAT THIS DOES: sshrc - ip log to /var/log/sshconn.log, analysis by ip count and hostname to /var/log/sshconn_analysis.log
# this does not output anything to stdout or stderr because we want a clean shell. any output to stdout (not sure if stderr counts) will break rsync over ssh to this server (with not-clean shell error)

##########################
#### SSHCONN ANALYSIS ####
##########################

# each machine should have a global variable thats filled out by each ssh connection called SSH_CLIENT

CLIENTIP=`echo $SSH_CLIENT | awk '{print $1}'`
CLIENTSRCPORT=`echo $SSH_CLIENT | awk '{print $2}'`
CLIENTDSTPORT=`echo $SSH_CLIENT | awk '{print $3}'`

echo "[`date`|`date +%s`s] Login by $USER from $CLIENTIP:$CLIENTSRCPORT-->localhost:$CLIENTDSTPORT" >> /var/log/sshconn.log
host $CLIENTIP | grep . | awk '{print "      " $0}' >> /var/log/sshconn.log

##########################
#### SSHCONN ANALYSIS ####
##########################

# This grep:
# grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
# extracts the IPs (its pretty nifty), I believe I have an article for it, just search GREP IPs or just copy it from below.

echo "==== `date` ==== (`date +%s`s)" >> /var/log/sshconn_analysis.log
## previously just saved count and ip to sshconn_analysis
## cat /var/log/sshconn.log | grep '>localhost' | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c >> /var/log/sshconn_analysis.log
## now lets also resolve the IP and put that in
(
VAR=$(cat << EOF
IFS=\$'\n'
for i in \`cat /var/log/sshconn.log | grep '>localhost' | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c\`; do
  iCOUNT=\`echo \$i | awk '{print \$1}'\`;
  iIP=\`echo \$i | awk '{print \$2}'\`;
  iHOST=\`host \$iIP\`;
  echo "- \$iCOUNT x \$iIP : \$iHOST" >> /var/log/sshconn_analysis.log;
done
EOF
)
# run the here doc VAR
/bin/bash -c "$VAR"
)

###############################################
#### OUTPUT ON SHELL BEFORE PROMPT APPEARS ####
###############################################

# everything commented with ###--### was so that we had a "clean shell" and rsync over ssh could target this server

###--### echo "### Disk Usage: ###"
###--### df -h 
###--### echo
###--### echo "### Top Info: ###"
###--### top -cbn1 | head -n14 | grep .
###--### echo
###--### echo "### Quick Info: ###"
###--### echo "* uname: `uname -a`"
###--### echo "* uptime/uptime: `cat /proc/uptime` - `uptime`"
###--### echo "* memory:    total       used       free     shared    buffers     cached"
###--### free -tm | tail -n +2
###--### echo
###--### echo "-----Session start----"

The end.

Leave a Reply

Your email address will not be published. Required fields are marked *