/*
Here is an example pam configuration:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth optional pam_exec.so expose_authtok /usr/local/bin/login_logger /var/log/failed_logins
auth requisite pam_deny.so
auth required pam_permit.so
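The logfile entry has the format key\0value\0key\0value\0, and each entry ends with a newline character in place of a key.
Because the log stores the attempted passwords in clear text (including mistyped real ones), keep the file readable by root only.
Watch new login attempts as they come in: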
tail -f /var/log/failed_logins | tr '\0\1' '\t '
get the most often used passwords:
grep -aoP 'password\0[^\0]*' /var/honeypot/loginfails | grep -oaP '[^\0]*$' | tr '\0\1' '\t ' | sort | uniq -c | sort -rh | head
*/
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>
/*
 * IFT( X, T, Y, Z ): compile-time "if type" selection. Yields Y when the
 * expression X has type T and Z otherwise. X is only inspected for its type by
 * _Generic; it is not evaluated.
 */
#define IFT( X, T, Y, Z ) _Generic( (X), T: Y, default: Z )
/*
 * FMT_OF( P, X ): string literal made of the prefix P followed by the printf
 * conversion that matches the type of X (for example P "ld" for signed long).
 * The selection is a chain of nested IFT tests, one type per _Generic,
 * presumably so that size_t can be listed even on platforms where it is the
 * same type as one of the earlier integer types.
 * Only the unqualified char* and void* pointer types are listed; any other
 * type (const char* included) ends at the final default, which is the literal
 * "???" without the prefix P.
 */
#define FMT_OF( P, X ) \
IFT( (X), signed char , P "hhd", \
IFT( (X), unsigned char , P "hhu", \
IFT( (X), signed short , P "hd" , \
IFT( (X), unsigned short , P "hu" , \
IFT( (X), signed int , P "d" , \
IFT( (X), unsigned int , P "u" , \
IFT( (X), signed long , P "ld" , \
IFT( (X), unsigned long , P "lu" , \
IFT( (X), signed long long , P "lld", \
IFT( (X), unsigned long long, P "llu", \
IFT( (X), size_t , P "zu" , \
IFT( (X), char* , P "s" , \
IFT( (X), void* , P "p" , "???" \
)))))))))))))
/*
 * FPRINT( F, X ): print X to stream F with the conversion chosen by FMT_OF.
 * The format is always a string literal picked from the type of X, never data
 * taken from X itself.
 */
#define FPRINT( F, X ) fprintf( F, FMT_OF("%",(X)), (X) )
/*
 * FPRINTP( F, X, P ): like FPRINT, but zero-padded to a minimum field width.
 * P is stringized and appended to "%0", so FPRINTP( f, x, 6 ) uses a format
 * of the form "%06<conversion>".
 */
#define FPRINTP( F, X, P ) fprintf( F, FMT_OF("%0" #P,(X)), (X) )
/*
 * Write one NUL-terminated field to the stream.
 *
 * s: string to write including its terminating NUL; when NULL, a single NUL
 *    byte (an empty field) is written instead.
 * f: destination stream; when NULL nothing is written.
 *
 * Returns false when f is NULL or when the stream's error indicator is set
 * after the write, true otherwise.
 */
bool fpse( const char*restrict s, FILE*restrict f ){
	if( f == NULL )
		return false;

	if( s == NULL )
		fputc( '\0', f );
	else
		fwrite( s, sizeof(char), strlen(s) + 1, f );

	/* The write results are not inspected directly; the stream's error
	 * indicator is what decides the outcome. */
	return ferror( f ) == 0;
}
/*
 * Write one key/value pair as two consecutive NUL-terminated fields.
 *
 * a: key; must not be NULL and must not start with '\n', because a newline in
 *    key position is what marks the end of a log entry.
 * b: value; a NULL value (for example an unset environment variable) causes
 *    the whole pair to be skipped.
 * f: destination stream.
 *
 * Returns true only when both fields were written without a stream error.
 * NOTE(review): only the first byte of the key is checked; a value containing
 * '\n' is written unchanged.
 */
bool fpe( const char*restrict a, const char*restrict b, FILE*restrict f ){
	const bool usable = a != NULL && b != NULL && *a != '\n';
	if( !usable )
		return false;

	if( !fpse( a, f ) )
		return false;
	return fpse( b, f );
}
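/*
 * Append one record describing the current PAM authentication attempt to the
 * log file named by argv[1].
 *
 * The record consists of NUL-terminated key/value fields (date, host, user,
 * ruser, rhost, service, tty, password) followed by a single '\n'. The PAM_*
 * values are read from the environment and the password is read from stdin up
 * to the first NUL byte or EOF.
 *
 * Exit status: 0 on success, 1 on wrong argument count, 2 when the log file
 * cannot be opened, 3 when stdin is unavailable, 4 when writing or closing
 * the log file failed.
 */
int main( int argc, char* argv[] ){
	if( argc != 2 )
		return 1;

	char host[256] = {0};

	/* The log holds attempted passwords in clear text, so a file created
	 * here must not be readable by group or others. An already existing
	 * file keeps its current mode. */
	umask( 077 );

	FILE* out = fopen(argv[1],"a");
	FILE* in = stdin;
	if( !out )
		return 2;
	if( !in ){
		fclose( out );
		return 3;
	}

	/* gethostname() is not required to NUL-terminate a truncated name, so
	 * the last byte of the zero-initialised buffer is kept out of reach. */
	if( gethostname( host, sizeof(host) - 1 ) != 0 )
		host[0] = 0;

	struct timeval now = {0};
	gettimeofday( &now, 0 );

	/* date is written as seconds '.' microseconds, microseconds zero-padded
	 * to six digits. */
	fpse( "date", out );
	FPRINT( out, now.tv_sec );
	fputc( '.', out );
	FPRINTP( out, now.tv_usec, 6 );
	fputc( 0, out );

	/* Unset variables yield NULL from getenv() and the pair is skipped. */
	fpe( "host"   , host                 , out );
	fpe( "user"   , getenv("PAM_USER")   , out );
	fpe( "ruser"  , getenv("PAM_RUSER")  , out );
	fpe( "rhost"  , getenv("PAM_RHOST")  , out );
	fpe( "service", getenv("PAM_SERVICE"), out );
	fpe( "tty"    , getenv("PAM_TTY")    , out );

	/* The password bytes are copied unchanged. A '\n' inside the password
	 * (or inside one of the values above) therefore splits the record for
	 * line-oriented tools such as grep and tail; consumers that need exact
	 * values should parse the NUL-separated fields instead of lines. */
	fpse( "password", out );
	{
		int c;
		while( ( c = fgetc(in) ) != EOF && c )
			fputc( c, out );
	}
	fputc( 0, out );
	fputc( '\n', out );

	/* Buffered data is only known to be written once fclose() succeeds. */
	const bool write_failed = ferror( out ) != 0;
	fclose( in );
	if( fclose( out ) != 0 || write_failed )
		return 4;
	return 0;
}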