ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6e53d1bdecd56f3b27ebe062b77c53e99d933cbd
ServerUserCreate/bin/check_last_login.sh
Clemens Schwaighofer 6e53d1bdec Update collector script with debug output, list rejected ssh users 
In the check script print out current rejected (not allowed) ssh users

Collect log info script has now debug output and proper options flags
2022-11-22 09:33:52 +09:00

128 lines
4.7 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Checks for last access of users in sshallow group
# if user login >30days, remoe user from sshallow group and write log
# base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# which group holds the ssh allowed login users (outside of admin users)
ssh_group='sshallow';
ssh_reject_group='sshreject';
# date now for compare
now=$(date +"%s");
# max age for last login or account create without login
max_age_login=60;
max_age_create=30;
# one day in seconds
day=86400;
# delete account strings
delete_accounts="";
user_group_tpl="deluser %s %s;adduser %s %s;";
# log base folder
LOG="${BASE_FOLDER}/../log";
# auth log file user;date from collect_login_data script
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ $(whoami) != "root" ]; then
echo "Script must be run as root user";
exit;
fi;
if [ ! -d "${LOG}" ]; then
echo "log folder ${LOG} not found";
exit;
fi;
LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
exec &> >(tee -a "${LOG}");
echo "[START] =============>";
echo "Hostname : "$(hostname);
echo "Run date : "$(date +"%F %T");
echo "Max age last login: ${max_age_login} days";
echo "Max age no login : ${max_age_create} days";
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
# for user in clemens test42; do
account_age=0;
delete_user=0;
out_string="";
#echo "* Checking user ${user}";
# check user create time, if we have set it in comment
user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
# if empty try last password set time
if [ -z "${user_create_date}" ]; then
# user L 11/09/2020 0 99999 7 -1
user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
fi;
# last try is user home .bash_logout
if [ -z "${user_create_date}" ]; then
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
user_create_date=$(stat -c %Z "${home_dir}");
fi;
# below only works if the user logged in, a lot of them are just file upload
# users. Use the collect script from systemd-logind or /var/log/secure
# Username Port From Latest
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
last_login_string=$(lastlog -u ${user} | sed 1d);
search="Never logged in";
found="";
# problem with running rep check in if
if [ -f "${AUTH_LOG}" ]; then
found=$(grep "${user};" "${AUTH_LOG}");
fi;
if [ ! -z "${found}" ]; then
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last ssh log in ${last_login} days ago";
delete_user=1;
else
out_string="OK [ssh]";
fi;
elif [ ! -z "${last_login_string##*$search*}" ]; then
# if we have "** Never logged in**" the user never logged in
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
# awk '{for(i=4;i<=NF;++i)printf $i FS}'
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last terminal log in ${last_login} days ago";
delete_user=1;
else
out_string="OK [lastlog]";
fi;
elif [ ! -z "${user_create_date}" ]; then
user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
# if all empty, we continue with only check if user has last login date
# else get days since creation
#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
if [ ${account_age} -gt ${max_age_create} ]; then
out_string="[!] Never logged in, account created ${account_age} days ago";
delete_user=1;
else
out_string="OK [first login]";
fi;
else
out_string="[!!!] Never logged in and we have no create date";
fi;
# build delete output
if [ ${delete_user} = 1 ]; then
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
fi;
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
done;
echo "--------------------->"
echo "Showing current SSH Reject users:"
for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
echo "${user}";
done;
if [ ! -z "${delete_accounts}" ]; then
echo "--------------------->"
echo "% Run list below to move users to reject ssh group";
echo "";
echo "${delete_accounts}";
fi;
echo "[END] ===============>"
# __END__
Reference in New Issue View Git Blame Copy Permalink