# Can I add 'successful logins' to my Security Run output?



## ghostcorps (Sep 21, 2011)

Hi Guys

I have the output of the cron Security Run being emailed to me and it is showing a lot of failed ssh attempts, this is all well and good and denyhosts takes care of most of that concern but I need to know if any of these ever actually get through. Since I am the only person who logs into it, it would be pretty easy to tell if someone else has managed to login.

Is it possible to have the output of the Security run include successful attempts?

I have looked at /etc/periodic.conf but there are no switches that seem to correspond to what I am looking for.

Thanks for your time, sorry if this is in the wrong forum, but I figure firewalls are the closest thing to a security forum here.



D


----------



## Dies_Irae (Sep 21, 2011)

You can create a script in /etc/periodic/daily that lists successful logins on ssh:

```
egrep 'sshd\[[0-9]+\]: Accepted' /var/log/auth.log
```


----------



## ghostcorps (Sep 21, 2011)

Dies_Irae said:

> You can create a script in /etc/periodic/daily that lists successful logins on ssh:
> 
> ```
> egrep 'sshd\[[0-9]+\]: Accepted' /var/log/auth.log
> ```



Elegant 

Thanks!


----------



## molofishy (Oct 10, 2016)

What is the difference between the command Dies_Irae suggested, and `last`? I noticed that not all entries returned by `egrep 'sshd\[[0-9]+\]: Accepted' /var/log/auth.log` are seen when using `last`, but I cannot work out what is systematically being filtered out.


----------



## Juha Nurmela (Oct 11, 2016)

Latter does not include "non-interactive" connections, like `ssh host mail -e` ?

Utter guess,
Juha


----------



## SirDice (Oct 11, 2016)

last(1) will show any login, including logins on the console, not just remote logins.


----------



## molofishy (Oct 13, 2016)

Juha Nurmela, I think you are correct: `last` does not show non-interactive logins, like rsyncs/scp's. I just tested this.


----------



## kpa (Oct 13, 2016)

molofishy said:


> Juha Nurmela, I think you are correct: `last` does not show non-interactive logins, like rsyncs/scp's. I just tested this.



This is because they don't start a login shell on connection.


----------



## molofishy (Oct 15, 2016)

Has anyone added a file to /etc/periodic/daily that lists successful logins for _only_ the previous day to be consistent with the other periodic files? `egrep 'sshd\[[0-9]+\]: Accepted' /var/log/auth.log` lists all successful logins within the auth.log file which can contain information from multiple days. If someone has a script around, it would be much appreciated if it could be shared here.

Another comment: I am curious to know why such a feature is not part of the default set of periodic scripts? This could be extremely useful: for example for servers which are typically accessed by a user base from a particular country, or only a few users. Any ip/location which stands out from the norm can be investigated.


----------
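One way to build the previous-day report asked about in the last post (an added example, not code from any participant in the thread). It assumes auth.log uses the traditional syslog line layout shown in the first comment; `AUTH_LOG`, `accepted_on`, `summarize` and `sample_log` are names invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes traditional syslog lines:
#   "Oct 14 03:12:01 host sshd[1234]: Accepted publickey for alice from ..."
LOG=${AUTH_LOG:-/var/log/auth.log}   # AUTH_LOG: hypothetical override for testing

# Yesterday as "Mon D"; tries FreeBSD date(1) syntax first, then GNU date.
yesterday() {
    LC_ALL=C date -v-1d '+%b %e' 2>/dev/null || LC_ALL=C date -d yesterday '+%b %e'
}

# accepted_on MONTH DAY [FILE...]: sshd "Accepted" lines for that date only.
# Matching by field position (tag in $5, verb in $6) keeps text later in a
# message from being mistaken for an acceptance.
accepted_on() {
    mon=$1 day=$2; shift 2
    awk -v mon="$mon" -v day="$day" \
        '$1 == mon && $2 + 0 == day + 0 && $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted"' "$@"
}

# Reduce Accepted lines on stdin to "count user address method", busiest first.
summarize() {
    awk '{ print $9, $11, $7 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# Constructed sample log (documentation addresses), spanning three days.
sample_log() {
    cat <<'EOF'
Oct 13 23:59:58 host sshd[901]: Accepted publickey for alice from 192.0.2.10 port 50111 ssh2
Oct 14 02:10:44 host sshd[1204]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct 14 03:12:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Oct 14 09:30:15 host sshd[1410]: Accepted publickey for alice from 192.0.2.10 port 51980 ssh2
Oct 14 18:05:09 host sshd[1777]: Accepted password for bob from 198.51.100.23 port 40022 ssh2
Oct 15 00:00:03 host sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 52001 ssh2
EOF
}

# When installed under /etc/periodic/daily, report yesterday's logins.
if [ -r "$LOG" ]; then
    set -- $(yesterday)
    echo "Accepted ssh logins on $1 $2:"
    accepted_on "$1" "$2" "$LOG" | summarize
fi
```

The script reads only the current auth.log, so entries from yesterday that have already been rotated into an archived log are not counted. The per-address summary makes an unfamiliar source address or authentication method stand out in the daily mail.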

