Friday, December 02, 2005

Fun with bash

In an effort to secure my internal network, I'm adding an access server. Initially, the firewall routed SSH to one of my application servers. Now it routes to a dedicated access server.
  Previous: Internet -> Router -> Server -> Network
  Current:  Internet -> Router -> Access -> Network
Admittedly, this doesn't seem that different. The issue is the configuration of the system. The application server has to be accessible to other systems, so its security settings are somewhat basic. By using a dedicated access server, I can ratchet the security as tight as it will go. Toward that goal, I've implemented a few fun features within bash.

In /etc/bashrc, I've appended:
  if [ "$PS1" ]; then
      # only interactive shells set PS1; look up the login name for this UID
      # instead of assuming the UID and primary GID are the same number
      USER=`awk -F: -v uid="$UID" '$3 == uid {print $1}' /etc/passwd`
      date +"%d %H:%M:%S" | mail -s "$USER login" someuser@somewhere.com
  fi

Whenever someone logs in (or su's to root) I get a message.

In each user's .bash_logout file, I've added:
  (sleep 3;   mv ~/.bash_history /tmp/flytrap/`date +"%d%H%M%S"`;  touch ~/.bash_history) &
The parentheses group the commands into a subshell, and the trailing & runs that subshell in the background. Bash finishes writing the user's history file to disk, then (3 seconds later) the file is moved into the flytrap and an empty one is left in its place. The flytrap is a directory where users can write, but cannot read (and thus cannot list its contents):
  # ls -ld /tmp/flytrap
  d-------wt 2 root root 4096 Dec 2 13:35 /tmp/flytrap

Of course, I've changed the ownership and permissions on ~/.bash_logout to prevent the script kiddies from messing with it.
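As an added example (not the post's own code), here is a POSIX sh replacement for the .bash_logout one-liner. The post names each capture with `date +"%d%H%M%S"`, which repeats every month and collides when two users log out in the same second, so this version names each capture by user, full timestamp and shell PID instead. The function names stash_name and archive_history, and the way arguments are passed, are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code.
# Intended use from ~/.bash_logout, with the post's /tmp/flytrap directory:
#   (sleep 3; archive_history ~/.bash_history /tmp/flytrap "$(id -un)") &

# Build a flytrap file name that cannot collide between users or between
# logouts in the same second: <user>.<YYYYmmddHHMMSS>.<pid>
# $1 = user name, $2 = pid of the exiting shell
stash_name() {
    printf '%s.%s.%s' "$1" "$(date +%Y%m%d%H%M%S)" "$2"
}

# Move a history file into the flytrap and leave a fresh, empty one behind.
# $1 = history file, $2 = flytrap directory, $3 = user name
# Prints the destination path; returns non-zero if nothing was archived.
archive_history() {
    hist=$1; trap_dir=$2; user=$3
    [ -f "$hist" ] || return 1          # nothing to archive
    dest="$trap_dir/$(stash_name "$user" "$$")"
    # mv only needs write access on the directory, which is exactly what
    # the d-------wt mode on the flytrap grants to ordinary users
    mv -- "$hist" "$dest" || return 1
    : > "$hist"                          # empty history for the next session
    printf '%s\n' "$dest"
}
```

Because the capture keeps the user name and PID, a single directory listing by root shows who logged out when, without opening each file.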
