Sat, 25 Jan 2003 (PDT)






Free Software for Linux, *NIX, and Internet Security



shwatchr: The Shell Watcher

shwatchr is a small program written in Perl that allows any user on a Linux/*NIX system to audit logins to their local account that originate from arbitrary hosts on the Internet. Whenever a login to a user's account is successful (i.e. a shell owned by the user is spawned by the getty/login process), the host from which the connection is established is compared against a list of known/allowed hosts. If the connection originates from a host that is not known/allowed, then the program will either 1) immediately send an email to an "offshore" email address (i.e. not the same email address associated with the user) that includes the time and the source from which the connection was established or 2) issue a warning to the person who has logged into the system and proceed to kill all user shells. These two actions may be combined to send email first and then kill all shells, and in addition there is a logging option.

Execution of shwatchr does not require root privileges; only the privileges already associated with the user. This allows people who do not have root on a machine (such as a machine at work, an ISP, or a university for example) to have some measure of knowledge and security over who is logging into their accounts.

Note: If the email option is chosen, then any login from an unauthorized host is allowed, but at least you will know that someone logged into your account from some place they shouldn't have, and hence you will know to go change your password as soon as possible. Also, the shell-kill feature is easily defeated, but the corresponding warning message should be enough to deter some attackers from returning again.
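The allow-list check described above, sketched as an added Python example; it is not shwatchr's code (shwatchr is written in Perl). The `who`-style input line, the allow-list entries, the CIDR support and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed allow-list (not from shwatchr): one IP, one CIDR range, one hostname.
# Hostname entries rely on reverse DNS, which the remote network controls,
# so IP/CIDR entries are the stronger check.
ALLOWED = ["192.0.2.10", "198.51.100.0/24", "bastion.example.org"]

def source_of(who_line):
    """Return the remote host from a `who`-style line, or None for a local login."""
    fields = who_line.split()
    last = fields[-1] if fields else ""
    if last.startswith("(") and last.endswith(")"):
        host = last[1:-1]
        # "(:0)" style entries are local X11 displays, not remote hosts.
        return None if host.startswith(":") or not host else host
    return None

def is_allowed(host, allowed=ALLOWED):
    """True if host matches an allow-list entry (exact IP, CIDR range, or hostname)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # source is a hostname, not an IP literal
    for entry in allowed:
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # hostname entry cannot match an IP source
        elif host.lower().rstrip(".") == entry.lower().rstrip("."):
            return True
    return False

def decide(who_line, mail=True, kill=False):
    """Actions for one login, in the order the page gives: email first, then kill."""
    host = source_of(who_line)
    if host is None or is_allowed(host):   # assumption: local logins trigger nothing
        return []
    actions = []
    if mail:
        actions.append(("mail", host))
    if kill:
        actions.append(("warn_and_kill", host))
    return actions

if __name__ == "__main__":
    line = "mbr  pts/0  2003-01-25 10:12 (203.0.113.7)"  # constructed sample
    print(decide(line, mail=True, kill=True))
```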




Copyright (c) 2000,2001 Michael B. Rash