2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
Linux login prompt (static / dynamic MOTD)
After a user enters the password or logs in successfully with a key, the server can automatically perform a few simple operations for us, such as printing a prompt, printing exception messages, executing a script, or sending e-mail. Prompting the user at login lets us quickly grasp the important information about the machine before taking any action on it. Doesn't that sound interesting? We might think this has no direct impact on the security of the server, and that executing a series of commands and scripts (such as collecting information about server resource usage) on every login is a bit redundant. Therefore, if you need to configure login prompts on a production Linux server, such as commands or scripts executed at login, there is no need to write a large, complex script. The execution time of the script is critical: if you do not want to wait a few seconds or more after entering the correct login password, optimize the script's execution time down to a few milliseconds or less as far as possible. (If you do want to do this, keep the prompt or operation after login as simple and useful as possible.)
In most Linux distributions, you can customize any prompt you want by editing the /etc/motd file directly and pasting in the message to be printed (any executable commands or scripts in the file are treated as ordinary characters/text). The text in /etc/motd stays fixed unless we modify it manually, so a message customized in /etc/motd is a static MOTD.
If you have used a Debian/Ubuntu distribution, you may have noticed that Ubuntu already provides a dynamic MOTD by default (it displays some current information about the system when you log in via SSH or locally). RHEL/CentOS cannot do this the way Debian/Ubuntu does, because RHEL/CentOS does not provide any scripts for it. Instead, we can append the commands or scripts to be executed to the end of the environment files, such as /etc/profile or /etc/bashrc, so that every time a user logs in, the system reads these files and executes the scripts defined in them. Alternatively, you can schedule tasks with crontab: run pre-prepared scripts (system monitoring, collection of abnormal information, and so on) in the background at regular intervals and redirect the collected information to the /etc/motd file. When a user logs in to the system, the system monitoring and exception information is then displayed.
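The crontab approach described above, as an added example that is not from the original article: the script builds the message and publishes it with a temp file plus rename, so a login never reads a half-written MOTD and login itself only prints a static file. The function names, the target path argument and the 90% disk threshold are assumptions.

```shell
#!/bin/bash
# Added example: regenerate a MOTD file from cron (names are hypothetical).

# Build the message on stdout; every probe is cheap and has a fallback.
build_motd() {
    local load="n/a" up_s=0
    [ -r /proc/loadavg ] && load=$(cut -d' ' -f1-3 /proc/loadavg)
    [ -r /proc/uptime ] && up_s=$(cut -d. -f1 /proc/uptime)
    printf 'System information as of: %s\n' "$(date '+%F %T')"
    printf 'Kernel Version:\t%s\n' "$(uname -r)"
    printf 'System Load:\t%s\n' "$load"
    printf 'System Uptime:\t%d days %d hours %d min\n' \
        $((up_s/86400)) $((up_s/3600%24)) $((up_s/60%60))
    # Flag filesystems at or above 90% usage (threshold is an assumption).
    df -P 2>/dev/null |
        awk 'NR>1 && $5+0 >= 90 {printf "WARNING: %s is %s full\n", $6, $5}'
    return 0
}

# Write to a temp file next to the target, then rename it into place:
# rename is atomic, so readers see either the old or the new MOTD.
write_motd() {
    local target=$1 tmp
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if build_motd > "$tmp"; then
        # mktemp creates the file 0600; the MOTD must be world-readable.
        chmod 644 "$tmp" && mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run only when a target path is given, e.g. from cron with /etc/motd.
if [ $# -ge 1 ]; then
    write_motd "$1"
fi
```

A root crontab entry such as `*/5 * * * * /usr/local/sbin/update-motd.sh /etc/motd` (script path assumed) refreshes the file every five minutes.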
In Ubuntu, a set of scripts is provided in the directory /etc/update-motd.d/. When a user logs in, the scripts are executed in the order of their numeric prefix (00-99), and their output is saved to the file /run/motd.dynamic. After the user logs in successfully, it is printed on the login screen. The output is shown in the following figure
/etc/update-motd.d/ script list:
00-header
10-help-text
50-landscape-sysinfo
90-updates-available
91-release-upgrade
98-fsck-at-reboot
98-reboot-required
These are the scripts that provide dynamic MOTD messages by default in Ubuntu 14.04 LTS. You can modify them or add your own scripts, for example replacing one with your own customized script.
Here are some simple examples of customizing MOTD in RHEL/CentOS:
Print a prompt, execute a script, or send an email
Print a prompt message to any user after they log in remotely or locally (for example, warning the person logging in that this is an important server and must be operated with caution)
>> Enable the SSH service to print the MOTD message: in the configuration file /etc/ssh/sshd_config, confirm that the following is configured (default is yes)
PrintMotd yes
>> Modify the /etc/motd file and paste the prompt message into it
[root@localhost ~]# cat /etc/motd
** Note: this is an important production server, please operate carefully! **
* If you need to restart / shut down the server, unmount NFS first *
>> After saving, log in to the server using SSH and enter the correct account password; the prompt is as follows
Of course, a simple prompt like this is not enough. We can print the server's characteristics, running services, file system information and other important details, so that other IT personnel can quickly grasp the important information about the server before taking any action. It also serves as a warning. You can customize it according to your own situation.
Print dynamic MOTD prompts in RHEL/CentOS
>> The following prompt is printed for any user who logs in remotely via SSH
>> Create a system information collection script
[root@HMing ~]# vim /usr/src/scripts/system_info.sh
#!/bin/bash
date=`date "+%F %T"`
head="System information as of: $date"
kernel=`uname -r`
hostname=$HOSTNAME
# CPU load
load1=`cat /proc/loadavg | awk '{print $1}'`
load5=`cat /proc/loadavg | awk '{print $2}'`
load15=`cat /proc/loadavg | awk '{print $3}'`
# System uptime
uptime=`cat /proc/uptime | cut -f1 -d.`
upDays=$((uptime/60/60/24))
upHours=$((uptime/60/60%24))
upMins=$((uptime/60%60))
upSecs=$((uptime%60))
up_lastime=`date -d "$(awk -F. '{print $1}' /proc/uptime) second ago" +"%Y-%m-%d %H:%M:%S"`
# Memory usage (newer versions of free have no "-/+ buffers/cache" line,
# so the Mem: "used" column is the fallback)
mem_usage=`free -m | awk '/Mem:/{total=$2; used=$3} /buffers\/cache/{used=$3} END {printf("%3.2f%%", used/total*100)}'`
# Swap usage (the expression is cut off in the page's copy; used/total is assumed,
# with a guard for hosts that have no swap)
swap_usage=`free -m | awk '/Swap/{if ($2 > 0) printf("%.2f%%", $3/$2*100); else printf("0.00%%")}'`
# Processes (the command before "wc -l" is cut off in the page's copy; ps aux is assumed)
processes=`ps aux | wc -l`
# Users
users=`users | wc -w`
USER=`whoami`
# System fs usage
Filesystem=$(df -h | awk '/^\/dev/{print $6}')
# Interfaces
INTERFACES=$(ip -4 ad | grep 'state' | awk -F":" '!/^[0-9]*: ?lo/ {print $2}')
echo
echo "+----------------------------------------------------------+"
echo "$head"
echo "------------------------------------------------------------"
printf "Kernel Version:\t%s\n" "$kernel"
printf "HostName:\t%s\n" "$hostname"
printf "System Load:\t%s %s %s\n" "$load1" "$load5" "$load15"
printf "System Uptime:\t%s days %s hours %s min %s sec\n" "$upDays" "$upHours" "$upMins" "$upSecs"
printf "Memory Usage:\t%s\t\t\tSwap Usage:\t%s\n" "$mem_usage" "$swap_usage"
printf "Login Users:\t%s\t\t\tWhoami:\t\t%s\n" "$users" "$USER"
printf "Processes:\t%s\n" "$processes"
printf "\n"
printf "Filesystem\tUsage\n"
for f in $Filesystem
do
    # Use% of the filesystem mounted at $f
    Usage=$(df -h | awk -v m="$f" '$NF==m {print $5}')
    echo -e "$f\t\t$Usage"
done
printf "\n"
printf "Interface\tMAC Address\t\tIP Address\n"
for i in $INTERFACES
do
    MAC=$(ip ad show dev $i | grep "link/ether" | awk '{print $2}')
    IP=$(ip ad show dev $i | awk '/inet /{print $2}')
    printf "%s\t\t%s\t%s\n" "$i" "$MAC" "$IP"
done
echo "+----------------------------------------------------------+"
echo
>> Add execute permission to the script
[root@HMing ~]# chmod +x /usr/src/scripts/system_info.sh
>> Add the pathname of the script to the end of the /etc/profile file
[root@HMing ~]# tail -1 /etc/profile
/usr/src/scripts/system_info.sh
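Scripts appended to /etc/profile run in every login shell, root's included, so each script and its directory should be owned by root and not writable by group or others. An added check for that (not part of the original article; the function names and report format are hypothetical):

```shell
#!/bin/bash
# Added example: audit the scripts that /etc/profile runs at login.

# profile_scripts FILE: print the lines of FILE that consist only of an
# absolute path, which is how the article appends its scripts.
profile_scripts() {
    sed -n -E 's/^[[:space:]]*(\/[^[:space:]]+)[[:space:]]*$/\1/p' "$1"
}

# audit_paths OWNER PATH...: report each PATH, or its parent directory,
# that is not owned by OWNER or is writable by group or others.
# Returns 1 if anything was reported, 0 if everything is clean.
audit_paths() {
    local owner=$1 p found rc=0
    shift
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        # -L checks a symlink's target; -prune stops find from descending.
        found=$(find -L "$p" "$(dirname "$p")" -prune \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$found" ]; then
            echo "$found" | sed 's/^/UNSAFE   /'
            rc=1
        fi
    done
    return $rc
}

# Usage: script.sh /etc/profile
# Audits the profile file itself and every script path appended to it.
if [ $# -ge 1 ]; then
    audit_paths root "$1" $(profile_scripts "$1")
fi
```

The same `audit_paths root` call can be pointed at the files in /etc/update-motd.d/ on Ubuntu, where pam_motd runs the scripts as root.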
Send an email message after any user logs in remotely or locally
>> The demonstration is as follows
>> The email is sent as follows
>> Create a script /usr/src/scripts/my-server-login-mail to send mail, as follows
#!/bin/bash
# SMTP account used to send the mail (any user who can read this script can read these values)
smtp=smtp.163.com
smtp_auth_user=xxxxxx
smtp_auth_password=xxxxxxxxxx
from=xxxxxxxx@163.com

# Collect the system information that goes into the mail body
function HEAD {
Kernel_version=`uname -r`
Login_user=`last -a | grep "logged in" | wc -l`
Up_lastime=`date -d "$(awk -F. '{print $1}' /proc/uptime) second ago" +"%Y-%m-%d %H:%M:%S"`
Up_runtime=`cat /proc/uptime | awk -F. '{run_days=$1/86400; run_hour=($1%86400)/3600; run_minute=($1%3600)/60; run_second=$1%60; printf("%d days, %d hours, %d minutes, %d seconds", run_days, run_hour, run_minute, run_second)}'`
Last_user=`last | awk '(/pts/) && (/-/){print "User: "$1" - ""OnlineTime: "$NF" - ""IP: "$3" - ""LoginTime: "$4" "$5" "$6" "$7}' | head -1 | sed -e 's/(//g' -e 's/)//g'`
echo -e "
Email notice: an unidentified source has logged in to the system as user ${USER}
---------- System information ----------
Hostname: $HOSTNAME
Kernel version: $Kernel_version
System run time: $Up_runtime
Last restart time: $Up_lastime
Current login users: $Login_user
Last login user: $Last_user
----------------------------------------"
}

# mktemp avoids a fixed, predictable file name in /tmp
tmpfile=`mktemp /tmp/.loginmail.XXXXXX`
HEAD > "$tmpfile"
title="Host: $HOSTNAME login prompt (`date "+%F %T"`)"
body=`cat "$tmpfile"`
to=741616710@qq.com
sendEmail -s "$smtp" -xu "${smtp_auth_user}" -xp "${smtp_auth_password}" -f "$from" -t "$to" -u "$title" -m "$body" &> /dev/null
rm -f "$tmpfile"
There are many programs that send mail in Linux; here I use sendEmail, and you can also use other programs to send mail.
>> Add the absolute pathname of the script to the end of the /etc/profile file
[root@HMing ~]# tail -1 /etc/profile
/usr/src/scripts/my-server-login-mail
Conclusion
Dynamic MOTD is available out of the box in Ubuntu because it has been integrated into the system as a module and is called through pam_motd.so. We can still modify the pre-configured scripts at any time, or put our own scripts in the /etc/update-motd.d/ directory, such as a script that collects system exception information, so that the information is shown to the user immediately at login. We can also monitor the system's login records in real time: by sending an email to the user, the user can quickly find out whether the server has been attacked. For the RHEL/CentOS distributions, I have also given a few simple demonstration examples that implement dynamic MOTD. Interested readers can use them as a reference.