Gentoo Forums
MADcow
l33t

Joined: 23 Jan 2003
Posts: 742
Location: RIT (Henrietta, New York, United States)

Posted: Mon Dec 27, 2004 8:47 am    Post subject: watching users?

i provide shell accounts on my network to lots of friends.
lately some of them have been getting me in trouble.
what's the best way to watch what users have been up to? limit bandwidth? and especially limit nmap scanning (but not totally disable it)

and what should i use to sync user accounts, short of installing LDAP or sharing /etc/passwd,shadow,and group over NFS?

basically, i want to see what certain users have been up to, exactly, in the last few hours.
suggestions?
pjp
Administrator

Joined: 16 Apr 2002
Posts: 20588

Posted: Mon Dec 27, 2004 8:47 am    Post subject: Re: watching users?

MADcow wrote:
i provide shell accounts on my network to lots of friends.
lately some of them have been getting me in trouble.

If they are truly friends, they wouldn't be doing stuff to get you in trouble. If they are/when they do, then simply stop providing them access.
_________________
Quis separabit? Quo animo?
MADcow
l33t

Joined: 23 Jan 2003
Posts: 742
Location: RIT (Henrietta, New York, United States)

Posted: Mon Dec 27, 2004 8:59 am

yes. that's what i figured when i started giving out shell accounts, and what i've been doing.
but when they piss off my ISP (like what happened last month), closing their account is too late to prevent the damage.
if i could watch them more effectively, and suspend accounts BEFORE it gets out of control, i would be much more satisfied.
Ateo
Advocate

Joined: 02 Jun 2003
Posts: 2022
Location: Vegas Baby!

Posted: Mon Dec 27, 2004 10:29 am

You can always snoop their bash history.
MADcow
l33t

Joined: 23 Jan 2003
Posts: 742
Location: RIT (Henrietta, New York, United States)

Posted: Mon Dec 27, 2004 9:11 pm

some people have taken to unsetting it.
not to mention that it's unreliable because they can edit or delete it.
Ateo
Advocate

Joined: 02 Jun 2003
Posts: 2022
Location: Vegas Baby!

Posted: Mon Dec 27, 2004 9:19 pm

So create a script that saves a user's history at a certain interval while the user is logged in. Don't have it overwrite other files, have it create a new file name with each save.

I dunno, just throwing ideas out.
MADcow
l33t

Joined: 23 Jan 2003
Posts: 742
Location: RIT (Henrietta, New York, United States)

Posted: Mon Dec 27, 2004 9:26 pm

they could still unset it.
unset HISTFILE

and then nothing is echoed to history.
Ateo
Advocate

Joined: 02 Jun 2003
Posts: 2022
Location: Vegas Baby!

Posted: Mon Dec 27, 2004 9:42 pm

MADcow wrote:
they could still unset it.
unset HISTFILE

and then nothing is echoed to history.


Oh. Shows what I know.. hehe. =)

That can't be disabled?
MADcow
l33t

Joined: 23 Jan 2003
Posts: 742
Location: RIT (Henrietta, New York, United States)

Posted: Mon Dec 27, 2004 9:44 pm

i don't see how. $HISTFILE is an env variable. the user owns it, so they can do whatever they want with it. all they're doing is setting it to nothing so that no file is used.
dewke
Tux's lil' helper

Joined: 01 Jun 2004
Posts: 77
Location: The sunshine state

Posted: Tue Dec 28, 2004 12:12 am

First I would change the permissions on nmap, or any other "questionable" application, so that non-root users cannot execute it. Do not allow non-root users to compile code. Tell your "friends" to quit it. If they still are getting you in trouble, well, then they aren't your friends, are they?

You could write a shell script to run ps and log the results every x minutes. You might not catch everything, but you would see any long-term annoying commands.
_________________
Oderint dum metuant
-Caligula
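
The periodic ps logging suggested in the post above, as an added example that is not part of the original thread. It assumes shell accounts have UID >= 1000 and that the log directory is readable only by root; the script path in the cron comment and the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: log what regular users are running.
# Assumptions: shell accounts have UID >= 1000; LOG_DIR is root-only.
LOG_DIR="${LOG_DIR:-/var/log/ps-snapshots}"
MIN_UID="${MIN_UID:-1000}"

# Constructed sample in the layout produced by the ps call below.
sample_ps() {
    cat <<'EOF'
    0 root         1    3-02:11:09 init [3]
 1001 alice     4242         02:13 nmap 192.0.2.10
 1002 bob       4310         00:04 vim notes.txt
EOF
}

# stdin: ps lines starting with a numeric UID. stdout: one timestamped
# line per process owned by a regular user; system accounts are dropped.
filter_snapshot() {
    awk -v min="$MIN_UID" -v ts="$1" '
        $1 + 0 >= min + 0 { sub(/^[ \t]+/, ""); print ts, $0 }'
}

# Append one snapshot to a per-day file so earlier snapshots are never
# overwritten, and keep the files unreadable to the watched users.
take_snapshot() {
    umask 077
    mkdir -p "$LOG_DIR" || return 1
    ps -e -o uid= -o user= -o pid= -o etime= -o args= |
        filter_snapshot "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        >> "$LOG_DIR/$(date -u +%Y-%m-%d).log"
}

# Root crontab entry (hypothetical path):
#   */5 * * * * /usr/local/sbin/ps-snapshot.sh run
if [ "${1:-}" = "run" ]; then
    take_snapshot
fi
```

Anything that starts and exits between two runs is not recorded, which is the gap the post itself points out.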
Tazok
Guru

Joined: 25 Oct 2003
Posts: 310

Posted: Tue Dec 28, 2004 1:32 am

You could set up process accounting. This way you know exactly which programs they were running, for how long, and how much CPU time they have consumed.
Code:
 emerge acct
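
Once accounting is enabled, the acct package's lastcomm lists every finished command with its user. The following is an added example, not part of the original thread, that condenses that output into a per-user report; the WATCH pattern, the script name and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises lastcomm records per user.
# WATCH is an assumed, site-chosen regex of command names to flag.
WATCH="${WATCH:-nmap}"

# Constructed sample in lastcomm's layout:
# command, flags (may be blank), user, tty, CPU time, "secs", start time.
sample_records() {
    cat <<'EOF'
nmap              S     alice    pts/3      0.42 secs Mon Dec 27 21:10
nmap                    alice    pts/3      1.08 secs Mon Dec 27 21:02
bash               F    alice    pts/3      0.00 secs Mon Dec 27 21:01
ls                      bob      pts/4      0.00 secs Mon Dec 27 20:58
EOF
}

# stdin: lastcomm output. stdout: "user command runs cpu_secs flag", sorted.
summarize_acct() {
    awk -v watch="^(${WATCH})\$" '
    {
        # The flags column can be empty, which shifts every later field.
        # Find the literal "secs" token and count back from it.
        s = 0
        for (i = 2; i <= NF; i++) if ($i == "secs") { s = i; break }
        if (s < 5) next                 # not an accounting record
        key = $(s - 3) " " $1           # user, command
        runs[key]++
        cpu[key] += $(s - 1)
    }
    END {
        for (k in runs) {
            split(k, p, " ")
            printf "%s %s %d %.2f %s\n", p[1], p[2], runs[k], cpu[k],
                   (p[2] ~ watch) ? "WATCH" : "-"
        }
    }' | sort
}

# Live use (accounting must already be on): ./acct-report.sh report alice
if [ "${1:-}" = "report" ]; then
    lastcomm --user "$2" | summarize_acct
fi
```

Unlike shell history, these records are written by the kernel when a process exits, so they do not depend on anything in the user's environment.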
All times are GMT