[Feature Request] Ability to log when someone logs into the router (ssh or Web GUI)?


Rocketboy235

Occasional Visitor
Hello,

I was wondering if it would be possible to add a feature where you can see when someone tries to log into the router (whether a successful or failed attempt) from some IP address/device connected to the router and how long they have been logged in for.

Thought this might be useful for some cases such as when you want to know if someone else living in your house is trying to take over the router (such as your tech-inclined kids) and if they may know the login account information somehow without telling you anything.

What do you guys think? Something worth implementing or not worth it at all?
 

dave14305

Part of the Furniture
Don’t you see such messages now in the System Log?
 

Butterfly Bones

Very Senior Member
Syslog captures all logins and logouts. Not sure if there is a way to monitor and send an email or whatever.
Code:
Dec 21 18:06:20 RT-AC86U-4608 dropbear[2670]: Child connection from 192.168.X.X:41651
Dec 21 18:06:20 RT-AC86U-4608 dropbear[2670]: Password auth succeeded for 'usr_name' from 192.168.X.X:41651
Dec 21 18:07:02 RT-AC86U-4608 dropbear[2670]: Exit (usr_name): Exited normally
 

Martineau

Part of the Furniture
This crude SyslogEventMonitor.sh script I posted way back should get you started.

Download the script
Code:
curl -kL https://pastebin.com/raw.php?i=p4vWDu8J -o /jffs/scripts/SyslogEventMonitor.sh;dos2unix /jffs/scripts/SyslogEventMonitor.sh;chmod +x /jffs/scripts/SyslogEventMonitor.sh
then clone a new case statement section for the new messages or, for quick testing, simply change the MSG0001T variables from WAN monitoring.

e.g.
Code:
MSG0001T="SSH Login Monitor"                        # Title for Syslog messages/SendMail
MSG0001C=0                                          # DOWN message count
MSG0001D="Child connection from"                    # DOWN Trigger message
MSG0001U="Password auth succeeded for"              # UP message: Reset monitoring/recovery action message or perhaps any of these???
MSG0001XU=                                          # UP   action script
MSG0001XD=                                          # DOWN action script
To test, run the script in a terminal
Code:
./SyslogEventMonitor.sh
then create login attempts. I have an Xshell6 desktop icon that always opens 4 new SSH session tabs (Scripting, Backups, HTOP and Syslog), which is why they appear so quickly.

e.g. four successful....
Code:
RT-AC68U (PastebinScript.sh): 468 v1.01 © 2016-2018 Martineau. Get Pastebin script 'SyslogEventMonitor.sh'.... https://pastebin.com/raw.php?i=p4vWDu8J

RT-AC68U (SyslogEventMonitor.sh): 10297 v1.01 Syslog Event Monitor started.....

RT-AC68U dropbear[10374]: Password auth succeeded for 'admin' from xxx.xxx.xxx.111:53832
RT-AC68U (SyslogEventMonitor.sh): 10297 SSH Login Monitor SSH Login successful; Action=''
RT-AC68U dropbear[10394]: Password auth succeeded for 'admin' from xxx.xxx.xxx.111:53833
RT-AC68U (SyslogEventMonitor.sh): 10297 e-mail sent using curl smtps:// SSL/TLS (non-Certificate) mysmtp.server.com:nnn
RT-AC68U (SyslogEventMonitor.sh): 10297 SSH Login Monitor SSH Login successful; Action=''
RT-AC68U (SyslogEventMonitor.sh): 10297 e-mail sent using curl smtps:// SSL/TLS (non-Certificate) mysmtp.server.com:nnn
RT-AC68U dropbear[10434]: Password auth succeeded for 'admin' from xxx.xxx.xxx.111:53835
RT-AC68U dropbear[10490]: Password auth succeeded for 'admin' from xxx.xxx.xxx.111:53836
RT-AC68U (SyslogEventMonitor.sh): 10297 SSH Login Monitor SSH Login successful; Action=''
RT-AC68U (SyslogEventMonitor.sh): 10297 e-mail sent using curl smtps:// SSL/TLS (non-Certificate) mysmtp.server.com:nnn
RT-AC68U (SyslogEventMonitor.sh): 10297 SSH Login Monitor SSH Login successful; Action=''
RT-AC68U (SyslogEventMonitor.sh): 10297 e-mail sent using curl smtps:// SSL/TLS (non-Certificate) mysmtp.server.com:nnn
These two failed SSH attempt event messages are not in the script, so there was no email request logged in Syslog.
Code:
RT-AC68U dropbear[3072]: Login attempt for nonexistent user from xxx.xxx.xxx.111:53969
RT-AC68U dropbear[3302]: Bad password attempt for 'admin' from xxx.xxx.xxx.111:54027
 
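As an added example for this thread (not Martineau's SyslogEventMonitor.sh and not Asuswrt-Merlin project code), the POSIX shell script below shows the mechanics behind both replies above: it classifies the dropbear syslog lines Butterfly Bones and Martineau quote into successful logins, rejected attempts and session exits, and it pairs each successful login with its later exit by dropbear PID to answer the original poster's question of how long someone stayed logged in. Message formats are taken from the lines posted in this thread, plus dropbear's "Pubkey auth succeeded" message for key-based logins; the hostname, addresses, PIDs and timestamps in sample_log are constructed, and the /tmp/syslog.log path in the usage comment is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example for this thread, not Martineau's SyslogEventMonitor.sh and not
# Asuswrt-Merlin code. Classifies dropbear lines from the router syslog and
# pairs each successful login with its exit (by dropbear PID) to report how
# long the session lasted. Expects the busybox syslog layout shown in the
# thread: "Mon DD HH:MM:SS host dropbear[PID]: message".

# Classify one syslog line: connect, login_ok, login_fail, logout or none.
classify_dropbear_line() {
    case "$1" in
        *"dropbear["*"Child connection from"*)              echo connect ;;
        *"dropbear["*"Password auth succeeded for"*)        echo login_ok ;;
        *"dropbear["*"Pubkey auth succeeded for"*)          echo login_ok ;;   # key-based logins
        *"dropbear["*"Bad password attempt for"*)           echo login_fail ;;
        *"dropbear["*"Login attempt for nonexistent user"*) echo login_fail ;;
        *"dropbear["*"Exit ("*)                             echo logout ;;
        *)                                                  echo none ;;
    esac
}

# The dropbear child PID, which ties a login line to its later exit line.
dropbear_pid() {
    printf '%s\n' "$1" | sed -n 's/.*dropbear\[\([0-9]*\)\].*/\1/p'
}

# "HH:MM:SS" -> seconds since midnight (leading zero stripped so 08 is not read as octal).
time_to_secs() {
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# Read syslog lines on stdin and print, in arrival order:
#   SESSION <user> <src> <login_time> <seconds>   for each completed login
#   FAILED <src> <dropbear message>               for each rejected attempt
# Open sessions live in a temp dir, one file per PID, since sh has no arrays.
summarize_sessions() {
    state=$(mktemp -d) || return 1
    while IFS= read -r line; do
        ev=$(classify_dropbear_line "$line")
        if [ "$ev" = none ] || [ "$ev" = connect ]; then continue; fi
        pid=$(dropbear_pid "$line")
        stamp=$(printf '%s\n' "$line" | awk '{print $3}')
        src=$(printf '%s\n' "$line" | sed -n 's/.*from \([^ ]*\).*/\1/p')
        case "$ev" in
            login_ok)
                user=$(printf '%s\n' "$line" | sed -n "s/.*for '\([^']*\)'.*/\1/p")
                printf '%s %s %s\n' "$user" "$src" "$stamp" > "$state/$pid"
                ;;
            logout)
                if [ -f "$state/$pid" ]; then
                    read -r user src start < "$state/$pid"
                    secs=$(( $(time_to_secs "$stamp") - $(time_to_secs "$start") ))
                    # session crossed midnight
                    if [ "$secs" -lt 0 ]; then secs=$((secs + 86400)); fi
                    printf 'SESSION %s %s %s %s\n' "$user" "$src" "$start" "$secs"
                    rm -f "$state/$pid"
                fi
                ;;
            login_fail)
                msg=$(printf '%s\n' "$line" | sed 's/.*dropbear\[[0-9]*\]: //')
                printf 'FAILED %s %s\n' "$src" "$msg"
                ;;
        esac
    done
    rm -rf "$state"
}

# Constructed sample log: hostname, addresses, PIDs and times are made up for
# this example; the message formats are the ones quoted in the thread.
sample_log() {
    cat <<'EOF'
Dec 21 18:06:20 RT-AC86U-4608 dropbear[2670]: Child connection from 192.168.1.23:41651
Dec 21 18:06:20 RT-AC86U-4608 dropbear[2670]: Password auth succeeded for 'usr_name' from 192.168.1.23:41651
Dec 21 18:06:31 RT-AC86U-4608 dropbear[3072]: Login attempt for nonexistent user from 192.168.1.40:53969
Dec 21 18:06:45 RT-AC86U-4608 dropbear[3302]: Bad password attempt for 'admin' from 192.168.1.40:54027
Dec 21 18:07:02 RT-AC86U-4608 dropbear[2670]: Exit (usr_name): Exited normally
EOF
}

# Live use on the router (log path assumed, not from the thread):
#   tail -F /tmp/syslog.log | summarize_sessions | while read -r event; do ...notify...; done
# Stand-alone demo on the constructed sample:
sample_log | summarize_sessions
```

Each output line is one event, so the notifier stays separate from the matching: pipe SESSION and FAILED lines into whatever you already trust, such as the curl smtps: call Martineau's script uses. Note that the summarizer needs the timestamp column, so it works on lines as they appear in the router's syslog (as in Butterfly Bones's post), not on the trimmed lines Martineau pasted.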

AndreiV

Very Senior Member
Spend some time reading the forum/stickies.


https://www.snbforums.com/threads/faq-read-me-first-before-posting-a-question.47153/

Q: Will you add feature XYZ?
A: Chances are that no, since adding new features is a very low priority for this project. Just keeping code in sync with Asus has become nearly a full-time task for this project, and the increasing amount of closed source parts makes it increasingly harder to make significant changes to the firmware.


https://www.asuswrt-merlin.net/about

Asuswrt-Merlin is an alternative, customized version of that firmware. <.............................................> New feature addition is very low on the list of priorities for this project.

Scripts:

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
 

AndreiV

Very Senior Member
Simple, no need for any scripts:


GUI > Clients > choose 2 of YOUR clients (never one!) > MAC and IP Address Binding > Bind the Mac/IP's then go to GUI > Administration - System > Access restriction list > add devices > Save.

Now only the devices you own/control can access the router.

Your devices are protected obviously ...........?
 

Rocketboy235

Occasional Visitor
Thanks for the responses guys!

Forgot about the access restriction list but not sure if that affects VPN clients connected to the VPN server for the router as well.
I may try out your script, Martineau.
 
