Saturday, April 3, 2010

Locked Out User Accounts

In the process of coming up with daily/weekly checklists, one thing that we wanted to check for was locked out user accounts. This would tell us if someone accidentally locked out their account or if an account got locked out due to a brute force attack. I threw together a Perl script that would parse the /etc/shadow file for locked out user accounts and then made a cron job for it to check every six hours.

#!/usr/bin/env perl
use strict;
use warnings;

# Open the /etc/shadow file for reading (needs root privileges)
open(my $in, "<", "/etc/shadow") or die "Can't open the file: $!";

# Parse each line looking for locked out accounts
while (my $line = <$in>) {

        # File Format username:password:0:99999:0:::
        # Only match a "!" at the start of the password (second) field
        if ($line =~ m/^[^:]*:!/) {

                # If a locked out user is found print their username
                my @user = split(/:/, $line);
                print "Found locked out account: $user[0]\n";

        }

}

close($in);
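
The check above treats every password field that starts with "!" as a lockout, which also catches accounts that never had a password set ("!", "!!"). The following is an added example, not part of the original script: it goes a step further and separates locked accounts that still hold a hash from never-set, empty and expired ones. The sub name classify_shadow_entry and the sample entries under __DATA__ are made up for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Classify one /etc/shadow line. Returns (username, status), or an empty
# list for lines that are not shadow entries.
# classify_shadow_entry is a name made up for this example.
sub classify_shadow_entry {
    my ($line, $today) = @_;
    chomp $line;
    # Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
    my ($user, $pw, @rest) = split /:/, $line, -1;
    return unless defined $pw;
    my $expire = $rest[5] // '';

    # Expiry date is in days since 1970-01-01; an empty field means never
    return ($user, 'expired') if $expire =~ /^\d+$/ && $expire < $today;
    # Empty password field: no password is required to log in
    return ($user, 'empty-password') if $pw eq '';
    # "*", "!", "!!" and "!*" hold no hash: no password was ever set
    return ($user, 'no-password-set') if $pw =~ /^[!*]+$/;
    # "!" in front of a hash: locked with passwd -l or usermod -L
    return ($user, 'locked') if $pw =~ /^!/;
    return ($user, 'active');
}

my $today = int(time() / 86400);

# Read the file named on the command line, or the constructed sample below
my $fh;
if (@ARGV) {
    open($fh, '<', $ARGV[0]) or die "Can't open $ARGV[0]: $!";
} else {
    $fh = \*DATA;
}

while (my $line = <$fh>) {
    my ($user, $status) = classify_shadow_entry($line, $today);
    next unless defined $status && $status ne 'active';
    print "$user: $status\n";
}

__DATA__
root:$6$saltsalt$examplehashexamplehash:14700:0:99999:7:::
daemon:*:14700:0:99999:7:::
alice:!$6$saltsalt$examplehashexamplehash:14700:0:99999:7:::
bob:!!:14700:0:99999:7:::
carol:$6$saltsalt$examplehashexamplehash:14700:0:99999:7::14000:
dave::14700:0:99999:7:::
```

Run it with no arguments to use the sample entries, or pass /etc/shadow as the first argument when running as root from cron.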
