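#!/bin/bash
#
# Suspicious Login Monitor - Configuration Example
# Copy this file to suspicious-login-monitor.conf and customize
#
# Usage:
#   cp suspicious-login-monitor.conf.example suspicious-login-monitor.conf
#   Edit suspicious-login-monitor.conf with your settings
#   source suspicious-login-monitor.conf
#   bash suspicious-login-monitor.sh
#
# This file is loaded with `source`, so it is executed as shell code by the
# shell that runs the monitor, with that user's privileges (usually root).
# Treat it like any other root-run script:
#   - keep it owned by root and not group/world-writable (e.g. chmod 600);
#     a writable config file is a code-execution path into the monitor
#   - put only literal values in it; do not paste values from untrusted
#     sources or generate it from unvalidated input
#   - it must be sourced, not run: `bash suspicious-login-monitor.conf`
#     sets the variables in a child shell and the monitor never sees them
#
# Every setting below only lowers or suppresses risk scores. Each one you
# enable is a deliberate blind spot, so keep whitelists, ignore lists and
# time windows as small as the real workload needs.
#
# ===================================================================
# FALSE POSITIVE REDUCTION SETTINGS
# ===================================================================

# Check package manager logs to identify legitimate system updates
# Recommended: yes (reduces false positives by ~80% for package updates)
export FP_CHECK_PACKAGE_LOGS="yes"

# Require multiple indicators before raising risk significantly
# Recommended: yes (reduces false positives for isolated benign events)
# Set to "no" on hosts where a single change is itself noteworthy
# (see the SINGLE ADMIN example below).
export FP_REQUIRE_MULTIPLE_INDICATORS="yes"

# Reduce risk for activity during business hours (9am-5pm Monday-Friday)
# Recommended: no (default), yes (for environments with regular admin work)
# Caveat: stolen credentials are frequently used during business hours
# precisely to blend in, so this lowers the score for that case as well.
export FP_IGNORE_BUSINESS_HOURS="no"

# Number of SSH keys in root's authorized_keys before flagging
# Default: 10 (was 5)
# Increase for multi-admin environments; set it just above the number of
# keys you actually expect so one added backdoor key still trips it.
export FP_SSH_KEY_THRESHOLD="10"

# Number of password changes before flagging as "mass change"
# Default: 5 accounts
# Increase for hosting providers with many customers
export FP_PASSWORD_CHANGE_THRESHOLD="5"

# Minimum account age (in days) before considering "established"
# Accounts older than this are less suspicious
# Default: 30 days
export FP_MIN_ACCOUNT_AGE_DAYS="30"

# ===================================================================
# WHITELIST / IGNORE SETTINGS
# ===================================================================

# Trusted users (comma-separated)
# Changes by these users receive reduced risk scores
# Example: "admin,bob,alice,deploy"
# These accounts are exactly the ones an attacker wants; a compromised
# whitelisted admin scores lower, not zero, so keep the list to the accounts
# whose activity you have verified is routine.
export FP_WHITELIST_USERS=""

# Trusted IP addresses (comma-separated)
# Login attempts from these IPs receive reduced risk scores
# Example: "192.168.1.100,10.0.0.50,172.16.1.10"
# A NAT gateway or VPN concentrator address covers every host behind it,
# so whitelist the narrowest address that matches your admins.
# The MSP example below uses CIDR notation; confirm the script version you
# run accepts ranges before relying on it, the other examples use single
# addresses.
export FP_WHITELIST_IPS=""

# Users to completely ignore (comma-separated)
# These users will be filtered out of all detections
# Useful for service accounts, backup users, etc.
# Example: "deploy,backup,monitoring,jenkins"
# Unlike FP_WHITELIST_USERS this removes the account from every detection,
# so a compromised CI/CD, deploy or backup account (often holding broad
# credentials) is invisible to the monitor. Prefer FP_WHITELIST_USERS where
# a reduced score is enough.
export FP_IGNORE_USERS=""

# Safe time windows for maintenance (comma-separated)
# Format: Day:StartHour-EndHour or *:StartTime-EndTime
# Day: Mon, Tue, Wed, Thu, Fri, Sat, Sun, * (any day)
# Examples:
#   "Sun:02-04"         = Sunday 2am-4am
#   "*:03-03:30"        = Every day 3:00am-3:30am
#   "Sun:02-04,*:03-04" = Sunday 2am-4am AND every day 3am-4am
# Match the window to the real job schedule; a window that covers several
# hours every night also covers an attacker who works at night.
export FP_SAFE_TIME_WINDOWS=""

# ===================================================================
# EXAMPLE CONFIGURATIONS BY USE CASE
# ===================================================================

# --------------------------------------------------------------------
# SHARED HOSTING PROVIDER (Many customer accounts, frequent activity)
# --------------------------------------------------------------------
#export FP_SSH_KEY_THRESHOLD="20"
#export FP_PASSWORD_CHANGE_THRESHOLD="20"
#export FP_IGNORE_BUSINESS_HOURS="yes"
#export FP_CHECK_PACKAGE_LOGS="yes"
#export FP_IGNORE_USERS="cpanel,nobody,mailnull"
#export FP_SAFE_TIME_WINDOWS="*:02-04"   # Nightly backups

# --------------------------------------------------------------------
# ENTERPRISE (High security, multiple admins, regular maintenance)
# --------------------------------------------------------------------
#export FP_SSH_KEY_THRESHOLD="15"
#export FP_PASSWORD_CHANGE_THRESHOLD="5"
#export FP_IGNORE_BUSINESS_HOURS="yes"
#export FP_WHITELIST_USERS="admin1,admin2,admin3"
#export FP_WHITELIST_IPS="10.0.1.50,10.0.1.51,10.0.1.52"
#export FP_SAFE_TIME_WINDOWS="Sun:02-06,Wed:22-24"   # Weekend + mid-week patching

# --------------------------------------------------------------------
# DEVELOPMENT/STAGING (Frequent changes, multiple developers)
# --------------------------------------------------------------------
#export FP_SSH_KEY_THRESHOLD="25"
#export FP_PASSWORD_CHANGE_THRESHOLD="50"
#export FP_IGNORE_BUSINESS_HOURS="yes"
#export FP_CHECK_PACKAGE_LOGS="yes"
#export FP_WHITELIST_USERS="dev1,dev2,dev3,jenkins,gitlab-runner"
#export FP_IGNORE_USERS="deploy,staging,ci"
#export FP_MIN_ACCOUNT_AGE_DAYS="7"   # Devs create test accounts frequently

# --------------------------------------------------------------------
# SINGLE ADMIN (High security, minimal legitimate changes)
# --------------------------------------------------------------------
#export FP_SSH_KEY_THRESHOLD="5"
#export FP_PASSWORD_CHANGE_THRESHOLD="2"
#export FP_IGNORE_BUSINESS_HOURS="no"
#export FP_REQUIRE_MULTIPLE_INDICATORS="no"
#export FP_WHITELIST_IPS="203.0.113.50"   # Admin's home IP
#export FP_SAFE_TIME_WINDOWS="Sun:01-02"  # Sunday 1am automated maintenance

# --------------------------------------------------------------------
# MANAGED SERVICE PROVIDER (Multiple customers, frequent access)
# --------------------------------------------------------------------
#export FP_SSH_KEY_THRESHOLD="30"
#export FP_PASSWORD_CHANGE_THRESHOLD="15"
#export FP_IGNORE_BUSINESS_HOURS="yes"
#export FP_WHITELIST_USERS="msp-admin,tier1,tier2,tier3"
#export FP_WHITELIST_IPS="198.51.100.0/24"   # MSP office network (use CIDR notation)
#export FP_SAFE_TIME_WINDOWS="*:00-06"       # Allow overnight maintenance any day
#                                            # (six hours a day of reduced scoring)

# ===================================================================
# USAGE EXAMPLES
# ===================================================================

# Example 1: Run with this config file
#   cp suspicious-login-monitor.conf.example suspicious-login-monitor.conf
#   # Edit suspicious-login-monitor.conf
#   source suspicious-login-monitor.conf
#   bash suspicious-login-monitor.sh

# Example 2: Set environment variables inline
#   FP_WHITELIST_USERS="admin,bob" FP_SSH_KEY_THRESHOLD=20 bash suspicious-login-monitor.sh

# Example 3: Export for current session
#   export FP_WHITELIST_USERS="admin,bob,alice"
#   export FP_WHITELIST_IPS="192.168.1.100,10.0.0.50"
#   bash suspicious-login-monitor.sh

# ===================================================================
# TIPS FOR REDUCING FALSE POSITIVES
# ===================================================================

# 1. Identify your legitimate admin users and add to FP_WHITELIST_USERS
# 2. Add your office/VPN IP addresses to FP_WHITELIST_IPS
# 3. Set FP_SAFE_TIME_WINDOWS to match your backup/maintenance schedules
# 4. Use FP_IGNORE_USERS for service accounts (backup, monitoring, CI/CD),
#    remembering that ignored accounts are never reported at all
# 5. Increase thresholds for high-activity environments (hosting providers)
# 6. Enable FP_IGNORE_BUSINESS_HOURS if you do most admin work during the day
# 7. Monitor the script output and adjust based on patterns you see
# 8. Review this file whenever admins, service accounts or office networks
#    change, so stale entries do not keep suppressing findings

# ===================================================================
# MONITORING OUTPUT FOR TUNING
# ===================================================================

# The script will show context in findings to help you tune:
#   [admin-active]     = Admin was logged in (legitimate activity likely)
#   [yum_activity]     = Package manager was running (legitimate update)
#   [cpanel]           = cPanel created the account (hosting customer)
#   [business-hours]   = Activity during 9am-5pm (less suspicious)
#   [safe-window]      = Activity during configured maintenance window
#   [all-whitelisted]  = All users involved are whitelisted

# If you see repeated false positives with specific patterns, add those
# users/IPs/times to the whitelist/ignore/safe window settings.
# Before adding an entry, confirm the activity really was yours; tuning
# away a finding you have not explained turns an alert into a blind spot.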