LinuxQuestions.org
Old 03-10-2007, 04:47 AM   #1
sachin1361
Member
 
Registered: Feb 2007
Posts: 126

Rep: Reputation: 15
monitoring


Can anybody create a script or something like that to help me see which unauthorized users are connected from the outside world? Commands such as who and netstat provide information on all users, but I want to generate a list of those users who are not authorized to connect to any of the services but still get connected anyhow. When running the above commands I have to check each variable, whether it is known or unknown to me, and based upon that information we come to a conclusion, and that takes significant time. If there were any command or script running which could generate a list of those users, it would simplify my monitoring task.


I monitored that someone on internet host 156.12.14.111 had connected to my computer, but now there is no connection from that IP address. I want to know which files were modified from that IP or which configurations have been altered from that host. How can I check that?

Last edited by sachin1361; 03-10-2007 at 05:05 AM.
 
Old 03-10-2007, 08:57 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
unauthorized users are connected from the outside world. The command such as who, netstat provides information of all users but I want to generate a list of those users which are not authorized to connect any of the services

Which "services" are you talking about, what does "the outside world" mean in relation to your box (anything not LAN? just some TLDs? or literally the whole world except a few IP ranges?) and what measures did you take to control access (so you can differentiate "authorised" from "unauthorised" "users")?
 
Old 03-11-2007, 03:53 AM   #3
sachin1361
Member
 
Registered: Feb 2007
Posts: 126

Original Poster
Rep: Reputation: 15
monitoring

We have one mail server, an Apache server and ssh/telnet enabled services which are accessed by internal users as well as by VPN clients from remote locations. But I want to take some precautionary measures so that in case other (not authenticated) users connect to any of these services, a customized report/file will be generated so that I could refer to the log files to trace individual lines.
 
Old 03-11-2007, 01:40 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If the server(s) are located behind a firewall/router and
- (is/are located in a DMZ)? and
- (traffic is being scrubbed by an IDS)? and
- the edge firewall is configured so only LAN and VPN clients have access to it and is logging attempts and
- the server (host-based) is configured so only LAN and VPN clients have access to it and is logging attempts and
- the services on server(s) are properly configured so only LAN and VPN clients have access to it and are logging attempts
then you have more than enough data to generate reporting. You can choose per-host reporting or you could deploy a central syslog server and for instance use Logwatch, Swatch, Logsurfer (old?) or Logsentry (old?) to generate reports. Determine if you need (near-)realtime alerting, multiple log checking tools and review the features of the products to see if they fit your requirements. See the LQ FAQ: Security references, post #1 under "Log analysis tools, resources" for application-specific tools or Freshmeat or Sourceforge.
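
Added example, not part of the original thread and not taken from any of the tools named above: a small per-host report that reads the service logs and lists every client address outside the LAN and VPN ranges, grouped by service. The address ranges, the log line formats (OpenSSH and Postfix via syslog, Apache common log format) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed LAN and VPN client ranges; replace with the site's real ones.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]

# One pattern per assumed log format; each captures the client as "ip".
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: (?:Accepted|Failed) \S+ for "
                       r"(?:invalid user )?\S+ from (?P<ip>\S+) port"),
    "postfix": re.compile(r"postfix/smtpd\[\d+\]: connect from [^\[\s]*\[(?P<ip>[^\]]+)\]"),
    "apache": re.compile(r"^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] \""),
}

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE_LOG = """\
Mar 11 13:40:12 srv sshd[2201]: Accepted password for alice from 192.168.1.20 port 51022 ssh2
Mar 11 13:41:02 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Mar 11 13:41:05 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Mar 11 13:42:30 srv postfix/smtpd[2302]: connect from unknown[198.51.100.23]
Mar 11 13:43:00 srv postfix/smtpd[2303]: connect from vpn-client[10.8.0.14]
198.51.100.23 - - [11/Mar/2007:13:44:10 -0500] "GET /admin HTTP/1.1" 403 210
192.168.1.33 - - [11/Mar/2007:13:45:00 -0500] "GET / HTTP/1.1" 200 512
""".splitlines()

def outside_connections(lines, allowed=ALLOWED_NETS):
    """Return {source: {service: count}} for clients outside the allowed ranges."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            source = m.group("ip")
            try:
                addr = ipaddress.ip_address(source)
                inside = any(addr in net for net in allowed)
            except ValueError:
                inside = False  # a hostname was logged; it cannot be shown to be LAN/VPN
            if not inside:
                report[source][service] += 1
            break  # a line belongs to one service only
    return {src: dict(svcs) for src, svcs in report.items()}

if __name__ == "__main__":
    for src, svcs in sorted(outside_connections(SAMPLE_LOG).items()):
        print(src, ", ".join(f"{s}={n}" for s, n in sorted(svcs.items())))
```

Run against the real log files from cron, the same function gives a daily list of addresses to look up in the full logs; entries logged as hostnames are reported rather than silently dropped.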
 
  

