How to Get Root and User SSH Login Email Alerts
Whenever we install, configure and secure Linux servers in a production environment, it is crucial for the security of the server to keep track of what is happening on it and who logs into it.
Why? Because if someone logs into the server as the root user using brute-force tactics over SSH, think about how he could destroy your server. Any user who gains root access can do whatever he wants. To block such SSH attacks, read our following articles that describe how to protect servers from such attacks.
So, it’s not a good practice to allow direct root login via an SSH session, and we recommend creating non-root accounts with sudo access. Whenever root access is needed, first log in as a normal user and then use su to switch over to the root user. To disable direct SSH root logins, follow our article below that shows how to disable and limit root login in SSH.
However, this guide shows a simple way to know when someone logs in as root or as a normal user: an email alert notification is sent to the specified email address along with the IP address of the last login. Once you know the IP address of a last login made by an unknown user, you can block SSH logins from that particular IP address with the iptables firewall.
How to Set SSH Login Email Alerts in Linux Server
To carry out this tutorial, you must have root-level access on the server, a little knowledge of the nano or vi editor, and mailx (mail client) installed on the server to send the emails. Depending on your distribution, you can install the mailx client using one of the following commands.
On Debian/Ubuntu/Linux Mint
# apt-get install mailx
On RHEL/CentOS/Fedora
# yum install mailx
Set SSH Root Login Email Alerts
Now log in as the root user and go to root’s home directory by typing the cd /root command.
# cd /root
Next, add an entry to the .bashrc file. This file sets local environment variables for the user and does some login tasks. For example, here we are setting an email login alert. Open the .bashrc file with the vi or nano editor. Please remember that .bashrc is a hidden file; you won’t see it with the ls -l command. You have to use the -a flag to see hidden files in Linux.
# vi .bashrc
Add the following as one whole line at the bottom of the file. Make sure to replace “ServerName” with the hostname of your server and “your@yourdomain.com” with your email address.
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" your@yourdomain.com
Save and close the file, then log out and log back in. Once you log in via SSH, the .bashrc file is executed by default and sends the root login alert to your email address.
Sample Email Alert
ALERT - Root Shell Access (Database Replica) on: Thu Nov 28 16:59:40 IST 2013 tecmint pts/0 2013-11-28 16:59 (172.16.**.***)
Set SSH Normal User Login Email Alerts
Log in as a normal user (infosol) and go to the user’s home directory by typing the cd /home/infosol/ command.
# cd /home/infosol
Next, open the .bashrc file and add the following line at the end of the file. Make sure to replace the values as shown above.
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" your@yourdomain.com
Save and close the file, then log out and log in again. Once you log back in, the .bashrc file is executed and sends the user login alert to your email address.
This way you can set an email alert on any user to receive login alerts. Just open the user’s .bashrc file, which should be located under the user’s home directory (i.e. /home/username/.bashrc), and set the login alerts as described above.
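
A sturdier variant of the .bashrc line above, as an added example that is not part of the original article: it takes the source address from the SSH_CONNECTION variable that sshd sets for the session instead of parsing who (which lists every logged-in session), and it mails only from interactive SSH shells. ALERT_TO, SERVER_NAME and the function names are placeholders chosen for this example.

```bash
# Added example, not from the original article: append to ~/.bashrc.
# ALERT_TO and SERVER_NAME are placeholders to replace with your own values.
ALERT_TO="your@yourdomain.com"
SERVER_NAME="ServerName"

# Print the client address from an SSH_CONNECTION value, which sshd sets to
# "client_ip client_port server_ip server_port"; print "unknown" if empty.
ssh_client_ip() {
    set -- "${1%% *}"            # keep only the first space-separated field
    printf '%s\n' "${1:-unknown}"
}

# Subject line. Args: user name, SSH_CONNECTION value.
alert_subject() {
    printf 'Alert: SSH login for %s from %s\n' "$1" "$(ssh_client_ip "$2")"
}

# Message body. Args: user name, SSH_CONNECTION value, timestamp.
alert_body() {
    printf 'ALERT - Shell Access (%s) on: %s\n' "$SERVER_NAME" "$3"
    printf 'user=%s source=%s\n' "$1" "$(ssh_client_ip "$2")"
}

# Mail only from interactive shells that were started over SSH, so local
# terminals and non-interactive sessions do not generate alerts.
case $- in
    *i*)
        if [ -n "${SSH_CONNECTION:-}" ]; then
            alert_body "$(id -un)" "$SSH_CONNECTION" "$(date)" |
                mail -s "$(alert_subject "$(id -un)" "$SSH_CONNECTION")" "$ALERT_TO"
        fi
        ;;
esac
```

Since .bashrc belongs to the user who logs in and can be edited by them, treat this mail as a convenience notification rather than a tamper-proof audit record.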