10

My CentOS/RHEL system may have been hacked, I'm not sure. But I'm playing it safe by creating a new slice from scratch.

I've installed tripwire, but I'd also like to be emailed when anyone logs in. I don't want to wait for the daily logwatch report, I want an immediate email when anyone logs in. Preferably with their ip address too.

Suggestions?

Similar to Send email alert on log file entry? but maybe someone has a technique for this specific issue.

Thanks,

Larry

Added: http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1249534744623+28353475&threadId=698232 has some ideas

LarryK

7 Answers

9

You should use a solution for log monitoring like OSSEC; it will look in your logs for security information (including login, sudo, etc.) and send you an e-mail when the alert is important.

It's easy to configure and you can raise the alert level for e-mails or include an alert-by-email on the specific alert.

It can also do configurable active-response, blocking IPs and denying access for a period of time by default.

chmeee
4

You could put this in your .bashrc:

echo 'ALERT - Root Shell Access to' $(hostname) 'on:' `date` `who` \
| mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" YOUREMAIL
Andrew Schulman
adam
4

Slight change of adam's solution which doesn't break if root is logged in to more than one terminal:

login_info="$(who | head -n1 | cut -d'(' -f2 | cut -d')' -f1)"
message="$(
printf "ALERT - Root Shell Access (%s) on:\n" "$(hostname)"
date
echo
who
)"
mail -s "Alert: Root Access from ${login_info}" admin <<< "${message}"
alexh
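Both .bashrc variants above pick the origin out of who(1) output, and the second one takes the first line, which is not necessarily the session that just opened. The following is an added example, not code from adam's or alexh's answers: it prefers the origin sshd hands the shell in SSH_CONNECTION, falls back to `who -m` (the entry for the current terminal only), reduces the origin to a safe character set before it goes into the Subject: header, and only fires from interactive shells so that scp or rsync over ssh does not send mail or get its stdout polluted. The recipient address ALERT_TO and local mail delivery are assumptions.

```bash
#!/bin/bash
# Added example (not from the original answers): root ~/.bashrc login alert
# that identifies the *current* session rather than the first who(1) line.
ALERT_TO="${ALERT_TO:-root@localhost}"   # assumption: a local MTA delivers this

# Extract the origin host from one who(1) line, e.g.
#   "root     pts/0        2009-08-06 12:34 (203.0.113.7)"  ->  203.0.113.7
# Prints "local" when the line carries no "(host)" field (console logins).
origin_from_who_line() {
    local line="$1" host
    host="${line##*\(}"          # drop everything up to the last "("
    host="${host%\)*}"           # drop the closing ")" and anything after it
    [ "$host" = "$line" ] && host="local"   # no parentheses at all
    printf '%s\n' "$host"
}

# SSH_CONNECTION is "client_ip client_port server_ip server_port", set by sshd.
# Fall back to the who(1) entry for our own tty; "local" if neither exists.
login_origin() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
        return 0
    fi
    local mine
    mine="$(who -m 2>/dev/null)"   # -m: only the entry attached to stdin
    if [ -n "$mine" ]; then
        origin_from_who_line "$mine"
    else
        printf 'local\n'
    fi
}

# who(1) output is attacker-influenced (a reverse-DNS name for the peer, for
# instance), so keep the Subject: to one header line of harmless characters.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9.:_-' | head -c 253
    printf '\n'
}

# Alert body on stdout so it can be piped to mail(1) or inspected.
login_alert_body() {
    printf 'ALERT - %s shell on %s at %s\nOrigin: %s\n\nCurrent sessions:\n%s\n' \
        "$(id -un)" "$(hostname)" "$(date)" "$1" "$(who)"
}

# True only for interactive shells; bash also reads ~/.bashrc for
# "ssh host command", where an alert per batch job would be noise.
interactive_shell() { case "$-" in *i*) return 0 ;; *) return 1 ;; esac; }

send_login_alert() {
    local origin subj
    origin="$(login_origin)"
    subj="Alert: $(id -un) login on $(hostname) from $(sanitize "$origin")"
    login_alert_body "$origin" | mail -s "$subj" "$ALERT_TO"
}

# Last line of ~/.bashrc:
interactive_shell && send_login_alert
```

Because sshd sets SSH_CONNECTION before the shell starts, this does not depend on who(1) at all for SSH logins; the who(1) path only serves console and serial logins, where the origin is the tty rather than an address.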
2

This article describes how to send email on SSH login using PAM.

Paul
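A PAM hook is the one approach on this page that does not depend on the user's shell or rc files: it fires for sftp, scp and forced-command sessions too, and for public-key logins (which skip the auth stack but still run the session stack). The script below is an added example and is not the one from the linked article. It assumes the wiring shown in the header comment, that pam_exec exports PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TYPE (it does), and that a local MTA delivers to ALERT_TO.

```bash
#!/bin/sh
# Added example (not the linked article's script): pam_exec(8) hook that
# mails on every sshd session open, independent of the user's shell.
# Assumed wiring, one line added to /etc/pam.d/sshd after the existing
# "session" entries (the script must be root-owned, mode 0755):
#   session    optional     pam_exec.so /usr/local/sbin/login-notify.sh
ALERT_TO="${ALERT_TO:-root@localhost}"   # assumption: a local MTA delivers this

# pam_exec runs the script for open_session *and* close_session; only the
# former should alert.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# Message built from PAM's environment. Positional arguments override the
# environment so the function can be exercised with constructed values.
pam_login_message() {
    user="${1:-${PAM_USER:-?}}"
    rhost="${2:-${PAM_RHOST:-local}}"
    service="${3:-${PAM_SERVICE:-?}}"
    printf 'Login via %s for user %s from %s on %s at %s\n' \
        "$service" "$user" "$rhost" "$(hostname)" "$(date '+%Y-%m-%dT%H:%M:%S%z')"
}

# PAM_RHOST can be a reverse-DNS name chosen by the peer, so reduce it to a
# safe character set before it becomes part of a mail header.
subject_for() {
    printf 'Alert: %s login by %s from %s\n' "$1" "$2" \
        "$(printf '%s' "$3" | tr -cd 'A-Za-z0-9.:_-')"
}

main() {
    should_notify || exit 0
    pam_login_message |
        mail -s "$(subject_for "${PAM_SERVICE:-?}" "${PAM_USER:-?}" "${PAM_RHOST:-local}")" "$ALERT_TO"
    # Always succeed: "optional" ignores our status, but a hook that can fail
    # must never turn into a way to block logins.
    exit 0
}

# Act as a hook only when pam_exec invoked us (PAM_TYPE is then set); when
# sourced or run by hand the functions are defined without side effects.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Keep the control word `optional` rather than `required`: a failing mail command would otherwise deny the login, which is a denial-of-service path for anyone who can make the MTA unhappy. The same line works for other services (add it to /etc/pam.d/login for console logins); PAM_SERVICE tells you which one fired.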
2

You can add the appropriate command to, or call a script from, /etc/profile.

John Gardeniers
2

Be aware though that if your machine has been hacked it may be a trivial task for the hacker - assuming it's not a script kiddie we're talking about there - to disable the email alerting function.

Maximus Minimus
    Yes, that's why I want an email sent as soon as anyone logs in. -- The server doesn't get that many logins. I figure that way it will lower the odds of someone being able to prevent the email going out about their initial breakin (if via a login shell). – LarryK Aug 06 '09 at 20:39
2

I published a bash script on Github Gist that does what you're looking for. It will email the system administrator anytime a user logs in from a new IP address. I use the script to scrutinize logins on our tightly controlled production systems. If a login is compromised, we'd get notified about the unusual login location and have a chance to lock them out of the system before they cause serious damage.

To install the script, just update it with your sysadmin email, and copy it into /etc/profile.d/.

Elliot B.
  • Please try to not copy-and-paste [your own answers](https://serverfault.com/a/915153/37681). If you feel that questions are essentially the same and the same solution applies to both the preferred method is to [mark one question as duplicate](https://serverfault.com/help/duplicates) of the other. – HBruijn Jun 05 '18 at 06:01
  • @HBruijn I considered that approach. However, in this case, the two questions are similar, but not duplicate -- yet the same answer still applies to both. – Elliot B. Jun 05 '18 at 06:31
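The Gist itself is not reproduced here; the following is an added example of the same idea (alert only on the first login from an address this account has not been seen from before) written for /etc/profile.d/, not Elliot B.'s script. It takes the client address from SSH_CONNECTION, keeps a per-user list of known addresses in a state file, and mails only when the address is new. Assumptions: the state directory LOGIN_ALERT_STATE (default under the user's home), and local delivery to ALERT_TO. Note the limitation that John Gardeniers's answer points at: because /etc/profile.d/ scripts run as the logging-in user, that user (or whoever holds the account) can edit the state file and silence later alerts; the first login from a new address is still caught.

```bash
#!/bin/bash
# Added example (not the Gist referenced above): /etc/profile.d/ hook that
# alerts on the first login from an address not seen before for this account.
ALERT_TO="${ALERT_TO:-root@localhost}"                 # assumption: local MTA
STATE_DIR="${LOGIN_ALERT_STATE:-$HOME/.login-alert}"   # assumed location

# Record address $2 in state file $1 unless it is already listed.
# Returns 0 when the address was new (and is now recorded), 1 when known or
# empty. Files are created with umask 077 so other users cannot read them.
record_if_new() {
    local file="$1" ip="$2"
    [ -n "$ip" ] || return 1                      # console login: nothing to compare
    if [ -f "$file" ] && grep -qxF -- "$ip" "$file"; then
        return 1
    fi
    ( umask 077; mkdir -p "$(dirname "$file")"; printf '%s\n' "$ip" >> "$file" )
}

# Alert text on stdout, kept separate from sending so it can be inspected.
new_ip_alert_body() {
    printf 'New login location for %s on %s\nAddress: %s\nTime: %s\n\nKnown addresses:\n%s\n' \
        "$(id -un)" "$(hostname)" "$1" "$(date)" "$(cat "$2" 2>/dev/null)"
}

main() {
    local ip="${SSH_CONNECTION%% *}"   # sshd-provided client address; empty on the console
    local file="$STATE_DIR/$(id -un).ips"
    if record_if_new "$file" "$ip"; then
        new_ip_alert_body "$ip" "$file" |
            mail -s "Alert: $(id -un) on $(hostname) from new address $ip" "$ALERT_TO"
    fi
}

# /etc/profile.d/ scripts are sourced by interactive login shells; run only
# then, so batch "ssh host command" sessions and plain script runs stay silent.
case "$-" in *i*) main ;; esac
```

The address comes from SSH_CONNECTION rather than who(1), so there is nothing to parse and nothing the peer controls ends up in the Subject: line. For a state file the user cannot tamper with, move the same logic into a pam_exec session hook, which runs as root and can keep its files under /var/lib.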