1

I followed these instructions

How to Get Root and User SSH Login Email Alerts

You have to add this code to .bashrc

```bash
echo 'ALERT - Root Shell Access (ServerName) on:' "$(date)" "$(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" your@yourdomain.com
```

I do get the notifications, but I am also getting ones that appear to originate from the localhost as well (every couple of minutes). Can I exclude the localhost ones, or is there a better way to only get the mail when someone logs in remotely?

Sl33py
  • 145
  • 1
  • 2
  • 9
  • The best and the only appropriate approach is to [Disable Root SSH Login](https://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/). No need for email alerts. If something bad happens, it'd be already too late when you finally read the email notification. – Esa Jokinen Jun 13 '17 at 06:10
  • I only allow access by ip address, we are only 2 using the server but I think unauthorized access is happening from the other user – Sl33py Jun 13 '17 at 07:26

2 Answers

1

The best & the only appropriate approach is to Disable Root SSH Login. No need for email alerts. If something bad happens, it'd be already too late when you finally read the email notification. That is already explained in the article you were following:

So it’s not a good practice to allow direct root login via SSH session and recommend to create non root accounts with sudo access. Whenever root access needed, first logged in as normal user and then use su to switch over to root user. To disable direct SSH root logins, follow our below [Disable SSH Root Login and Limit SSH Access] article that shows how to disable and limit root login in SSH.

If you are still willing to use email alerts instead...

The .bashrc solution seems to be very popular, but has some problems. It gets run (always and only) when bash is launched. It stops working if bash is replaced by any other shell, or no shell is launched at all (e.g. a login used only for tunneling or SFTP), and it also runs even when SSH is not involved. An attacker could modify the .bashrc before invoking bash in order to circumvent your alert.

Since you probably don't use SSH internally, using ~/.ssh/rc would meet the desired conditions, e.g.

```bash
ip=$(echo "$SSH_CONNECTION" | cut -d " " -f 1)
echo "Root login from $ip" | mail -s "Alert: SSH root login from $ip" your@example.com
```

Then, for global SSH login alerts I wouldn't use anything in the user's home ~/, as the user can easily modify it. The ~/.ssh/rc can be made a global default by using /etc/ssh/sshrc, and any user can override the settings by using their own ~/.ssh/rc, with an easy fallback by removing the file.

If you need to enforce the alert in a way a user cannot override, you could use /etc/pam.d/sshd: add the line `session optional pam_exec.so seteuid /path/to/login-notify.sh`, where the .sh script sends you (or the user) email.

Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
  • I did it in ~/.ssh/rc which will be fine for me, nagios sent me too many logins when it was in /etc/pam.d/sshd :) – Sl33py Jun 13 '17 at 08:28
  • That's the solution that does exactly what you want in your question. The rest are just for completeness. – Esa Jokinen Jun 13 '17 at 08:40
0

I published a bash script on Github Gist that does what you're looking for. It will email the system administrator anytime a user logs in from a new IP address. I use the script to scrutinize logins on our tightly controlled production systems. If a login is compromised, we'd get notified about the unusual login location and have a chance to lock them out of the system before they cause serious damage.

To install the script, just update it with your sysadmin email, and copy it into /etc/profile.d/.

If you wanted to restrict this to only root user logins, then you could deploy it to /root/.bashrc instead of /etc/profile.d/.

Elliot B.
  • 1,316
  • 2
  • 18
  • 28
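The answer above alerts only on a user logging in from a source not seen before, which is a different filter from the fixed trusted-source list in the earlier answer. The script below is an added example for this page, not Elliot B.'s Gist, of the core of that idea: a state file of known `user address` pairs, a check that reports whether a pair is new and records it, and a top-level part that mails on a new pair when sourced from `/etc/profile.d/`. The state-file path and recipient are assumptions.

```shell
#!/bin/sh
# Added example: alert on the first login of a user from a given source.
# Intended to be dropped into /etc/profile.d/ as the answer suggests.
# STATE_FILE and ADMIN_EMAIL are assumed values.

STATE_FILE=${STATE_FILE:-/var/lib/login-notify/known-sources}
ADMIN_EMAIL="your@example.com"

# is_new_source USER ADDR [STATE]: exit 0 and record the pair if it has not
# been seen before, exit 1 if it is already in the state file.
is_new_source() {
  user=$1; addr=$2; state=${3:-$STATE_FILE}
  [ -f "$state" ] || { mkdir -p "$(dirname "$state")"; : > "$state"; }
  # -F: literal match (dots in an address are not regex wildcards);
  # -x: whole line, so "alice 10.0.0.1" does not match "alice 10.0.0.10".
  if grep -qxF -- "$user $addr" "$state"; then
    return 1
  fi
  printf '%s %s\n' "$user" "$addr" >> "$state"
  return 0
}

# Only act for SSH sessions; SSH_CONNECTION starts with the client address.
if [ -n "$SSH_CONNECTION" ]; then
  me=$(id -un)
  src=${SSH_CONNECTION%% *}
  if is_new_source "$me" "$src"; then
    printf 'First login of %s from %s on %s at %s\n' \
      "$me" "$src" "$(uname -n)" "$(date '+%F %T')" |
      mail -s "Alert: new login source for $me" "$ADMIN_EMAIL"
  fi
fi
```

Because a `/etc/profile.d/` snippet runs as the logging-in user, that user must be able to append to the state file, which also means they can edit it; the earlier answer's point about user-modifiable hooks applies here as well, so on a system where that matters the same check belongs in a root-owned `pam_exec` script with a state file only root can write.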