Email on ALL ssh login attempts.

[monks700]

I know this is probably easy and if I only took a while to figure it out maybe I could but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything daemons/scripts or cron it all works as I am not running a production server (but I might be starting that soon). Oh and just a side how do I get sent an email when I get port scanned.

--Thanks

[zacharysturgeon]

I suppose the easiest way would be to take advantage of the .bashrc file in the users' home directory. Just add a sendmail line [or ssmtp] in the file. You probably want to change the permissions so the user can't delete the sendmail line. For this I will use SSMTP.
[install from the repos, and follow the guide here

First make your message file.

(.loginmessage)

Code:

To: myemailaddress@server.com
From: myemailaddress@server.com
Subject: SSH Login

Login by:

Then put this in /home/[user]/.bashrc

Code:

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
	. /etc/bashrc
fi

# User specific aliases and functions
cp .loginmessage .loginmessagetmp

whoami >> .loginmessagetmp
echo "   On the local server at:" >> .loginmessagetmp
date -u >> .loginmessagetmp

ssmtp myemailaddress@server.com < .loginmessagetmp
rm -rf .loginmessagetmp

You should also consider looking at the ssh logs. you can use at or cron to email the file /var/log/secure.

[monks700]

The code you gave only shows successful logins but I need it to email me on failed logins aswell. If I do have it email me the secure log I would only want it to email on failed attempts.

[zacharysturgeon]

As root (or change permissions on /var/log/secure):

Code:

#!/bin/bash
touch mail.tmp
echo "To: myemailaddress@server.com" > mail.tmp
echo "From: myemailaddress@server.com" >> mail.tmp
echo "Subject: SSH Login" >> mail.tmp
echo "" >> mail.tmp
cat /var/log/secure | grep "Failed password" >> mail.tmp
ssmtp myemailaddress@server.com < mail.tmp
rm -rf mail.tmp

You could probably use the 'at' command or cron to schedule it to be sent regularly. Hope this is what you wanted.

[MrT]

http://www.fail2ban.org/wiki/index.php/Main_Page
Fail 2 Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
It can also be configured to email you on each failed login attempt.

[monks700]

@zach what Is the at command and how is it used especially in this situation
@mrT thnks I'll look into it.

[zacharysturgeon]

From the at man page:

DESCRIPTION
at and batch read commands from standard input or a specified file
which are to be executed at a later time.

at executes commands at a specified time.

For example, to run a job at 4pm three days from now, you would do at
4pm + 3 days, to run a job at 10:00am on July 31, you would do at 10am
Jul 31 and to run a job at 1am tomorrow, you would do at 1am tomorrow.

The exact definition of the time specification can be found in
/usr/share/doc/at-3.1.10/timespec.

-t time_arg
Submit the job to be run at the time specified by the
time_arg option argument, which must have the same format
as specified for the touch(1) utility’s -t time option
argument ([[CC]YY]MMDDhhmm).

So maybe something like:

Code:

at 1200 today << !!
ssmtp myemailaddress@server.com < mail.tmp
!!

Take a look at this page for cron and at: http://www.rahul.net/raithel/MyBackPages/crontab.html