FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Sep 2008
    Posts
    5

    Email on ALL ssh login attempts.

    I know this is probably easy, and if I only took a while to figure it out maybe I could, but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to log in over ssh to my system. I'm open to everything, daemons/scripts or cron, it all works as I am not running a production server (but I might be starting that soon). Oh, and just as an aside, how do I get sent an email when I get port scanned?

    --Thanks
    Last edited by monks700; 28th April 2009 at 02:23 AM.

  2. #2
    Join Date
    Nov 2007
    Posts
    42
    I suppose the easiest way would be to take advantage of the .bashrc file in the users' home directory. Just add a sendmail line [or ssmtp] in the file. You probably want to change the permissions so the user can't delete the sendmail line. For this I will use SSMTP.
    [install from the repos, and follow the guide here]

    First make your message file.

    (.loginmessage)
    Code:
    To: myemailaddress@server.com
    From: myemailaddress@server.com
    Subject: SSH Login
    
    Login by:
    Then put this in /home/[user]/.bashrc
    Code:
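    # .bashrc
    
    # Source global definitions
    if [ -f /etc/bashrc ]; then
    	. /etc/bashrc
    fi
    
    # User specific aliases and functions
    # Start from the header template; use $HOME so this works from any directory
    cp "$HOME/.loginmessage" "$HOME/.loginmessagetmp"
    
    # Append the user name and the UTC time to the message body
    whoami >> "$HOME/.loginmessagetmp"
    echo "   On the local server at:" >> "$HOME/.loginmessagetmp"
    date -u >> "$HOME/.loginmessagetmp"
    
    # Send the message, then remove the temporary copy
    ssmtp myemailaddress@server.com < "$HOME/.loginmessagetmp"
    rm -f "$HOME/.loginmessagetmp"
    You should also consider looking at the ssh logs. You can use at or cron to email the file /var/log/secure.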

  3. #3
    Join Date
    Sep 2008
    Posts
    5
    The code you gave only shows successful logins, but I need it to email me on failed logins as well. If I do have it email me the secure log, I would only want it to email on failed attempts.

  4. #4
    Join Date
    Nov 2007
    Posts
    42
    As root (or change permissions on /var/log/secure):
    Code:
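    #!/bin/bash
    # Write the mail headers, followed by the blank line that ends them
    echo "To: myemailaddress@server.com" > mail.tmp
    echo "From: myemailaddress@server.com" >> mail.tmp
    echo "Subject: SSH Login" >> mail.tmp
    echo "" >> mail.tmp
    # Body: every failed password attempt recorded in the log
    grep "Failed password" /var/log/secure >> mail.tmp
    # Send the message, then remove the temporary file
    ssmtp myemailaddress@server.com < mail.tmp
    rm -f mail.tmp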
    You could probably use the 'at' command or cron to schedule it to be sent regularly. Hope this is what you wanted.
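
The script in post #4 re-sends every "Failed password" line in the log on each run. As an added example (not code from any poster in this thread), the variant below remembers how far it has read and mails only new failures, so it can run from cron; the state file path, the `--run` flag, the script path in the crontab comment and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Paths and address are placeholders.
LOG=${LOG:-/var/log/secure}                 # log file named in the thread
STATE=${STATE:-/var/lib/ssh-alert.offset}   # hypothetical state file
RCPT=${RCPT:-myemailaddress@server.com}     # placeholder address from the thread

# Print the "Failed password" lines appended to log $1 since the byte offset
# stored in state file $2, then store the new offset.
new_failures() {
    log=$1; state=$2; offset=0
    [ -r "$log" ] || return 1
    size=$(( $(wc -c < "$log") ))
    [ -f "$state" ] && offset=$(cat "$state")
    case $offset in ''|*[!0-9]*) offset=0 ;; esac   # ignore a corrupt state file
    [ "$offset" -gt "$size" ] && offset=0           # file shrank: log was rotated
    # head caps the read at $size, so lines written meanwhile wait for the next run
    tail -c "+$((offset + 1))" "$log" | head -c "$((size - offset))" |
        grep -a "Failed password" || true
    echo "$size" > "$state"
}

# Wrap the lines in the same header layout the thread's scripts feed to ssmtp.
build_mail() {
    printf 'To: %s\nFrom: %s\nSubject: SSH failed logins on %s\n\n%s\n' \
        "$RCPT" "$RCPT" "$(hostname)" "$1"
}

main() {
    failures=$(new_failures "$LOG" "$STATE") || exit 1
    # Stay silent when nothing new failed, so a frequent cron job sends no empty mail.
    [ -n "$failures" ] || exit 0
    build_mail "$failures" | ssmtp "$RCPT"
}

# Hypothetical entry in root's crontab:
#   */5 * * * * /usr/local/sbin/ssh-alert.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

If the log is rotated and the new file grows past the stored offset before the next run, the lines before that offset are skipped, so keep the cron interval short.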

  5. #5
    Join Date
    Dec 2008
    Posts
    4
    http://www.fail2ban.org/wiki/index.php/Main_Page
    Fail 2 Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.
    It can also be configured to email you on each failed login attempt.

  6. #6
    Join Date
    Sep 2008
    Posts
    5

    At command

    @zach what is the at command and how is it used, especially in this situation?
    @mrT thanks, I'll look into it.

  7. #7
    Join Date
    Nov 2007
    Posts
    42
    From the at man page:


    DESCRIPTION
    at and batch read commands from standard input or a specified file
    which are to be executed at a later time.

    at executes commands at a specified time.

    For example, to run a job at 4pm three days from now, you would do at
    4pm + 3 days, to run a job at 10:00am on July 31, you would do at 10am
    Jul 31 and to run a job at 1am tomorrow, you would do at 1am tomorrow.

    The exact definition of the time specification can be found in
    /usr/share/doc/at-3.1.10/timespec.

    -t time_arg
    Submit the job to be run at the time specified by the
    time_arg option argument, which must have the same format
    as specified for the touch(1) utility’s -t time option
    argument ([[CC]YY]MMDDhhmm).
    So maybe something like:
    Code:
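    # Queue the send for 12:00 today; the here-document is the job's command list.
    # (EOF instead of !!, which an interactive bash would history-expand.)
    at 1200 today << EOF
    ssmtp myemailaddress@server.com < mail.tmp
    EOF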
    Take a look at this page for cron and at: http://www.rahul.net/raithel/MyBackPages/crontab.html
