Shashikant shah

Monday, 15 October 2012

Email alert on root SSH login

Why should I enable email alert for every root login?
If you want to be notified instantly whenever someone logs in to your server, with the date, time and local IP address, you need to enable email alerts.
 
What are the disadvantages of enabling email alerts?
None. Please make sure that the email address on which you want to receive the alert is not hosted on the same server.
How can I enable email alerts?
Applies to: RedHat, CentOS, Ubuntu
1) Login to the server as root.
2) Open the .bashrc file under /root :
# vi /root/.bashrc
3) Append the following to the file :
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" user@example.com
Replace user@example.com with the email address on which you want to receive the email alert.
4) Save and exit.
Now log out and log in again as root; you should receive a root login alert email.
If you see this error when you log in again as root (assuming Postfix is in use):
postdrop: warning: unable to look up public/pickup: No such file or directory
then do this:
# mkfifo /var/spool/postfix/public/pickup
# ps aux | grep mail
# kill [insert process number]
# sudo /etc/init.d/postfix restart
Now log out and log in again as root; you should receive the root login alert email.

Get email alerts for each SSH root login to your server

Bash can run one of three files when a user logs in (and the Bash shell starts). We will add a line to one of them that emails a notification to a given address whenever the root user logs in. The three possible files are in the root user's home directory:
· .bash_profile
· .bash_login
· .profile
Bash looks for those scripts in that order, and once it has found a file with one of those names, that file, and only that file, is run. For example, if there is a .bash_profile file, any commands in .bash_login will not be called.
So once you have logged in as root, run:
$ cd

$ ls -al

This gives you a list of all files in root's home directory. See which of the above three files exist and open the one that gets called first. Insert this line:
echo "ALERT - Root Shell Access on:" `date` `who` | mail -s "Alert: Root Access on SERVER" YOU@DOMAIN.COM



Change SERVER to your server name and YOU@DOMAIN.COM to your email address. Then log out and back in again and check your inbox for a notification.
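
The file selection and insertion steps above as a script, added here as an example and not part of the original post. The names first_login_file and install_alert and the "# root-login-alert" marker are hypothetical; the script picks the file Bash will actually read and appends the alert line from above only if it is not already present.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the marker
# string are hypothetical; the alert command is the one shown above.
# Usage (as root): install_alert /root SERVER YOU@DOMAIN.COM

MARKER='# root-login-alert'

# Print the login file bash will read in directory $1: the first readable
# one of .bash_profile, .bash_login, .profile. Returns 1 if none exists.
first_login_file() {
    for name in .bash_profile .bash_login .profile; do
        if [ -r "$1/$name" ]; then
            printf '%s\n' "$1/$name"
            return 0
        fi
    done
    return 1
}

# Append the alert line to that file unless it is already there.
# $1 = home directory, $2 = server name, $3 = recipient address.
# $2 and $3 are written into the file as given, so pass trusted values only.
install_alert() {
    # With none of the three files present, .bash_profile is created;
    # it cannot shadow anything because the other two do not exist.
    target=$(first_login_file "$1") || target="$1/.bash_profile"
    if [ -f "$target" ] && grep -qF "$MARKER" "$target"; then
        return 0    # already installed, do not add a second copy
    fi
    # The single-quoted format keeps the backticks literal, so date and who
    # run at login time, not when this script runs.
    printf 'echo "ALERT - Root Shell Access on:" `date` `who` | mail -s "Alert: Root Access on %s" %s %s\n' \
        "$2" "$3" "$MARKER" >> "$target"
}
```

Running it a second time leaves the file unchanged, which avoids duplicate alerts for one login.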
