Why should I enable email alerts for every root login?
If you want to be notified instantly whenever someone logs into your server,
with the date, time and local IP address, then you need to enable email alerts.
What are the disadvantages of enabling email alerts?
None. Please do make sure that the email address on which you want
to get the alert is not hosted on the same server.
How can I enable email alerts?
Applies to: RedHat, CentOS, Ubuntu
1) Log in to the server as root.
2) Open the .bashrc file under /root:
# vi /root/.bashrc
3) Append the following to the file:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" user@example.com
Replace user@example.com with the email address on which you want
to get the email alert.
4) Save and exit.
Now log out and log in again as root; you should receive a root
login alert email.
If you log in again as root and are
prompted with this error (assuming use of postfix):
postdrop: warning: unable to look up public/pickup: No such file or directory
postdrop: warning: unable to look up public/pickup: No such file or directory
then do this:
# mkfifo /var/spool/postfix/public/pickup
# ps aux | grep mail
# kill [insert process number]
# sudo /etc/init.d/postfix restart
Now log out and log in again as root; you should receive an email
of the root login alert.
Get email alerts for each SSH root login to your server
There are 3 files that can be run once a user logs in (and the
Bash shell starts). We will add a line to one of these which will email a
notification to a given email address whenever the root user logs in. The 3
possible files are in the root user's home directory:
· .bash_profile
· .bash_login
· .profile
Bash looks for those
scripts in that order and once it has found a file that matches that filename,
it, and only it, is run. For example, if there is a .bash_profile file, any commands in .bash_login will not be
called.
So once you have logged in as root:
$ cd
$ ls -al
This will give you a list of all files in root's home directory.
See which of the above three files exist, open the one that gets called
first, and insert this line:
echo "ALERT - Root Shell Access on:" `date` `who` | mail -s "Alert: Root Access on SERVER" YOU@DOMAIN.COM
Change SERVER to your server name and YOU@DOMAIN.COM to your
email address. Then log out and back in again and check your inbox for a
notification.
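The lookup order described above can be scripted. This is an added example, not part of the original post: it finds the first of the three files that exists and appends the alert line once. The function names, the marker comment, the input check and the fallback to .bash_profile when none of the files exists are assumptions.

```sh
#!/bin/sh
# Added example: pick the startup file a Bash login shell will read
# and append the alert line to it exactly once.

# Print the first of the three login files that exists in directory $1,
# in the order Bash checks them. Returns 1 if none exist.
first_login_file() {
    for f in .bash_profile .bash_login .profile; do
        if [ -f "$1/$f" ]; then
            printf '%s\n' "$1/$f"
            return 0
        fi
    done
    return 1
}

# Append the alert line to the file Bash will actually run.
# $1 = home directory, $2 = server name, $3 = recipient address.
# Prints the path of the file that carries the alert line.
install_root_alert() {
    home=$1 server=$2 rcpt=$3
    marker='# root-login-alert'   # constructed tag, used to detect reruns
    # These values land in a file that root executes at login, so
    # refuse anything that could be read as shell syntax.
    case "$server$rcpt" in
        *[!A-Za-z0-9@._-]*)
            echo "invalid server name or address" >&2
            return 2 ;;
    esac
    # Assumption: when none of the three files exists, create .bash_profile.
    target=$(first_login_file "$home") || target="$home/.bash_profile"
    # Skip if already installed, so each login sends one mail, not several.
    if [ -f "$target" ] && grep -qF "$marker" "$target"; then
        printf '%s\n' "$target"
        return 0
    fi
    # \` keeps the backticks literal so date and who run at login time.
    cat >> "$target" <<EOF
echo "ALERT - Root Shell Access on:" \`date\` \`who\` | mail -s "Alert: Root Access on $server" $rcpt  $marker
EOF
    printf '%s\n' "$target"
}
```

Run as root, for example: install_root_alert /root SERVER YOU@DOMAIN.COM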