Email alert on root SSH login
Posted on August 19, 2012 by Sanchit Matta
Why should I enable email alert for every root login?
If you want to be notified instantly when someone logs into your server, with the date, time and local IP address of the login, then you need to enable email alerts.
What are the disadvantages of enabling email alerts?
None. Please make sure that the email address on which you want to get the alert is not hosted on the same server.
How can I enable email alerts?
Applies to: RedHat, CentOS, Ubuntu
1) Login to the server as root.
2) Open the .bashrc file under /root :
# vi /root/.bashrc
3) Append the following to the file :
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" user@example.com
Replace user@example.com with the email address on which you want to get the email alert.
4) Save and exit.
Now logout and login again as root, you should receive a root
login alert email.
If you are shown this error when you log in again as root (assuming use of postfix):
postdrop: warning: unable to look up public/pickup: No such file or directory
postdrop: warning: unable to look up public/pickup: No such file or directory
then do this:
# mkfifo /var/spool/postfix/public/pickup
# ps aux | grep mail
# kill [insert process number]
# sudo /etc/init.d/postfix restart
Now logout and login again as root, you should receive an email
of the root login alert.
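The one-liner above takes the address from `who`, which lists every open session, so with several people logged in the subject mixes their hosts. The following is an added example, not part of the original post, that reads the current session's client address from the SSH_CONNECTION variable set by sshd; the function names and ALERT_TO are assumptions.

```shell
# Added example for /root/.bashrc; names below are assumptions, not from the post.
ALERT_TO="user@example.com"      # mailbox hosted on a different server

# Client address of THIS session. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port"; it is unset on console/su logins.
ssh_source_ip() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        printf 'local\n'
    fi
}

alert_subject() {
    printf 'Alert: Root Access from %s on %s\n' "$(ssh_source_ip)" "$(uname -n)"
}

alert_body() {
    printf 'ALERT - Root Shell Access on: %s\n' "$(date)"
    printf 'Source of this session: %s\n' "$(ssh_source_ip)"
    printf 'All open sessions:\n%s\n' "$(who 2>/dev/null)"
}

send_root_alert() {
    # Without a mail command there is nothing to send with; do not break the login.
    command -v mail >/dev/null 2>&1 || return 0
    # Subshell + background: no job notice and no login delay. Output is
    # discarded so MTA warnings (such as the postdrop one) are not printed
    # into the session.
    ( alert_body | mail -s "$(alert_subject)" "$ALERT_TO" >/dev/null 2>&1 & )
}

# Last line of /root/.bashrc:
# send_root_alert
```

Because the mailer's output is discarded, confirm delivery once after installing it by checking the inbox and the mail log.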
Get email alerts for each SSH root login to your server
13th February 2010
There are 3 files that can be run once a user logs in (and the
Bash Shell starts) and we will add a line in one of these which will email a
notification to a given email address whenever the root user logs in. The 3
possible files are in the root user's home directory:
· .bash_profile
· .bash_login
· .profile
Bash looks for those scripts in that order and once it has found a file that matches that filename, it, and only it, is run. For example, if there is a .bash_profile file, any commands in .bash_login will not be called.
So once you have logged in as root:
$ cd
$ ls -al
This will give you a list of all files in root's home directory. See which of the above three files exist and open the one that gets called first. Insert this line:
echo "ALERT - Root Shell Access on:" `date` `who` | mail -s "Alert: Root Access on SERVER" YOU@DOMAIN.COM
Change SERVER to your server name and YOU@DOMAIN.COM to your email address. Then log out and back in again and check your inbox for a notification.
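An alert line added to a file that bash skips never runs, so it helps to resolve the file programmatically. The following is an added example, not from the original post, that applies the lookup order described above and appends the line only once; the function names, the marker comment and the fallback to .bash_profile when none of the three files exists are assumptions.

```shell
# Added example; function names and the marker text are illustrative assumptions.
ALERT_MARKER='# root-login-alert'

# Print the startup file a bash login shell would read for the given home
# directory: the first of the three that exists and is readable.
login_startup_file() {
    for f in .bash_profile .bash_login .profile; do
        if [ -r "$1/$f" ]; then
            printf '%s\n' "$1/$f"
            return 0
        fi
    done
    return 1
}

# Print the later files that bash ignores because an earlier one was found.
shadowed_startup_files() {
    found=""
    for f in .bash_profile .bash_login .profile; do
        [ -r "$1/$f" ] || continue
        if [ -n "$found" ]; then printf '%s\n' "$1/$f"; fi
        found=1
    done
}

# Append the alert line to the file bash will actually run, once only,
# and print which file was used.
install_alert_line() {
    home=$1
    line=$2
    # Assumption: when none of the three files exists, create .bash_profile.
    target=$(login_startup_file "$home") || target="$home/.bash_profile"
    if [ -f "$target" ] && grep -qF "$ALERT_MARKER" "$target"; then
        printf '%s\n' "$target"     # already installed; avoid duplicate mails
        return 0
    fi
    printf '%s  %s\n' "$line" "$ALERT_MARKER" >> "$target"
    printf '%s\n' "$target"
}
```

Run `shadowed_startup_files /root` before editing by hand: any file it prints is one where an alert line would silently do nothing.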
E-mail Alert on Root SSH Login
Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server you're sending the alert from.
So let's get started!
1. Login to your server and su to root, I know the irony!
2. cd /root
3. pico .bashrc
4. Scroll to the end of the file then add the following:
echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address
5. Ctrl + X then Y
Now log out of SSH, close the connection and log back in! You should receive an email of the root login alert a few minutes afterwards.
Note: This is a great tool for servers that have multiple admins
or if you give someone SSH access for whatever reason, although you should give
out the root password to as few people as humanly possible and be sure to
change it often.
This will not magically alert you when a hacker runs the latest
kernel exploit on your server and logs into SSH because they will create their
own SSH/telnet connection. You should keep your system up to date, install a
firewall and follow the latest security releases.