Friday, July 03, 2009

Find out who is logged on as root (or any other user)

So I want our support team to get an email when someone logs on as root or uses su to become root on our servers. So I saw this:
Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server you're sending the alert from.

So let's get started!

1. Log in to your server and su to root (I know, the irony!)

2. cd /root

3. pico .bashrc

4. Scroll to the end of the file then add the following:
echo 'ALERT - Root Shell Access (YourServerName) on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@yourdomain.com

Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address

5. Ctrl + X then Y

Now log out of SSH, close the connection and log back in! You should receive an email with the root login alert a few minutes afterwards.

But I changed to this:
Edit root's (or whichever user's you want) .bash_profile and add:

echo 'ALERT - Root Shell Access (YourServerName) on:' $(date) $(who) | mail -s "Alert: Root Access from $(netstat | grep ssh)" you@yourdomain.com

Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address

This netstat gives you all users connected to your box via SSH at that time, not just the specific user who just SSHed in.

Example output (my SSH sessions from my home laptop IP, 70.131.105.251):
tcp 0 0 ls3.harmonicwebhosting.:ssh adsl-70-131-105-251.d:61852 ESTABLISHED
tcp 0 220 ls3.harmonicwebhosting.:ssh adsl-70-131-105-251.d:63195 ESTABLISHED

ALERT - Root Shell Access on (ls3.harmonicwebhosting.com-64.254.200.10): Fri Jul 3 11:37:51 CDT 2009
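As an added example (my own code, not from the post or the quoted tutorial), here is a version of the alert that names the session that just opened instead of every SSH connection on the box, and keeps the mail subject to one line, since multi-line netstat output inside -s corrupts the header. It assumes OpenSSH's SSH_CONNECTION variable is present in the shell's environment; the ROOT_ALERT_TO variable, the function names and the sample values in the comments are mine.

```shell
#!/bin/sh
# Alert on a root (or other) login, naming the session that just opened.
# Assumptions (mine, not the post's): OpenSSH exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port"; plain `su` keeps it while
# `su -` clears it, so `who -m` (the session on stdin) is the fallback.

# Source address of the current session: $1 = SSH_CONNECTION, $2 = `who -m` line.
alert_source() {
    if [ -n "$1" ]; then
        printf '%s\n' "${1%% *}"            # first field is the client address
    elif [ -n "$2" ]; then
        src=${2#*\(}; src=${src%%\)*}       # host in parentheses, if present
        if [ "$src" != "$2" ]; then printf '%s\n' "$src"; else echo unknown; fi
    else
        echo unknown
    fi
}

# One-line subject: newlines in mail -s (e.g. from netstat output) break the header.
alert_subject() {   # $1 host, $2 user, $3 source
    printf 'Alert: %s shell on %s from %s' "$2" "$1" "$3" | tr '\r\n' '  '
}

# Message body: who, where from, when, plus every session open right now.
alert_body() {      # $1 host, $2 user, $3 source, $4 date, $5 `who` output
    printf 'ALERT - %s shell access on %s from %s at %s\n\nOpen sessions:\n%s\n' \
        "$2" "$1" "$3" "$4" "$5"
}

# Gather the live values and mail them; $1 is the recipient (use an off-box address).
send_root_alert() {
    host=$(hostname); user=$(id -un)
    src=$(alert_source "${SSH_CONNECTION:-}" "$(who -m 2>/dev/null)")
    alert_body "$host" "$user" "$src" "$(date)" "$(who)" \
        | mail -s "$(alert_subject "$host" "$user" "$src")" "$1"
}

# In /root/.bash_profile:  ROOT_ALERT_TO=you@yourdomain.com . /root/root-alert.sh
if [ -n "${ROOT_ALERT_TO:-}" ]; then
    send_root_alert "$ROOT_ALERT_TO"
fi
```

Because the file is sourced from the login shell, anyone who becomes root can edit it; the off-box mailbox the tutorial recommends is what keeps the record the attacker cannot reach.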
