ssh login emails alerts in linux indiancyberdude

How to Set SSH Login Email Alerts in Linux Server

In a production environment, it is crucial to keep track of server activity and user logins for the security of Linux servers. Proper installation, configuration, and security measures are essential to ensure optimal performance and prevent potential threats.

Protecting your server from potential destruction is crucial, especially if a hacker gains root access via brute force tactics over SSH. With such access, they can wreak havoc on your system. To prevent such attacks, check out our helpful articles on securing your server against SSH attacks.

  1. Block SSH Server Brute Force Attacks Using DenyHosts
  2. Use Pam_Tally2 to Lock and Unlock SSH Failed Logins
  3. 5 Best Practices to Secure and Protect SSH Server

Enabling direct root login through SSH sessions is not recommended. Instead, it is best to create non-root accounts with sudo access. If root access is required, first log in as a regular user and then use the “su” command to switch to the root user. To learn how to disable and limit SSH root login, check out our article below.

  1. Disable SSH Root Login and Limit SSH Access

Improve your server’s security with this guide on detecting root or normal user logins. Learn how to set up email alerts that include the IP address of the last login, allowing you to take action and block SSH access to specific IP addresses using iptables Firewall. Follow these simple steps to protect your system from unauthorized access.

  1. How to Block Port in Iptables Firewall


To carry out this tutorial, you must have root-level access on the server, a little knowledge of the nano or vi editor, and mailx (mail client) installed on the server to send the emails. Depending upon your distribution, you can install the mailx client using one of the following commands.

On Debian/Ubuntu/Linux Mint
# apt-get install mailx
On RHEL/CentOS/Fedora
# yum install mailx

Set SSH Root Login Email Alerts

Now log in as the root user and go to root’s home directory by typing the cd /root command.

# cd /root

Next, add an entry to the .bashrc file. This file sets local environment variables for the user and runs some login tasks. For example, here we are setting an email login alert.

Open the .bashrc file with the vi or nano editor. Remember that .bashrc is a hidden file, so you won’t see it with the ls -l command. You have to use the -a flag to see hidden files in Linux.

# vi .bashrc

Add the following whole line at the bottom of the file. Make sure to replace “ServerName” with the hostname of your server and change “you@example.com” to your email address.

echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@example.com

Save and close the file, then log out and log back in. Once you log in via SSH, the .bashrc file is executed by default and sends you an email alert for the root login.

Sample Email Alert
ALERT - Root Shell Access (Database Replica) on: Thu Nov 28 16:59:40 IST 2013 indiancyberdude pts/0 2013-11-28 16:59 (172.16.25.125)

Set SSH Normal User Login Email Alerts

Log in as a normal user (indiancyberdude) and go to the user’s home directory by typing the cd /home/indiancyberdude/ command.

# cd /home/indiancyberdude

Next, open the .bashrc file and add the following line at the end of the file. Make sure to replace “ServerName” and “you@example.com” with your own values, as shown above.

echo 'ALERT - User Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: User Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@example.com

Save and close the file, then log out and log in again. Once you log back in, the .bashrc file is executed and sends you an email alert for the user login.

This way you can set an email alert on any user to receive login alerts. Just open the user’s .bashrc file, which should be located under the user’s home directory (i.e. /home/username/.bashrc), and set the login alerts as described above.
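
A more specific variant of the alert line, as an added example that is not part of the original tutorial: it reads the source address from the SSH_CONNECTION variable that sshd sets for the session, whereas who lists every logged-in session, and it names the real account in the subject. ALERT_TO, ALERT_HOST and the function names are assumptions chosen for illustration.

```shell
# Added example for ~/.bashrc; replaces the one-line alert.
ALERT_TO="you@example.com"   # placeholder recipient (assumption)
ALERT_HOST="ServerName"      # placeholder label, as in the tutorial

# Print the client IP of this session only. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port". Empty values and anything
# that is not an address literal are rejected, so no unexpected text can
# reach the mail subject.
ssh_client_ip() {
    case ${SSH_CONNECTION%% *} in
        ''|*[!0-9A-Za-z:.%]*) return 1 ;;
    esac
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# Subject names the account that actually logged in and its source address.
alert_subject() {
    printf 'Alert: %s shell access on %s from %s' \
        "$(id -un)" "$ALERT_HOST" "$(ssh_client_ip || echo unknown)"
}

alert_body() {
    printf 'ALERT - Shell Access (%s) on: %s\n' "$ALERT_HOST" "$(date)"
    printf 'User: %s\n' "$(id -un)"
    printf 'SSH_CONNECTION: %s\n' "${SSH_CONNECTION:-not set}"
}

# Send from a detached subshell so a slow or missing MTA never delays the
# login and no job-control message is printed.
send_login_alert() {
    ( alert_body | mail -s "$(alert_subject)" "$ALERT_TO" >/dev/null 2>&1 & )
}

# Alert only for interactive shells inside an SSH session; local consoles
# and scripts that happen to read this file stay silent.
case $- in
    *i*) [ -z "${SSH_CONNECTION:-}" ] || send_login_alert ;;
esac
```

This hook only covers interactive shells and lives in a file the account owner can edit, so keep sshd's own authentication log as the authoritative record of logins.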

