5

I need to be notified by email when my Ubuntu server is accessed via SSH.

If it is possible, how can I do it?

belacqua
Nam G VU
  • Possible duplicate: http://serverfault.com/questions/395393/email-notification-about-each-ssh-connection-to-linux-server?rq=1 – belacqua Aug 01 '14 at 21:32

4 Answers

6

pam_script will run any program you want when a user logs in.

symcbean
  • Just a note: if you're still on Lucid you'll have to compile pam_script yourself (it was included with Oneiric) – Joril Apr 17 '13 at 07:09
6

You should be able to do so with a rule in /etc/hosts.allow. Try something like:

```
sshd: ALL: (/usr/bin/echo "SSH connection from %h (%H)" | /usr/bin/mailx -s "SSH Alert" you@example.com)
```

You can get more detail from a script run from /etc/profile.d, or included in /etc/profile. However, this will only work if the user logs in to an interactive session.

If you don't need immediate notification, the logcheck program can notify you hourly of any accesses in the last hour. You will need to add appropriate rules to the configuration.

EDIT: Ubuntu uses the incompatible hosts_options format to execute shell commands. The following rule is what I implemented:

```
SSHD: ALL: spawn (/bin/echo "SSH connection to %H from %h[%a]" | \
     /usr/bin/mailx -s "SSH Alert" me@example.com)
```

Notes: Backslash notation can be used to wrap lines as above. Substitution characters are documented in the hosts.allow man page.

BillThor
  • I'm getting `ssh_exchange_identification: Connection closed by remote host` error after setting this. Commenting it out in `/etc/hosts.allow` makes it work again. – Mehdi Aug 08 '12 at 20:52
  • @MHK What happens if you run the commands in brackets at the command line? – BillThor Aug 08 '12 at 22:57
  • That sends a mail, I had to change `/usr/bin/echo` to `/bin/echo` though on my system. I've disabled root login and password based login via ssh, changed port, watching it with Fail2ban. Other than that, it's a typical Ubuntu 12.04 server edition. – Mehdi Aug 09 '12 at 09:11
  • You will need to change your command in `/etc/hosts.allow` accordingly. – BillThor Aug 09 '12 at 14:14
  • I did that before posting the error message here. – Mehdi Aug 10 '12 at 17:55
2

Your best bet is to set up a script to watch the log file.

I'm on my phone at the moment, but check /var/log/access.log

gWaldo
1

The log is on auth.log, you can do a

```
cat /var/log/auth.log | grep ssh
```

To actually send the mail you could install SSMTP, edit its config as follows:

/etc/ssmtp/ssmtp.conf

```
root=yourusername@gmail.com
mailhub=smtp.gmail.com:465
rewriteDomain=gmail.com
AuthUser=yourusername
AuthPass=yourpassword
FromLineOverride=YES
UseTLS=YES
```

Create a text file with the message body as follows:

```
To: recipient@gmail.com
From: yourusername@gmail.com
Subject: SSH warning or whatever

MAIL CONTENT
```

To add the content you could do:

```
tail /var/log/auth.log | grep ssh >> /tmp/mailcontents.txt
```

and then run

```
ssmtp recipient_name@gmail.com < /tmp/mailcontents.txt
```

EDIT:

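Another OP said you might want a notification each time it happens, you could do something LIKE this:

Create a script with

```
#!/bin/sh

# Follow auth.log in the background and append matching lines to /tmp/alert.
# --line-buffered makes grep write each match as soon as it arrives.
tail -n 0 -F /var/log/auth.log | grep --line-buffered ssh >> /tmp/alert &

while true; do
    # Block until a file in /tmp is modified; output is "/tmp/ EVENT filename".
    change=$(inotifywait -q -e modify /tmp)
    change=${change#/tmp/ * }
    if [ "$change" = "alert" ]; then
        # /tmp/mailcontents.txt must already hold the To:/From:/Subject: headers.
        tail -n 1 /tmp/alert >> /tmp/mailcontents.txt
        ssmtp recipient_name@gmail.com < /tmp/mailcontents.txt
    fi
done
```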

Mailcontents should include the addresses as stated before, the script code has not been checked to be valid, consider it pseudocode.

Radius
  • I think the OP wants to be notified when events occur, not create a custom report once. – raphink Jun 20 '12 at 22:53
  • well same principle, he'd just need to tail /var/log/auth.log permanently with the -f switch as in tail -f --follow=name /var/log/auth.log >> /tmp/alert.log, then he can use inotifywait to track changes in the alert file. – Radius Jun 21 '12 at 00:37
  • I failed to use ssmtp. It can connect to gmail server but said the authentication fails while using the same email & password I can log in. Do you have any idea why? The error is `ssmtp: Authorization failed (535 5.7.1 http://support.google.com/mail/bin/answer.py?answer=14257 nh8sm37308607pbc.60)` – Nam G VU Jun 22 '12 at 01:40
  • Did you try this? http://www.google.com/accounts/DisplayUnlockCaptcha – Radius Jun 22 '12 at 03:38
  • @Andres Yes I did. But still the authentication still fails – Nam G VU Jun 22 '12 at 04:39
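
The log-watching approach from the answers above, narrowed to successful logins only, as an added example that is not part of any answer. A plain `grep ssh` also matches failed attempts and disconnects, so this sketch keeps only sshd `Accepted` lines and builds the header-plus-body message that ssmtp reads. The function names, addresses and sample log lines are constructed for illustration, and the field positions assume the standard OpenSSH syslog line format.

```shell
#!/bin/sh
# Added example: turn successful sshd logins from auth.log into one ssmtp-ready message.

# Constructed sample lines in the usual Ubuntu auth.log layout (not real data).
SAMPLE_LOG='Jun 20 22:41:07 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jun 20 22:41:15 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2
Jun 20 22:42:01 web1 CRON[2110]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 20 22:43:30 web1 sshd[2120]: Accepted password for alice from 192.0.2.44 port 53311 ssh2
Jun 20 22:44:02 web1 sshd[2120]: Received disconnect from 192.0.2.44: 11: disconnected by user'

# Read auth.log lines on stdin and print "month day time user method source-ip"
# for each successful sshd login; failures, disconnects and other daemons are skipped.
accepted_logins() {
    awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $10 == "from" {
        print $1, $2, $3, $9, $7, $11
    }'
}

# Build the message for ssmtp: headers, a blank line, then one line per login.
# Returns 1 and prints nothing when no login was found, so no empty mail is sent.
# Usage: build_alert TO FROM < log-lines
build_alert() {
    logins=$(accepted_logins)
    [ -n "$logins" ] || return 1
    count=$(($(printf '%s\n' "$logins" | wc -l)))
    printf 'To: %s\nFrom: %s\nSubject: SSH login alert (%s)\n\n%s\n' \
        "$1" "$2" "$count" "$logins"
}

# Demonstration on the constructed sample. On a real host, feed only new lines
# and pipe the result into ssmtp, for example:
#   new-lines | build_alert recipient@gmail.com yourusername@gmail.com \
#       | ssmtp recipient@gmail.com
printf '%s\n' "$SAMPLE_LOG" | build_alert recipient@gmail.com yourusername@gmail.com
```
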