-3

Send me an e-mail whenever someone logs in via SSH

Talking about this here, is this enough to prevent any damage (or more, being able to limit it through being notified of it) to your server should someone actually manage to log in?

Additional questions:

Are there other ways of intrusion you will not be notified of this way?
Should you log sessions additionally if you do not want to just scrap your whole server the moment someone breaks in?
How do you exactly figure out what made your server insecure?

EDIT:

It seems people have been half-reading the question and therefore giving unfitting answers and downvoting. First, the title has "emergency measure" in it, which means it is a measure for things being already too late. The backup plan IF things go wrong.

Second, "to scrap the entire server the moment someone breaks in" was also implying that. Should someone break in, in this case the entire server probably has to be thrown away and set up completely anew. So I am actually asking how to prevent that and what to do more in the case of an emergency - someone actually broke in.

uncanny
  • If the attacker is using a script or has their commands ready to go, I doubt you'd be able to log in quickly enough to stop them (even if you're ready to go - what if you're asleep, or busy, or on the toilet?). Have you already done security best practices like forbidding password-based authentication? – ceejayoz Sep 10 '17 at 01:19
  • 1
    If they've logged in then you've already lost your server. It's a bit pointless to send an email **after** the fact. – joeqwerty Sep 10 '17 at 01:26
  • 1
    @joeqwerty I disagree that it's pointless to know the server has been compromised, but it's obviously too late to **prevent** compromise. – Håkan Lindqvist Sep 10 '17 at 01:28
  • Yes, that's what I meant. I worded it wrong. Thanks. – joeqwerty Sep 10 '17 at 02:27
  • @ceejayoz Yes, the server was properly hardened through my best knowledge – uncanny Sep 10 '17 at 02:29
  • @joeqwerty I am very aware of that actually, I probably worded the question wrong which caused a big misunderstanding – uncanny Sep 10 '17 at 02:30

1 Answer

2

No.

If someone malicious manages to log in they will quite possibly already be causing damage before the email has even been delivered, even more so before it has been noticed and read.

Another problem is that if they were to break in through a vulnerability in some (other?) service rather than properly logging in using ssh, no email would be sent.

Additionally, it sounds like a system which would have an extreme ratio of false alarms, with a high risk of you learning to ignore it. (Crying wolf, as it were.)

Håkan Lindqvist
  • Thank you for answering one of my questions. What would be the possibilities of getting access through some other service and how could you log against that? – uncanny Sep 10 '17 at 02:21
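The answer's objection to the plain "mail me on every login" approach is the false-alarm ratio: the admin's own daily logins drown the one alert that matters. One way to keep the notification but cut the noise is to alert only on a (user, source host) pair that has not been seen before. The script below is an added example written for this page, not code from the question, the answer or any project; it assumes it is wired in as a PAM session hook (`session optional pam_exec.so /usr/local/bin/ssh-login-notify.sh` in `/etc/pam.d/sshd`, so `PAM_USER`, `PAM_RHOST`, `PAM_TYPE` and `PAM_SERVICE` are set by `pam_exec`), a local `mail` command, and a state file under `/var/lib/ssh-login-notify/` whose path is an assumption.

```shell
#!/bin/sh
# Added example: PAM session hook that e-mails only when an SSH login comes from
# a (user, source host) pair not recorded before, so routine logins stay silent.
# Assumptions: invoked by pam_exec.so from /etc/pam.d/sshd; mail(1) is available;
# the state file path and the admin address are placeholders, override via env.

KNOWN_FILE="${KNOWN_FILE:-/var/lib/ssh-login-notify/known}"
ADMIN_MAIL="${ADMIN_MAIL:-root}"

# should_alert USER RHOST KNOWN_FILE
# Returns 0 (alert) when the pair is absent from the state file, 1 when it is known.
should_alert() {
    user="$1"; rhost="$2"; file="$3"
    [ -f "$file" ] || return 0
    grep -qxF "$user $rhost" "$file" && return 1
    return 0
}

# record_pair USER RHOST KNOWN_FILE
# Appends the pair so later logins from the same place do not alert again.
record_pair() {
    mkdir -p "$(dirname "$3")"
    printf '%s %s\n' "$1" "$2" >> "$3"
}

# notify_body USER RHOST
# Builds the message text; kept separate from sending so it can be checked without a mailer.
notify_body() {
    printf 'New SSH session: user=%s from=%s host=%s at %s\n' \
        "$1" "$2" "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

main() {
    # pam_exec also runs session hooks on close_session; only act on opening for sshd.
    [ "$PAM_TYPE" = "open_session" ] || exit 0
    [ "$PAM_SERVICE" = "sshd" ] || exit 0
    rhost="${PAM_RHOST:-unknown}"
    if should_alert "$PAM_USER" "$rhost" "$KNOWN_FILE"; then
        notify_body "$PAM_USER" "$rhost" \
            | mail -s "SSH login: $PAM_USER@$(uname -n)" "$ADMIN_MAIL" || true
        record_pair "$PAM_USER" "$rhost" "$KNOWN_FILE"
    fi
    # Always exit 0: a failed notification must never block or reveal itself to the session.
    exit 0
}

# Run only when PAM invoked us; sourcing the file leaves the functions defined for checks.
if [ -n "$PAM_TYPE" ]; then
    main
fi
```

Two caveats follow directly from the answer: the hook fires only for sessions that go through sshd's PAM stack, so a break-in through another service is still invisible to it, and an intruder who already holds root can edit the state file or the hook itself, which is why the state file should be root-owned and the mail should leave the box immediately rather than sit in a local queue.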