Gentoo Forums
mini-HOWTO: Receive mail alerts on SSH login

Joined: 31 Dec 2004
Posts: 2676
Location: here, there or in transit

Posted: Fri Oct 21, 2005 4:28 am    Post subject: mini-HOWTO: Receive mail alerts on SSH login

This guide illustrates one way to configure an SSH daemon to send email alerts on any successful login. All session types are reported: shell interactive, single-command and subsystem (sftp).

There are many tools and techniques one can use to keep abreast of connection activity on an unattended server (TCP wrappers, swatch, etc.). I devised this simple technique instead, in part because it required no packages beyond what I already had installed. On my systems, I use it to send an SMS alert to my mobile phone, the moment anyone logs in--just in case it isn't me. :wink: (If it isn't, I have a fighting chance to kick off the intruder and shut down the machine.)

I assume you have the following packages installed and operating:
  • OpenSSH (net-misc/openssh).
  • The mailx client (mail-client/mailx), to send mail from shell scripts and the command line.
  • An MTA (mail transfer agent) for mailx to use, such as Postfix or Sendmail.
  • Optional: X Window System. Not required, but you need to be aware of it when configuring SSH.
If not, plenty of resources exist to help you, including these excellent forums. Setting up SSH and mail services is beyond the scope of this guide, which only covers connecting the two.

How It Works
SSH runs the script in /etc/ssh/sshrc, if it exists, after loading a user's environment but before starting their shell or command. This file provides for site-wide initializations needed "before the user's home directory becomes accessible" (man 8 sshd). Here, I use it to send mail with the details of the login.

What To Do
1. Become/log in as root.
2. Create /etc/ssh/sshrc as follows. If the file already exists, don't overwrite it--simply add the commands following the "Send a brief alert ..." comment, at an appropriate point.
# Set XAuthority using protocol and X cookie from stdin
# (example from man 8 sshd)
# You should omit this section if X (and hence xauth) is not installed.
if read proto cookie && [ -n "$DISPLAY" ]; then
   if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
      # X11UseLocalhost=yes
      echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
   else
      # X11UseLocalhost=no
      echo add $DISPLAY $proto $cookie
   fi | xauth -q -
fi

# Send a brief alert with connection details
# Client address: first field of SSH_CONNECTION; the fourth colon-separated
# field strips an IPv4-mapped IPv6 prefix (::ffff:) if sshd reports one.
where=`echo $SSH_CONNECTION|cut -f1 -d' '|cut -f4 -d:`
when=`date`
if [ -z "$SSH_TTY" ] ; then
   # No tty: single command or subsystem such as sftp
   what="Connect by $USER"
else
   what="Login by $USER on $SSH_TTY"
fi

# Build the To:, Cc: and Bcc: lists from /etc/ssh/notify
mailto= ; cc_to= ; bcc_to=
while read address mode
do
   if [ -z "$address" -o "${address:0:1}" = "#" ] ; then continue; fi
   if [ "x$mode" = "xcc" -o "x$mode" = "xCC" ] ; then
      cc_to="${cc_to:+$cc_to,}$address"
   elif [ "x$mode" = "xbcc" -o "x$mode" = "xBCC" ] ; then
      bcc_to="${bcc_to:+$bcc_to,}$address"
   else
      mailto="${mailto:+$mailto,}$address"
   fi
done </etc/ssh/notify

cc_to=${cc_to:+"-c $cc_to"}
bcc_to=${bcc_to:+"-b $bcc_to"}
mail ${cc_to} ${bcc_to} -s "SSH Alert" ${mailto} >&2 <<-EOM
${what} from ${where} at ${when}
EOM

This file must be readable by all users (chmod 644 /etc/ssh/sshrc) since it is executed with the connecting user's privileges. It is not necessary, nor recommended, to set execute permission on the file. Recipient addresses for alerts reside in another file for ease of maintenance.

The above is bash syntax, and assumes /bin/sh is equivalent to /bin/bash on your system (SSH executes this file using /bin/sh). If that is not the case, I am afraid you are on your own--but please feel free to contribute an equivalent for another shell! For details on the bash tricks used, refer to "Parameter Expansion" in the bash manual page.

3. Create the recipient list file, /etc/ssh/notify. This also must be world-readable (chmod 644 /etc/ssh/notify). Replace the examples with the address(es) you want to notify when a client logs in.
# Recipient list for SSH login alerts
# Format:
#   address[,address] [cc|bcc]
# Multiple addresses may be on separate lines or separated by commas.
# The "cc" and "bcc" options mark address(es) as "Cc:" or "Bcc:" recipients,
# respectively.
# Blank lines and lines with # in column 1 are ignored.
root@localhost bcc

When any recipients are SMS addresses, you may want to avoid the CC option in favor of BCC. Blind-copy recipients do not appear in the message sent to the primary recipient(s), which helps keep the message short--important for SMS.

That's it. It is not necessary to restart sshd.

Log in to the machine via SSH using any means you like (ssh, PuTTY, sftp, etc.). Within a few moments, the recipients listed in /etc/ssh/notify should receive a message similar to the following:
Subject: SSH Alert
Date: Wed, 19 Oct 2005 09:46:34 -0400 (EDT)
From: bandit@localhost.localdomain (Bandit)
Login by bandit on /dev/pts/0 from at Wed Oct 19 09:46:34 EDT 2005

Note that SMS messages may not arrive for several minutes, depending on your provider's network and your own MTA setup. If this were an actual intrusion, you'd know who to pursue and where they came in--with luck, in time to slam the door on the nasty little bugger. :twisted:

Things to check if you don't get any alerts:

1. Ensure /etc/ssh/sshrc and /etc/ssh/notify are world-readable: chmod 644 /etc/ssh/sshrc /etc/ssh/notify
2. Make sure mail is working: echo hello? | mail -s Test you@your.domain (replace you@your.domain with one of your real, working email addresses). If you don't receive the test message, troubleshoot the mail server and client setup.
3. Double-check the addresses in /etc/ssh/notify. In particular, note that addresses can be given one per line, or in comma-separated lists, or both--but whitespace-separated lists will not work. That is:
GOOD: you@localhost,me@myhost
  OR: you@localhost

BAD: you@localhost me@myhost

In the BAD example, any addresses after the first space would be silently ignored. The script does no address checks of any kind, so beware of typing mistakes.
4. Review your MTA logs for bounce reports or other complaints.
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.
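A checker for the /etc/ssh/notify format, added here as an example and not part of the original post: it reports the whitespace-separated lists the sshrc script would silently truncate, unknown cc/bcc options, and tokens without a user@host shape. It assumes POSIX sh; the sample list it carries is constructed, not a real configuration.

```shell
#!/bin/sh
# Added example, not from the original post: checks a recipient list in the
# /etc/ssh/notify format for the mistakes the sshrc script silently ignores.
# Usage: check_notify < /etc/ssh/notify   (exit status = number of problems)

check_notify() {
    line_no=0; problems=0
    set -f                               # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line_no=$((line_no + 1))
        # Same skip rule as sshrc: blank lines and '#' in column 1.
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                     # split on whitespace like 'read address mode'
        [ $# -gt 0 ] || continue         # whitespace-only line
        addrs="$1"; shift
        for extra in "$@"; do            # anything after the first field
            case "$extra" in
                cc|CC|bcc|BCC) ;;
                *@*) echo "line $line_no: '$extra' after a space would be dropped; use a comma" >&2
                     problems=$((problems + 1)) ;;
                *)   echo "line $line_no: unknown option '$extra' (expected cc or bcc)" >&2
                     problems=$((problems + 1)) ;;
            esac
        done
        # Every comma-separated address needs a user and a host part.
        old_ifs="$IFS"; IFS=,
        for a in $addrs; do
            case "$a" in
                ?*@?*) ;;
                *) echo "line $line_no: '$a' does not look like an address" >&2
                   problems=$((problems + 1)) ;;
            esac
        done
        IFS="$old_ifs"
    done
    set +f
    return "$problems"
}

# Constructed sample list (not a real configuration) exercising each rule.
sample_notify() {
    printf '%s\n' \
        '# Recipient list for SSH login alerts' \
        'you@localhost,me@myhost' \
        'root@localhost bcc' \
        'you@localhost me@myhost' \
        'ops@example.org ccc' \
        'nobody'
}
```

Run `sample_notify | check_notify` to see the three diagnostics, then `check_notify < /etc/ssh/notify` against the real file.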

Joined: 30 Jun 2005
Posts: 476
Location: Lund, Sweden

Posted: Fri Oct 21, 2005 6:38 pm

Thanks, just what I've been looking for!

Joined: 09 Nov 2005
Posts: 16
Location: Chicago

Posted: Wed Nov 09, 2005 5:46 pm

I don't have SSH_CONNECTION set for some reason, so I modified the script to use SSH_CLIENT.

where=`echo $SSH_CLIENT | cut -f1 -d' '`

Thanks for this useful script!
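Combining the SSH_CLIENT fallback from this reply with the sshrc script's what/where logic, as an added example that is not from either poster: the client address is taken from SSH_CONNECTION, then SSH_CLIENT, and an IPv4-mapped IPv6 prefix is stripped without cutting a real IPv6 address at its colons, so the alert never reads "from at". It assumes POSIX sh and the environment variables sshd sets.

```shell
#!/bin/sh
# Added example (not from the original post or its replies): build the alert
# line the way the sshrc script does, but without an empty "from" when
# SSH_CONNECTION is unset. Inputs are the variables sshd sets for the session.

# client_addr: print the client IP. Prefers SSH_CONNECTION, falls back to
# SSH_CLIENT (as the reply above does), then to "unknown".
# An IPv4-mapped IPv6 form (::ffff:1.2.3.4) is reduced to the IPv4 part;
# any other IPv6 address is kept whole instead of being cut at colons.
client_addr() {
    conn="${SSH_CONNECTION:-$SSH_CLIENT}"
    addr="${conn%% *}"                   # first space-separated field
    case "$addr" in
        ::ffff:*) addr="${addr#::ffff:}" ;;
        '')       addr="unknown" ;;
    esac
    printf '%s\n' "$addr"
}

# alert_line [TIMESTAMP]: "Login by USER on TTY" for interactive sessions,
# "Connect by USER" for single commands and sftp (no SSH_TTY).
alert_line() {
    when="${1:-$(date)}"                 # fixed timestamp allowed for testing
    if [ -z "$SSH_TTY" ]; then
        what="Connect by $USER"
    else
        what="Login by $USER on $SSH_TTY"
    fi
    printf '%s from %s at %s\n' "$what" "$(client_addr)" "$when"
}
```

In sshrc, `alert_line` can replace the `what`/`where`/`when` assignments and the heredoc body.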