How can I set up monit to notify me about new remote SSH sessions that originate from outside one specific subnet?
I've considered logging connection attempts as part of a ~/.bashrc script but I'm not sure if this is possible because I'm uncertain of a few implementation details.
Specifically I need to know how to do the following things in the ~/.bashrc script:
- How to get the IP address and subnet associated with a new connection
- How to check whether the IP is outside the specific subnet I've selected
I imagine the script might look something like this pseudocode:
    # check that this is an SSH connection
    # check whether the SSH connection originates outside the selected subnet
    echo "New connection from $SSH_CLIENT" > /var/log/_ssh.log
Monit recipe:
    check file _ssh with path /var/log/_ssh.log
        if failed checksum then alert
Best Answer
You can't do this logging from ~/.bashrc or similar, because it's only executed for some interactive sessions, not if someone does ssh yourserver mycommand, sftp yourserver, etc.

All ssh login attempts, failed or successful, are logged through syslog with the auth facility. The log message includes the source IP address, the authentication method and whether the authentication succeeded. I think your best option is to use some log monitoring software.

I don't know monit, but it looks like its job is to watch sshd and restart it if it dies, which is a different concern.
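
The log-based approach described in the answer, as an added example that is not part of the original question or answer: it picks sshd's "Accepted" messages out of syslog lines and reports logins whose source address falls outside one subnet. The subnet value, the function name `outside_logins` and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the one subnet that should NOT trigger a notification.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")

# OpenSSH's message for a successful login:
#   Accepted <method> for <user> from <ip> port <port> ssh2
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample lines in the classic syslog layout (not real log data).
SAMPLE = [
    "Mar  3 10:01:12 host sshd[811]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2",
    "Mar  3 10:05:40 host sshd[902]: Failed password for invalid user admin from 198.51.100.9 port 41811 ssh2",
    "Mar  3 10:07:03 host sshd[915]: Accepted password for bob from 203.0.113.7 port 39944 ssh2",
    "Mar  3 10:09:55 host sshd[931]: Accepted publickey for carol from 2001:db8::5 port 40100 ssh2",
    "Mar  3 10:11:02 host sshd[940]: Accepted password for dave from 192.168.10.4 port 51000 ssh2",
]


def outside_logins(lines, trusted=TRUSTED_NET):
    """Return (user, ip, method) for accepted logins from outside `trusted`."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m is None:
            continue  # failed attempts and unrelated messages
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a literal address, nothing to compare
        # Treat an IPv4-mapped IPv6 address as the IPv4 address it wraps.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # Membership is False on an address-family mismatch, so IPv6
        # clients count as "outside" an IPv4 trusted subnet.
        if ip not in trusted:
            hits.append((m.group("user"), str(ip), m.group("method")))
    return hits


if __name__ == "__main__":
    for user, ip, method in outside_logins(SAMPLE):
        print(f"New SSH session from outside {TRUSTED_NET}: {user}@{ip} ({method})")
```

Comparing parsed addresses against the network, rather than matching a string prefix such as "192.168.1", is what keeps 192.168.10.4 from being mistaken for a trusted host.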