Ssh – Sending automatic mail on ssh-login fails

Tags: email, pam, ssh

I'm trying to have my server automatically send me an email on ssh login.

What I've done:

  1. Created a login-notify.sh file (user root, group root, chmod 755) and placed it inside /etc/ssh/

    #!/bin/sh
    # pam_exec runs this for open_session and close_session; only notify on the former
    if [ "$PAM_TYPE" != "close_session" ]; then
        # assembling my variable $TEXT ...
        echo "$TEXT" | mail -r "root@.... " -s "Subject line" root
    fi
    
  2. Modified /etc/pam.d/sshd:

    echo "session required pam_exec.so seteuid /etc/ssh/login-notify.sh" | sudo tee -a /etc/pam.d/sshd
    
  3. restarted sshd server and even rebooted the machine

  4. Manually fired up /etc/ssh/login-notify.sh -> mail successfully sent

  5. Logged in through ssh -> no mail has been sent

Additional steps / information

  1. for sending emails from command line I use ssmtp and a gmail-account

  2. instead of sending a mail I've tried to append a string to a file and see if it works (echo "ssh login" > /home/user/ssh-test) -> no luck…

  3. server only accepts public/key authentication for ssh-logins

  4. /var/log/syslog provides no useful information:

    Dec 27 14:20:51 srv1 fwknopd[2155]: Removed rule 1 from FWKNOP_INPUT with expire time of 1419686451 
    Dec 27 14:41:48 srv1 fwknopd[2155]: (stanza #1) SPA Packet from IP: xxx.xxx.xxx.xxx received with Access source match 
    Dec 27 14:41:48 srv1 fwknopd[2155]: [xxx.xxx.xxx.xxx] (stanza #1) Incoming SPA data signed by 'XXXXXX'. 
    Dec 27 14:41:48 srv1 fwknopd[2155]: Added Rule to FWKNOP_INPUT for xxx.xxx.xxx.xxx, tcp/xxx expires at 1419687738
    

    After this line I logged in through ssh… no additional text was written to /var/log/syslog
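A complete pam_exec session hook of the kind the question is building, as an added example (not the asker's script and not code from the pam_exec project). Compared with the snippet in the question it closes the `if` with `fi`, passes `-s` as a single option, quotes the message body, and calls `mail` by absolute path because the environment pam_exec hands to the command need not contain a useful `PATH`. Only the variables `PAM_TYPE`, `PAM_USER`, `PAM_RHOST`, `PAM_SERVICE` and `PAM_TTY` are documented in pam_exec(8); the sender address, recipient, mail binary location and log path are assumptions to adjust.

```shell
#!/bin/sh
# Added example: pam_exec session hook that mails a notice on each ssh login.
# pam_exec(8) exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY to
# the command. Paths, sender and recipient below are assumptions, not facts
# from the question.

MAIL_BIN=/usr/bin/mail            # assumed location; absolute because PATH may be empty under PAM
RECIPIENT=root                    # assumed recipient
SENDER='root@example.invalid'     # assumed sender (the question elides the real address)

# A login is a session opening. pam_exec also calls the hook for close_session
# (and for auth/account events if the module is listed under those types).
should_notify() {
    [ "$1" = "open_session" ]
}

# Subject line; an empty PAM_RHOST (local, non-network session) becomes "unknown".
subject_for() {
    printf 'SSH login: %s from %s' "$1" "${2:-unknown}"
}

# Body, built from arguments so it can be exercised without a PAM stack.
# $1 user  $2 remote host  $3 PAM service  $4 local hostname  $5 UTC timestamp
build_message() {
    printf 'User:    %s\nFrom:    %s\nService: %s\nHost:    %s\nTime:    %s\n' \
        "$1" "${2:-unknown}" "$3" "$4" "$5"
}

# Entry point used when pam_exec runs the script.
notify_from_pam() {
    should_notify "${PAM_TYPE:-}" || return 0
    build_message "${PAM_USER:-?}" "${PAM_RHOST:-}" "${PAM_SERVICE:-?}" \
                  "$(hostname)" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
        | "$MAIL_BIN" -r "$SENDER" \
                      -s "$(subject_for "${PAM_USER:-?}" "${PAM_RHOST:-}")" \
                      "$RECIPIENT"
}

# Run only when invoked by pam_exec, or by hand with PAM_TYPE exported.
if [ -n "${PAM_TYPE:-}" ]; then
    notify_from_pam
fi
```

Install it with a line such as `session optional pam_exec.so seteuid log=/var/log/login-notify.log /etc/ssh/login-notify.sh` in /etc/pam.d/sshd: `log=` makes pam_exec record the command's output, which is the first place to look when no mail arrives, and `optional` keeps a broken mail command from interfering with the login itself. The hook only runs if sshd_config has `UsePAM yes`; that holds for publickey-only servers too, since PAM authentication is skipped but the account and session modules still run. A dry run without ssh is `PAM_TYPE=open_session PAM_USER=alice PAM_RHOST=203.0.113.5 PAM_SERVICE=sshd sh /etc/ssh/login-notify.sh` (constructed values).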

Best Answer

Hm, install CSF firewall or OSSEC; they have the built-in functionality you need, according to your question's subject line.

CSF Firewall:

lfd on cluster-master-acl: SSH login alert for user root from 86.234.45.45 (IE/Ireland/cm-86.234.45.045.ntlworld.ie)

Time:    Fri Dec 26 13:59:51 2014 +0000
IP:      86.234.45.45 (IE/Ireland/cm-86.234.45.045.ntlworld.ie)
Account: root
Method:  publickey authentication 


lfd on web1: SU login alert - Successful login from admin(uid=0) to root
Time:    Sat Dec 27 11:45:26 2014 -0500
From:    admin(uid=0)
To:      root
Status:  Successful login

OSSEC:

OSSEC HIDS Notification.
2014 Dec 28 10:58:53

Received From: (web-node-3) 138.71.183.65->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Dec 28 05:58:49 ID13412 sudo: pam_unix(sudo:auth): conversation failed

And so on; in fact you can modify the alerts as you need them.

http://configserver.com/cp/csf.html
http://www.ossec.net/