Email notification about each SSH connection

Here are a few ways to receive e-mail notifications about someone connecting to the server via SSH.

FIRST METHOD:
With a text editor such as nano, open the file /etc/ssh/sshrc (in nano, press CTRL+X to exit, then y or n and Enter to save or discard the changes):

sudo nano /etc/ssh/sshrc

And add the following code to it:

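# The client IP is the first field of $SSH_CONNECTION
ip=$(echo "$SSH_CONNECTION" | cut -d " " -f 1)
logger -t ssh-wrapper "$USER login from $ip"
# sendmail -t reads the recipient from the To: header; the bare echo separates headers from body
(echo "To: your-email@example.com"; echo "Subject: login($ip) on server"; echo; echo "User $USER just logged in from $ip") | sendmail -f server@example.com -t &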

You do not need to restart SSH; notifications should arrive as soon as someone connects.

SECOND METHOD:
Add the following lines to /etc/rsyslog.conf (the comment before each line explains what it does; this configuration sends messages about failed connections):

# Load the mail output module
$ModLoad ommail
# Specify the address of the mail server
$ActionMailSMTPServer mail.domain.com
# Specify the email from which messages will be sent
$ActionMailFrom rsyslog@domain.com
# Specify the email to which messages will be sent
$ActionMailTo test@domain.com
# Specify the subject of the message
$template mailSubject,"SSH Invalid User %hostname%"
# Specify the content of the message
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# Specify in seconds how often messages can be sent
$ActionExecOnlyOnceEveryInterval 10
# If the log message contains the quoted string, send an e-mail
if $msg contains 'Invalid user' then :ommail:;mailBody

The same approach via rsyslog, but sending notifications of successful connections (the same directives as above, without comments; the ommail module must already be loaded with $ModLoad ommail as in the first block):

$ActionMailSMTPServer mail.domain.com
$ActionMailFrom rsyslog@domain.com
$ActionMailTo test@domain.com
$template mailSubject,"SSH Accepted pass %hostname%"
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 10
if $msg contains 'Accepted password' then :ommail:;mailBody

As a result, an e-mail is sent whether the connection to the SSH server succeeds or fails. In the same way, you can send e-mail notifications about other events that are logged via rsyslog.
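
The two rsyslog filters above, modelled in shell as an added example (not part of the original post): it shows which sshd log lines each 'contains' filter matches, which lines it misses because the match is a case-sensitive substring, and how a 10-second interval limits the number of e-mails. The function names, timestamps and log lines are constructed for the illustration, and the interval handling is a simplified model of $ActionExecOnlyOnceEveryInterval.

```shell
#!/bin/sh
# Added example: mimics the page's two rsyslog filters on constructed sshd lines.
# All names here (match_rule, count_mails, sample_log) are hypothetical helpers.

# Print which of the two 'contains' filters a message would trigger.
# rsyslog's 'contains' is a case-sensitive substring match, like these patterns.
match_rule() {
    case "$1" in
        *"Invalid user"*)      echo invalid ;;
        *"Accepted password"*) echo accepted ;;
        *)                     echo none ;;
    esac
}

# Read "epoch-seconds message" lines on stdin and print how many e-mails the
# filter named in $1 sends when the action may run once per $2 seconds.
count_mails() {
    rule=$1 interval=$2 last="" sent=0
    while read -r ts msg; do
        [ "$(match_rule "$msg")" = "$rule" ] || continue
        if [ -z "$last" ] || [ $((ts - last)) -ge "$interval" ]; then
            sent=$((sent + 1)); last=$ts
        fi
    done
    echo "$sent"
}

# Constructed log excerpt (timestamp in seconds, then the sshd message text).
sample_log() {
cat <<'EOF'
100 Invalid user admin from 203.0.113.5 port 40022
103 Invalid user test from 203.0.113.5 port 40030
104 Failed password for invalid user test from 203.0.113.5 port 40030 ssh2
112 Invalid user oracle from 203.0.113.5 port 40041
120 Accepted password for alice from 198.51.100.7 port 51514 ssh2
125 Accepted publickey for bob from 198.51.100.9 port 51600 ssh2
EOF
}

# Show the matching filter for every line, then the resulting e-mail counts.
sample_log | while read -r ts msg; do
    printf '%-8s %s\n' "$(match_rule "$msg")" "$msg"
done
echo "invalid-user mails:   $(sample_log | count_mails invalid 10)"
echo "accepted-login mails: $(sample_log | count_mails accepted 10)"
```

The key-based login and the lowercase "invalid user" line both come out as "none", so neither filter on this page reports them.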
