Tag: SSH

Email notification about each SSH connection

Here are a few ways to receive e-mail notifications about someone connecting to the server via SSH.

FIRST METHOD:
With a text editor, for example nano, open the file /etc/ssh/sshrc (in the nano editor CTRL+X to exit, y/n and Enter to save or discard changes):

sudo nano /etc/ssh/sshrc

And add the following code to it:

ip=`echo $SSH_CONNECTION | cut -d " " -f 1`
logger -t ssh-wrapper $USER login from $ip
(echo "Subject:login($ip) on server"; echo "User $USER just logged in from $ip";) | sendmail -f server@example.com -t your-email@example.com &

You do not need to restart SSH, the notifications should already come in when connecting.

SECOND METHOD:
Add the specified lines to the config /etc/rsyslog.conf (before each line commented the essence, this code will send messages about failed connections):

# Connect the messaging module
$ModLoad ommail
# Specify the address of the mail server
$ActionMailSMTPServer mail.domain.com
# Specify the email from which messages will be sent
$ActionMailFrom rsyslog@domain.com
# Specify the email to which messages will be sent
$ActionMailTo test@domain.com
# Specify the subject of the message
$template mailSubject,"SSH Invalid User %hostname%"
# Specify the content of the message
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# Specify in seconds how often messages can be sent
$ActionExecOnlyOnceEveryInterval 10
# If the log contains the characters in parentheses, then we send a message
if $msg contains 'Invalid user' then :ommail:;mailBody

The same way of sending via rsyslog, but notifications of successful connections are sent (code without comments as above):

$ActionMailSMTPServer mail.domain.com
$ActionMailFrom rsyslog@domain.com
$ActionMailTo test@domain.com
$template mailSubject,"SSH Accepted pass %hostname%"
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 10
if $msg contains 'Accepted password' then :ommail:;mailBody

As a result, if the connection to the SSH server is successful or not successful, messages will be sent to the e-mail. In a similar way, you can announce to email and other events that are logged via rsyslog.

Monitoring the number of Ubiquiti sector clients by SSH from Zabbix

On the test I’ll give an example of getting the number of clients connected to the usual sectoral antenna Ubiquiti AirMax Rocket M5.
We will receive the data via SSH.

To test once we connect to the device (the first time when connecting, type yes and press enter):

sudo -u zabbix ssh -p 22 admin@192.168.0.55

Now in Zabbix we add the data element to the template or host, for example with the name “Template Ubiquiti Rocket M5 Sector”:

Name: any
Type: SSH agent
Key: ssh.run[clients,,22,utf8]
Authentication method: Password
Username: NAME
Password: PASSWORD
Executed script: the command executed on the device (see below)

Example of the command displayed the number of connected clients:

wstalist |grep "mac" |wc -l

Accordingly, we create a graph for the data element, as well as the trigger:

Name: On the sector antenna {HOST.NAME} > 40 clients
Expression: {Template Ubiquiti Rocket M5 Sector:ssh.run[clients,,22,utff8].last(#1)}>40

See also:
Configuring SSH checks in Zabbix

How to change the SSH port in Ubuntu

On the test, I change the SSH port in Ubuntu Server 14.0.4 LTS and Ubuntu Server 16.0.4 LTS.

Open the SSH configuration for example in the nano text editor (in nano, press Ctrl+X to exit, y/n to save or cancel changes):

sudo nano /etc/ssh/sshd_config

Find the line “Port 22” and change it for example to “Port 58222“.

To apply the changes, restart ssh (on different systems it can reboot in different ways, so here is a list of possible commands):

sudo service ssh restart
sudo /etc/init.d/ssh restart
sudo /etc/init.d/sshd restart

After restarting SSH, it will be available on the new port, and the current session on the old one will remain active, so without disconnecting for testing, we will try to connect to the new port, if not, then the firewall is working in the system and you need to allow it in the system, for example in iptables this is done this way (where 58222 is our new port):

sudo iptables -A INPUT -p tcp --dport 58222 -j ACCEPT

You can allow iptables to connect to SSH only from the specified range of IP addresses:

sudo iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 58222 -j ACCEPT

If everything is ok, we connect through a new port and can delete the old iptables rule, for example:

sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

An example of a command to connect from Linux to SSH on a non-standard port:

ssh -p 58222 user@192.168.0.2

View the system on which port and on what network interfaces SSH works like this:

netstat -tulpan | grep ssh

Configuring SSH checks in Zabbix

It took somehow some Linux servers to configure SSH checks to not install Zabbix-agent on them.
Zabbix-server itself is installed on Ubuntu Server.

Below in order I will describe how to configure SSH checks in Zabbix.

Authorization for SSH will be configured by key instead of password, for this we stop zabbix-agent and zabbix-server:

sudo service zabbix-agent stop
sudo service zabbix-server stop

Create a Zabbix user home directory (for storing ssh keys):

sudo usermod -m -d /home/zabbix zabbix
sudo chown zabbix:zabbix /home/zabbix
sudo chmod 700 /home/zabbix

Run back zabbix-agent and zabbix-server:

sudo service zabbix-agent start
sudo service zabbix-server start

Open the configuration file /etc/zabbix/zabbix_server.conf (in the nano editor, press Ctrl+O and Enter means save, Ctrl+X to exit):

sudo nano /etc/zabbix/zabbix_server.conf

Uncomment the string SSHKeyLocation and specify the path to the directory with the keys:

SSHKeyLocation=/home/zabbix/.ssh

Restart zabbix-server:

sudo service zabbix-server restart

Generate the ssh key:

sudo -u zabbix ssh-keygen -t rsa

Press Enter if the path is /home/zabbix/.ssh/id_rsa
On the offer to encrypt the key file, press Enter to not encrypt it or enter twice any password (it will encrypt the key file and you will have to specify it when connecting it)

Copy the generated key to the server we will be watching:

sudo -u zabbix ssh-copy-id -i /home/zabbix/.ssh/id_rsa.pub -p 22 root@192.168.0.55

If an error occurs while copying the key, you can manually copy the line from id_rsa.pub to the remote server in the authorized_keys file.

And we will try to connect to the remote server without entering the password with the command:

sudo -u zabbix ssh -p 22 root@192.168.0.55

Now in Zabbix we add the data element to the template or host:
Name: any
Type: SSH agent
Key: ssh.run[description,ip,port,encoding] (eg ssh.run[cpu,192.168.0.55,22,utf8]
Authentication method: Public key
User name (on remote host): root
Public key file: id_rsa.pub
Private key file: id_rsa
Phrase key password: leave blank if you did not encrypt the key with a password
Executed script: command running on a remote server, examples below

Below is an example of commands for Linux that you can execute and get various information.
CPU load for 1min / 5min / 15min:

cat /proc/loadavg |cut -d " " -f1
cat /proc/loadavg |cut -d " " -f2
cat /proc/loadavg |cut -d " " -f3

Number of currently running processes of the specified program:

pgrep apache2|wc -l
pgrep -c sshd

Free space at the mount point “/” (in megabytes):

df -m|grep "/$"|awk '{print $4}'

Occupied space at the mount point “/” (in percent):

df|grep "/$"|awk '{print $5}'|tr -d "%"

Received byte on the network interface eth0:

cat /proc/net/dev|grep eth0|awk '{print $2}'

Bytes sent to the network interface eth0:

cat /proc/net/dev|grep eth0|awk '{print $10}'

Amount of free RAM:

free |grep "Memory:"|awk '{print $4}'
free |grep "Mem:"|awk '{print $4}'

See also:
Connect to SSH using the keys