If you usually work with Linux systems, you will need to be aware of security issues with ssh.
The purpose of the script
The following script is written for the CentOS operating system. Its purpose is to check the security log file (/var/log/secure) at regular intervals and email the administrator every time a user makes a successful ssh connection.
#!/bin/bash
# Script by: WriteBash.com
# Script date: 20-12-2017
# Script version: 1.0
# Sends an email to the administrator every time a user logs in over ssh successfully.

# Define the paths to the log file and to the state file
define_log () {
    LOG_FILE="/var/log/secure"
    FOLDER="/opt/scripts/do-not-remove"
    NUMBER="/opt/scripts/do-not-remove/number_line_ssh.txt"
}

# Define some temp files, used to store temporary log information.
# mktemp creates them with unpredictable names and mode 0600, so another
# local user cannot pre-create or symlink them in /tmp.
define_tmp () {
    TEMP_LOG=$(mktemp /tmp/ssh_temp_log.XXXXXX) || exit 1
    GREP=$(mktemp /tmp/ssh_grep_temp.XXXXXX) || exit 1
}

# Declare some basic information about the server
server_info () {
    SERVER=$(hostname | awk -F'.' '{print $1}')
    DATE=$(date)
}

# Check whether the file "number_line_ssh.txt" exists, otherwise create a new file
check_folder () {
    if [[ -d $FOLDER ]]; then
        if [[ ! -s $NUMBER ]]; then
            touch "$NUMBER"
            echo 0 > "$NUMBER"
        fi
    else
        mkdir -p "$FOLDER"
        touch "$NUMBER"
        echo 0 > "$NUMBER"
    fi
}

# Get the ssh log lines written since the previous run (1 minute ago)
get_log () {
    NUM=$(cat "$NUMBER")
    TOTAL=$(wc -l < "$LOG_FILE")
    # After log rotation the file is shorter than the saved count: start again from line 1
    if [[ "$TOTAL" -lt "$NUM" ]]; then
        NUM=0
    fi
    SUM=$((NUM + 1))
    # Stop at line TOTAL, so lines written while the script runs are read on the next run
    tail -n +"$SUM" "$LOG_FILE" | head -n "$((TOTAL - NUM))" > "$TEMP_LOG"
    echo "$TOTAL" > "$NUMBER"
}

# Send an email to the administrator
# Note: the SMTP password is stored in this file and passed on the mailx command line,
# and ssl-verify=ignore turns off certificate verification for the mail server.
send_mail () {
    SSH_U=$1
    SSH_F=$2
    SSH_T=$3
    mailx -v -r "[email protected]" -s "SSH ALERT: [ $SERVER ] " -S smtp="192.168.1.10:25" -S smtp-auth=login -S smtp-auth-user="[email protected]" -S smtp-auth-password="yourpassword" -S ssl-verify=ignore [email protected] <<END_OF_MAIL
-----------------------------------------
SERVER: $(hostname)
DATE: $DATE
-----------------------------------------
USER: $SSH_U
SSH FROM: $SSH_F
TIME SSH: $SSH_T
-----------------------------------------
END_OF_MAIL
}

# Process the temp log
# Note: this pattern matches password logins only; key-based logins are logged as "Accepted publickey".
process_log () {
    grep "Accepted password" "$TEMP_LOG" > "$GREP"
    if [[ -s $GREP ]]; then
        while read -r line
        do
            TIME=$(echo "$line" | awk '{print $3 "-" $2 "-" $1}')
            # SSH_USER rather than USER, which is the shell's own environment variable
            SSH_USER=$(echo "$line" | awk '{print $9}')
            FROM=$(echo "$line" | awk '{print $11}')
            send_mail "$SSH_USER" "$FROM" "$TIME"
        done < "$GREP"
    else
        delete_tmp
        exit
    fi
}

# Delete the temp files every time the script is executed
delete_tmp () {
    rm -f "$TEMP_LOG"
    rm -f "$GREP"
}

# Main function
main () {
    define_log
    define_tmp
    server_info
    check_folder
    get_log
    process_log
    delete_tmp
}

main
exit
You can download the script here.
There are some values that you have to replace with your own system information.
- [email protected]: The system email account you use to email the administrator.
- 192.168.1.10: Your mail server’s IP.
- yourpassword: Password of the account used to send email.
- [email protected]: The email account you use to receive a warning email.
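The script picks out login lines with a plain grep for "Accepted password" and reads the user and source address by field position, so key-based logins are missed and a line that merely contains that phrase inside another message is parsed as a login. The following is an added example, not part of the original script: it anchors the match on the sshd tag and extracts the same fields. The function names and the sample log lines are constructed for illustration, and the line layout assumes the OpenSSH syslog format written to /var/log/secure.

```bash
#!/bin/bash
# Added example (not the original author's code): strict matching of sshd login records.

# Anchored on the syslog header and the sshd[pid] tag, so "Accepted ..." must be
# the start of the message itself. Captures: month, day, time, method, user, source.
LOGIN_RE='^([A-Z][a-z]{2}) +([0-9]{1,2}) ([0-9:]{8}) [^ ]+ sshd\[[0-9]+\]: Accepted ([^ ]+) for ([^ ]+) from ([^ ]+) port [0-9]+ ssh2.*$'

# Print "user|source|method|time-day-month" for a genuine login line, else return 1.
parse_login () {
    local out
    out=$(printf '%s\n' "$1" | sed -n -E "s/$LOGIN_RE/\5|\6|\4|\3-\2-\1/p")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Count the genuine login records among the log lines read from stdin.
count_logins () {
    local n=0 line
    while IFS= read -r line; do
        if parse_login "$line" > /dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample lines (documentation addresses, not real log data):
# a password login, a key login, a failed login whose user name contains the
# phrase the original grep looks for, and an ordinary failed password.
sample_log () {
    cat <<'EOF'
Dec 20 10:15:01 web01 sshd[2345]: Accepted password for root from 192.0.2.50 port 51234 ssh2
Dec  5 08:02:11 web01 sshd[2399]: Accepted publickey for deploy from 192.0.2.51 port 40022 ssh2: RSA SHA256:constructed
Dec 20 10:16:00 web01 sshd[2350]: Invalid user x Accepted password for root from 192.0.2.9 port 22 ssh2 from 192.0.2.9 port 40000
Dec 20 10:17:00 web01 sshd[2351]: Failed password for root from 192.0.2.9 port 40001 ssh2
EOF
}

# Show what each sample line is parsed as
sample_log | while IFS= read -r l; do
    parse_login "$l" || echo "ignored: $l"
done
```

To use it in the script, process_log can call parse_login on each new line and pass the returned fields to send_mail in place of the grep and awk calls.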
Use script
1. Create a folder containing this script (or place it wherever you feel comfortable):
mkdir /opt/scripts
chmod 700 /opt/scripts
2. Create the ssh_alert.sh file and copy the script above into that file.
3. Grant permission to execute the script.
chmod 700 /opt/scripts/ssh_alert.sh
4. Set up a cron job to execute the script every minute.
crontab -l | { cat; echo "# Check secure log every 1 minute and send an alert email"; } | crontab -
crontab -l | { cat; echo "*/1 * * * * /opt/scripts/ssh_alert.sh"; } | crontab -
Result of ssh alert script
If you perform the above steps correctly, whenever a user logs in to your server over ssh successfully, an email will be sent to you as shown below.
Conclusion
I hope this simple script is helpful to you in operating Linux servers.
(This is an article from my old blog, which has been inactive for a long time. I don’t want to throw it away, so I will keep it and hope it helps someone.)