Script send email to admin warning ssh login

by Daniel Pham
Published: Updated:

If you usually work with Linux systems, you will need to be aware of security issues with ssh.

The purpose of the script

The following script is written for the CentOS operating system, the purpose of the script is to check the log file for security at regular intervals and email the administrator every time a user makes a successful ssh connection.

#!/bin/bash
# Script by: WriteBash.com
# Script date: 20-12-2017
# Script version: 1.0
# Script use to send an email to administrator everytime an user login ssh successfully.


# Define URL to log file
define_log () {
   LOG_FILE="/var/log/secure"
   FOLDER="/opt/scripts/do-not-remove"
   NUMBER="/opt/scripts/do-not-remove/number_line_ssh.txt"
}

# Define some temp files, used to store temporary log information
define_tmp () {
   TEMP_LOG="/tmp/ssh_temp_log.txt"
   GREP="/tmp/ssh_grep_temp.txt"
}

# Declare some basic information about the server
server_info () {
   SERVER=`hostname | awk -F'.' '{print $1}'`
   DATE=`date`
}

# Check the "filenumber_line_ssh.txt" is exists or not, otherwise create a new file
check_folder () {
   if [[ -d $FOLDER ]]; then
      if [[ ! -s $NUMBER ]]; then
         touch $NUMBER
         echo 0 > $NUMBER
      fi
   else
      mkdir -p $FOLDER
      touch $NUMBER
      echo 0 > $NUMBER
   fi
}

# Function get ssh log for 1 minutes
get_log () {
   NUM=`cat $NUMBER`
   SUM=`expr "$NUM" + 1`
   tail -n +"$SUM" $LOG_FILE > $TEMP_LOG
   echo `wc -l < $LOG_FILE` > $NUMBER
}

# Function send an email to administrator
send_mail () {
   SSH_U=$1
   SSH_F=$2
   SSH_T=$3
   mailx -v -r "[email protected]" -s "SSH ALERT: [ $SERVER ] " -S smtp="192.168.1.10:25" -S smtp-auth=login -S smtp-auth-user="[email protected]" -S smtp-auth-password="yourpassword" -S ssl-verify=ignore [email protected] <<END_OF_MAIL
-----------------------------------------
SERVER: $(hostname)
DATE: $DATE
-----------------------------------------

USER: $SSH_U
SSH FROM: $SSH_F
TIME SSH: $SSH_T
-----------------------------------------
END_OF_MAIL
}

# Function process the temp log
process_log () {
   cat $TEMP_LOG | grep "Accepted password" > $GREP
   if [[ -s $GREP ]]; then
      while read -r line
      do
         TIME=`echo $line | awk '{print $3 "-" $2 "-" $1}'`
         USER=`echo $line | awk '{print $9}'`
         FROM=`echo $line | awk '{print $11}'`
         send_mail $USER $FROM $TIME
      done < "$GREP"
   else
      delete_tmp
      exit
   fi
}

# Function delete temp files everytime excute script
delete_tmp () {
   rm -f $TEMP_LOG
   rm -f $GREP
}

# Main function
main () {
   define_log
   define_tmp
   server_info
   check_folder
   get_log
   process_log
   delete_tmp
}
main

exit

You can download the script here.

There are some values that you have to replace with your system informations.

  • [email protected]: The system email account you use to email the administrator.
  • 192.168.1.10: Your mail server’s IP.
  • yourpassword: Password of the account used to send email.
  • [email protected]: The email account you use to receive a warning email.

Recommended Reading: Script auto login ssh.

Use script

1. Create a folder containing this script (or place it wherever you feel comfortable):

mkdir /opt/scripts
chmod 700 /opt/scripts

2. Create the ssh_alert.sh file and copy the script above into that file.

3. Grant permission to execute script.

chmod 700 /opt/scripts/ssh_alert.sh

4. Set the cron tab to execute scripts every one minute.

crontab -l | { cat; echo "# Check secure log every 1 minute and send an alert email"; } | crontab -
crontab -l | { cat; echo "*/1 * * * * /opt/scripts/ssh_alert.sh"; } | crontab -
set crontab to alert script
Set crontab to alert script

Result of ssh alert script

If you perform the above steps correctly, whenever there is a successful ssh user on your server, there will be an email sent to you as shown below.

email sent to admin
Email sent to admin

Conclusion

With this simple script, hope it can be helpful to you in the operation of linux servers.

(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).

0 0 votes
Article Rating

You may also like

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

DevOps Lite is a personal blog specializing in technology with main topics about DevOps, DevSecOps, SRE and System Administrator. Articles are shared for free and contributed to the community.

SUPPORT US

FOLLOW US

Subscribe my Newsletter for new blog posts. Stay updated from your inbox!

© 2021-2024 DevOpsLite.com – All rights reserved.

Please write sources “DevOpsLite.com” when using articles from this website.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

0
Would love your thoughts, please comment.x
()
x

Adblock Detected

Please support us by disabling your AdBlocker extension from your browsers for our website.