Monitor all login attempts
Solution 1
Don't reinvent the wheel, let rsyslog do everything for you. It has the ability to send emails when patterns are matched in syslog messages before they ever hit a file.
Set your email address and SMTP server in the following and put it in your /etc/rsyslog.conf or drop it in /etc/rsyslog.d/ and restart rsyslog:
$ModLoad ommail
$ActionMailSMTPServer localhost
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$template mailSubject,"Login Alert on %hostname%"
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1
# the if ... then ... mailBody must be on one line!
if $msg contains 'session opened for user' then :ommail:;mailBody
This will fire off an email when rsyslog matches the string session opened for user in a message.
You can look in /var/log/auth.log for messages from sshd to see what else you can use as patterns.
Source: rsyslog ommail
Solution 2
First, you should not rely on user's .profile because they can change it. If it's really your server, you could:
- test for entries in auth.log, utmp or so periodically (or triggered by inotify)
- write a wrapper for /bin/login that does your things and then executes the real /bin/login. (I am not quite sure if e.g. ssh executes /bin/login, but I expect so.) But I can't recommend that - it's too dangerous.
Solution 3
/var/log/auth.log
Keep track of attempts to your system
cat /var/log/auth.log | grep 'sshd.*Failed'
This can grep failed attempts. Timestamps are also available, so you can tune it to your script. Also, maybe with
tail -f /var/log/auth.log
you can trace input all the time and then do some regexp.
Solution 4
I like @creek's solution from above, but with one small change:
if $msg contains 'session opened for user' then :ommail:;mailBody
to
if $msg contains 'sshd:session' then :ommail:;mailBody
If you simply use "session opened for user" you will get a message every time your cronjobs fire. For me at least, I just want to monitor SSH. You could adjust the conditional above to suit any other need.
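An added example, not part of any answer on this page and not the posters' code: a small parser that applies the ideas from Solutions 3 and 4, picking sshd login events (with timestamps) out of auth.log text while skipping cron and sudo sessions. The sample lines are constructed and assume the usual Debian/Ubuntu auth.log layout; the function names are hypothetical.

```python
import re

# Constructed sample lines in the usual Debian/Ubuntu auth.log layout (not from the page).
SAMPLE_LOG = """\
Oct 10 08:14:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 10 08:14:09 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct 10 08:15:01 web1 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 10 08:20:44 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Oct 10 08:20:44 web1 sshd[2302]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 10 08:21:10 web1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
"""

# Timestamp, host, then an sshd[pid] tag; lines from other programs never match.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION = re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>[^\s(]+)")

def parse_sshd_events(text):
    """Return a list of dicts for sshd login events; cron/sudo sessions are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        auth = AUTH.match(m["msg"])
        sess = SESSION.match(m["msg"])
        if auth:
            events.append({"ts": m["ts"], "kind": auth["result"].lower(),
                           "user": auth["user"], "ip": auth["ip"]})
        elif sess:
            events.append({"ts": m["ts"], "kind": "session",
                           "user": sess["user"], "ip": None})
    return events

def failed_by_source(events):
    """Count failed attempts per source address, e.g. to decide when to alert."""
    counts = {}
    for e in events:
        if e["kind"] == "failed":
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for event in parse_sshd_events(SAMPLE_LOG):
        print(event)
```

To run it against a live log, pass the contents of /var/log/auth.log to parse_sshd_events instead of SAMPLE_LOG.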
Solution 5
Following @Creek's answer: with rsyslog, to match multiple users (not the best implementation and can probably be replaced with regex, but it works)
$ModLoad ommail
$ActionMailSMTPServer localhost
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$template mailSubject,"Login alert on %hostname%"
# mailBody must be on one line!
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1
if $msg contains 'session opened for' then {
    if $msg contains 'USER1' then :ommail:;mailBody
    # Repetition required (did not investigate why)
    $ActionMailSMTPServer localhost
    $ActionMailFrom [email protected]
    $ActionMailTo [email protected]
    $template mailSubject,"Login alert on %hostname%"
    $template mailBody,"\n\n%msg%"
    $ActionMailSubject mailSubject
    $ActionExecOnlyOnceEveryInterval 1
    if $msg contains 'USER2' then :ommail:;mailBody
}
Updated on September 18, 2022
Comments
-
Aditi Rawat over 1 year
A few weeks ago I thought it would be a good idea to write a script to send me an email whenever some user logs in to my server.
So I came up with a perfectly working script, notifyLogin.sh, then I decided to call it from each user's .bash_login script.
But I discovered that someone could log in to my server using the ssh -t switch to select an available shell. For example: ssh user@myserver -t sh
This way, .bash_login does not execute, and neither does /etc/profile.
Is there any way to call notifyLogin.sh independent of shell type at login? (It should always work)
-
Chad K almost 10 years
This doesn't answer OP's question about sending an email when someone logs in
-
Stephen Rauch about 7 years
If the exact same answer works for different questions, then it is likely the questions are duplicates. In that case you should flag the duplicate question accordingly.
-
Astm over 4 years
You can use this command to get ssh access for a specific day
sudo cat /var/log/auth.log | grep sshd | grep 'Oct 10'