Send email if user accesses the server via ssh

Solution 1

To me the question is still unclear, so I try to answer the question contained in the first paragraph. How to log SSH logins?

I will also limit my answer to all *nix systems with PAM support. This is a relevant point, because you do not limit the scope of your question by giving a particular OS.

Okay, here's what I used in the past: sshrc. If you add a file named that in /etc/ssh (location may vary!), it will be executed by interactive (i.e. with shell) SSH connections.

Downside here is that you won't get informed about the stuff that is also relevant, such as SFTP (sftp-internal subsystem) connections.

However, we have an inroute here.

We can use PAM with pam_exec.so to our advantage and limit its effect to SSH by adding this to /etc/pam.d/sshd (for me it's the last non-comment line):

session    optional     pam_exec.so stdout /etc/your_email_script.sh

This will ensure that the script gets run as a privileged user (relevant if you prefer to call the sendmail binary to send off the mail) and that there is hardly anything the user can do to avoid this script being run. You can effectively limit access to that script to only root.

The part with optional you should adjust if needed. Relevant reading: man pam_exec, man pam.conf, man pam.d.

You may also want to play with how early on you want to execute your script.

What you see to miss is. You have so many other ways of locking down the server. For starters: don't allow passwords. Stick to key-only authentication. Make sure that people with only SFTP access do not have additional access:

Match group sftponly
        ChrootDirectory /home
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        PasswordAuthentication no

will let members of group sftponly only use SFTP and no port forwarding etc, and limit the scope to /home (file/folder permissions do the rest).

AllowGroups ssh-users

will only let members of a group ssh-users even log on via SSH. That is, you can limit SSH logon to a subset of your user base.

PermitRootLogin no

should be set and relevant users be made sudoers instead.

PasswordAuthentication no
PubkeyAuthentication yes

should ensure that password over which you have limited control cannot be used to log on.

AuthorizedKeysFile     /some/protected/folder/.ssh/authorized_keys

can ensure that users aren't allowed to manage their authorized_keys file, but requires you to do it on their behalf.

Solution 2

You can do this by (carefully) editing /etc/pam.d/sshd and adding the pam_exec module into the stack. This module can be used to call an external program - such as your script - when someone has successfully started an ssh session.

Let me know if you need "how to" instructions and I'll update my answer to include them for a Debian-based system. (Other distributions have slightly different PAM stacks, so you would have to interpret my instructions rather than follow them blindly.)

Solution 3

Try this:

#!/bin/bash

if [ ! $(whoami) == root ] ; then
echo "Login on $(hostname) at $(date +%Y-%m-%d +%H:%M)"
echo "User: "$(whoami)
echo
id
echo
finger
fi

Related videos on Youtube

06 : 04

Learn SSH In 6 Minutes - Beginners Guide to SSH Tutorial

codebubb

291

31 : 27

How to Setup Nginx Reverse Proxy for Node.js Application

Coding Reflections

32

09 : 56

Linux: Access one Server from Another Server using SSH command

Tech Bites by Kishore

18

58 : 31

Creating a Highly Available website with ALB and EC2

AWS-PTA Meetup

14

04 : 56

How to Access to Your SiteGround Website Directory via SSH using PuTTY

Nerdynaut

4

10 : 19

Allow Or Deny Selected Users/Groups To Login Via SSH in Linux || Nehra Classes

Nehra Classes

1

03 : 16

Unix & Linux: Send email if user accesses the server via ssh (3 Solutions!!)

Roel Van de Paar

0

Author by

rubo77

SCHWUPPS-DI-WUPPS

Updated on September 18, 2022