Send email when anyone logs on
Solution 1
You should use a solution for log monitoring like OSSEC. It will look through your logs for security information (including login, sudo, etc.) and send you an e-mail when the alert is important.
It's easy to configure, and you can raise the alert level for e-mails or include an alert-by-email on the specific alert.
It can also do configurable active-response, blocking IPs and denying access for a period of time by default.
Solution 2
Slight change of adam's solution which doesn't break if root is logged into more than one terminal:
login_info="$(who | head -n1 | cut -d'(' -f2 | cut -d')' -f1)"
message="$(
printf "ALERT - Root Shell Access (%s) on:\n" "$(hostname)"
date
echo
who
)"
mail -s "Alert: Root Access from ${login_info}" admin <<< "${message}"
Solution 3
You could put this in your .bashrc:
echo 'ALERT - Root Shell Access to' $(hostname) 'on:' `date` `who` \
| mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" YOUREMAIL
Solution 4
I published a bash script on GitHub Gist that does what you're looking for. It will email the system administrator anytime a user logs in from a new IP address. I use the script to scrutinize logins on our tightly controlled production systems. If a login is compromised, we'd get notified about the unusual login location and have a chance to lock them out of the system before they cause serious damage.
To install the script, just update it with your sysadmin email, and copy it into /etc/profile.d/.
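A sketch of the approach Solution 4 describes (mail the administrator when a login arrives from an address not seen before), added here as an illustration; it is not the Gist the answer refers to. `ADMIN_EMAIL`, `KNOWN_DIR`, `MAILER` and the function names are assumptions of this example; `SSH_CONNECTION` is the variable sshd sets for the session.

```bash
#!/bin/sh
# Added example, not the Gist mentioned above. Intended for /etc/profile.d/.
# ADMIN_EMAIL, KNOWN_DIR and MAILER are assumed names for this sketch.
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"   # placeholder address
KNOWN_DIR="${KNOWN_DIR:-$HOME/.login-alert}"      # hypothetical state directory
MAILER="${MAILER:-mail}"                          # overridable, e.g. for testing

# Source address of *this* session. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port"; it is unset on the console.
login_source_ip() {
    local ip="${SSH_CONNECTION:-}"
    ip="${ip%% *}"
    case "$ip" in
        '') echo local ;;
        *[!0-9A-Fa-f.:]*) echo invalid ;;   # never pass odd bytes to mail/file
        *) echo "$ip" ;;
    esac
}

# Succeeds if the address has not been recorded for this user, and records it.
# If the state file cannot be written the function still succeeds, so a
# broken or removed state directory produces alerts instead of silence.
is_new_ip() {
    local ip="$1" file="$KNOWN_DIR/known_ips"
    mkdir -p "$KNOWN_DIR" 2>/dev/null || :
    grep -qxF -- "$ip" "$file" 2>/dev/null && return 1
    printf '%s\n' "$ip" 2>/dev/null >> "$file" || :
    return 0
}

# Mail the administrator once per previously unseen source address.
alert_login() {
    local user ip
    user="$(id -un)"
    ip="$(login_source_ip)"
    is_new_ip "$ip" || return 0
    {
        printf 'ALERT - login by %s on %s from new address %s\n' \
            "$user" "$(hostname)" "$ip"
        date
        who
    } | "$MAILER" -s "Alert: ${user} login from ${ip}" "$ADMIN_EMAIL"
}

# The state file is owned by the user logging in, so an intruder can edit it
# after the first alert has gone out; treat that first mail as the signal.
case $- in *i*) alert_login ;; esac   # interactive shells only
```

On CentOS/RHEL, `/etc/profile` sources only files in `/etc/profile.d/` whose names end in `.sh`.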
Solution 5
Be aware though that if your machine has been hacked it may be a trivial task for the hacker - assuming it's not a script kiddie we're talking about there - to disable the email alerting function.
Updated on September 17, 2022
Comments
-
LarryK over 1 year
My CentOS/RHEL system may have been hacked, I'm not sure. But I'm playing it safe by creating a new slice from scratch.
I've installed tripwire, but I'd also like to be emailed when anyone logs in. I don't want to wait for the daily logwatch report, I want an immediate email when anyone logs in. Preferably with their ip address too.
Suggestions?
Similar to Send email alert on log file entry? but maybe someone has a technique for this specific issue.
Thanks,
Larry
Added: http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1249534744623+28353475&threadId=698232 has some ideas
-
Snowlockk about 12 years
Please nuke it from orbit. i.stack.imgur.com/cFSC5.png
-
LarryK almost 15 years
Yes, that's why I want an email sent as soon as anyone logs in. -- The server doesn't get that many logins. I figure that way it will lower the odds of someone being able to prevent the email going out about their initial break-in (if via a login shell).
-
HBruijn almost 6 years
Please try to not copy-and-paste your own answers. If you feel that questions are essentially the same and the same solution applies to both, the preferred method is to mark one question as duplicate of the other.
-
Elliot B. almost 6 years
@HBruijn I considered that approach. However, in this case, the two questions are similar, but not duplicate -- yet the same answer still applies to both.