Want to be notified instantly when someone logs into your server as root? No problem. there was recently a discussion over on the vps.net forums after an incident where a user had had several of there servers logged into as root by an unknown source (since resolved) a helpful user (R4Z0R49) posted this helpful guide and I have cleaned it up and added some further notes and caveats.
While I wouldn’t recommend allowing root logins over SSH and prefer to setup non root accounts with sudo access, sometimes for one reason or another, root over ssh is needed. This guide should also log su logins to root as well, because by using su you login to that users enviroment and it loads the users environment which then calls the same file that loads stuff like variables and paths when you login over ssh so you should also get an email in this instance too.
Check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you’re dealing with the super user account. We recommend that you use an email address not hosted on the server your sending the alert from.
To carry out this tutorial you need to have root level access to your server in some form or another, I assume you have already logged in as root or otherwise escalated your privileges to root level, I will also assume you use the nano text editor, feel free to use any other editor you are comfortable with such as vi or otherwise.
It is recommended to have mailx installed to send the emails, depending on your system you can install it with either one of the following commands on debian/ubuntu (apt) or centos(yum) systems respectively.
apt-get install mailx
yum install mailx
Now we need to make sure we are in root’s home directory (this should be the same on all linux systems)
We now want to edit the .bashrc file to add some code to do the emailing this file is the environment file and pretty much all servers use bash for the root user by default. This file will set local environment variables for the user and can also perform some other cool login tasks like we are going to do below – NOTE: .bashrc is a hidden file so you wont normally see this by doing a normal ls command in this directory, if you want to see it on ls you need to use the -a flag to view all files.
At the bottom of the file we want to add the following line, replacing YourserverName with a suitable name for your server (I find the system hostname is often the easiest to distinguish particularly if you have several servers) and change email@example.com to a suitable email address – I would recommend using an email address not hosted on the server as it could be intercepted by someone if they were aware of such a system being in place (now is a great time to use google apps!)
[bash]echo ‘ALERT – Root Shell Access (YourserverName) on:’ `date` `who` | mail -s “Alert: Root Access from `who | cut -d'(‘ -f2 | cut -d’)’ -f1`” firstname.lastname@example.org[/bash]
Save and exit the file by pressing Crtl + X and then Y, then hitting Enter
Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert a few minutes afterwards.
You can do this for any user you want to get email alerts on login for, assuming they are assigned the bash shell then edit there .bashrc file which should be found in /home/username/.bashrc.
If you want to do this for all users you have 2 options. either edit /etc/profile instead of .bashrc or install CSF & LFD and set it up as it has an SSH and SU login detection system that will email upon login without having to make these profile changes. I shall put up a post on how to install and setup CSF & LFD in a further blog post.