  1. #1

    How to automatically send email when someone logs in to the server via ROOT?

    Hi guys,

    I want to have an email alert every time someone logs into my server using the ROOT user.

    The server is based on Linux system.

    Cheers,
    toby

  2. #2
    Join Date: Jun 2009 | Location: Kochi, India | Posts: 179
    E-mail Alert on Root SSH Login


    1. Log in to the server via SSH using root
    2. cd /root
    3. vi .bash_profile
    4. At the end of the file add the following line:

    echo 'ALERT - Root Shell Access (YourServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com

    Replace YourServerName with the handle for your actual server

    Replace you@yourdomain.com with your actual email address

    Now log out of SSH, close the connection and log back in! You should receive an email of the root login alert a few minutes afterwards.

  3. #3
    Join Date: Oct 2006 | Location: /usr/src/linux/ | Posts: 700
    Instead of
    Code:
    `who | cut -d"(" -f2 | cut -d")" -f1`
    You may use
    Code:
    $SSH_CLIENT
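
    Added example, not part of any post in this thread: the alert from post #2 rewritten as a shell function that takes the client address from `$SSH_CLIENT` as post #3 suggests, fills in the server name with `hostname`, and writes a syslog entry when the mail command is missing or fails. The function names, the `MAILER` override variable and the `root-login-alert` syslog tag are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the thread): root-login alert for /root/.bash_profile.
ALERT_TO="you@yourdomain.com"   # placeholder address from the thread; replace it

# $SSH_CLIENT holds "client_ip client_port server_port"; keep only the IP.
# An empty value means a non-SSH login (console, su -), reported as "local".
client_ip() {
    if [ -n "$1" ]; then
        printf '%s\n' "${1%% *}"
    else
        printf 'local\n'
    fi
}

# Subject line: where the login came from and which server it hit.
alert_subject() {
    printf 'Alert: Root Access from %s on %s\n' "$(client_ip "$1")" "$2"
}

# Send the alert. If mail is missing or exits non-zero, record that in syslog
# so a silently broken alert leaves a trace. MAILER is an assumed override
# variable for testing; it defaults to the mail command used in the thread.
send_root_alert() {
    local mailer host subject
    mailer="${MAILER:-mail}"
    host="$(hostname)"
    subject="$(alert_subject "${SSH_CLIENT:-}" "$host")"
    if ! command -v "$mailer" >/dev/null 2>&1; then
        logger -t root-login-alert "no '$mailer' command, not sent: $subject"
        return 1
    fi
    if ! printf 'ALERT - Root Shell Access (%s) on: %s\n%s\n' \
            "$host" "$(date)" "$(who)" | "$mailer" -s "$subject" "$ALERT_TO"; then
        logger -t root-login-alert "'$mailer' failed, not sent: $subject"
        return 1
    fi
}

# In /root/.bash_profile: source this file, then call send_root_alert.
# Running the file directly with --send does the same for a manual test.
if [ "${1:-}" = "--send" ]; then
    send_root_alert
fi
```

    A zero exit from `mail` only means the local mail system accepted the message, so delivery problems still have to be traced in /var/log/maillog. Because `.bash_profile` is read only by login shells, a command run non-interactively as `ssh root@server <command>` does not trigger this alert.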

  4. #4
    Sorry guys, what does YourServerName mean? What name should I use?

    By the way, if I type the above command wrongly, will there be any bad impact on my server? i.e. will my server crash?
    I'm a newbie

  5. #5
    Join Date: Jun 2009 | Location: Kochi, India | Posts: 179
    [root@localhost ~]# hostname
    server1.domain.com

    Here server1.domain.com is the name of the server. In the same way, check your server name with the command hostname. Also, this code won't create any problem for your server.
    Last edited by Rekhatitus; 06-08-2009 at 03:15 AM. Reason: correction

  6. #6
    You can use this firewall....
    ConfigServer Security & Firewall

    It helps to set alerts for numerous security issues...

  7. #7
    I had this script before and it worked, but for some reason it has not been working for a long time.

    Does anybody know what can interfere?

    I did not change anything.

  8. #8
    Bump! Please see the above.
    What can cause this? I do not receive any email alert any more, even though I used to receive the email and I did not change the line.
    Can other firewalls or any other setting interfere with that?

  9. #9
    Join Date: Mar 2009 | Location: Israel | Posts: 1,212
    Anything to show us from /var/log/maillog? :-)

  10. #10
    Dear, is this what you want?

    Code:
    Jun  7 04:35:22 server dovecot[1870]: pop3-login: Disconnected (no auth attempts): rip=84.74.735.96, lip=261.159.17.520
    Jun  7 20:03:43 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
    Jun  7 20:47:09 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
    Jun  7 21:59:58 server spamd[2988]: spamd: connection from localhost.localdomain [127.0.0.1] at port 42570 
    Jun  7 21:59:58 server spamd[2988]: spamd: setuid to george succeeded 
    Jun  7 21:59:58 server spamd[2988]: spamd: processing message <53b412d1ff54e8138db90699711b3b16@localhost.localdomain> for george:503 
    Jun  7 22:00:02 server spamd[2988]: spamd: clean message (5.9/10.0) for george:502 in 3.8 seconds, 5254 bytes. 
    Jun  7 22:00:02 server spamd[2988]: spamd: result: . 5 - AWL,DNS_FROM_AHBL_RHSBL,DNS_FROM_OPENWHOIS,HTML_IMAGE_ONLY_24,HTML_MESSAGE,RCVD_IN_SSC_TRUSTED_COI,URIBL_JP_SURBL scantime=3.8,size=5254,user=george,uid=502,required_score=10.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=42570,mid=<53b412d1ff5yeyey9971y16@localhost.localdomain>,autolearn=no 
    Jun  7 22:00:02 server spamd[2761]: prefork: child states: II 
    Jun  7 22:05:12 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
    Jun  7 22:50:59 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
    Jun  7 23:41:16 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
    Jun  8 15:01:45 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=222.231.57.141, lip=261.159.17.520
    Jun  8 15:01:45 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=222.231.57.141, lip=221.139.14.122
    Jun  8 15:01:45 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=222.231.57.141, lip=241.135.14.123
    Jun  8 20:07:51 server spamd[2988]: spamd: connection from localhost.localdomain [127.0.0.1] at port 42938 
    Jun  8 20:07:51 server spamd[2988]: spamd: setuid to george succeeded 
    Jun  8 20:07:51 server spamd[2988]: spamd: processing message <694c01c3495$yeyed9a8825yy0$6a38093a@SALE2-08> for george:502 
    Jun  8 20:07:56 server spamd[2988]: spamd: identified spam (26.3/10.0) for george:502 in 4.5 seconds, 13360 bytes. 
    Jun  8 20:07:56 server spamd[2988]: spamd: result: Y 26 - DATE_IN_FUTURE_03_06,DNS_FROM_AHBL_RHSBL,DNS_FROM_OPENWHOIS,DYN_RDNS_SHORT_HELO_HTML,HS_INDEX_PARAM,HTML_MESSAGE,L_SPAM_TOOL_13,MIME_HTML_ONLY,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_SSC_TRUSTED_COI,RCVD_IN_XBL,RDNS_DYNAMIC,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=4.5,size=13360,user=george,uid=502,required_score=10.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=42938,mid=<694c05333d9a88tee0$tee3a@SALE2-08>,autolearn=spam 
    Jun  8 20:07:56 server spamd[2761]: prefork: child states: II

  11. #11
    Join Date: Mar 2009 | Location: Near You.. | Posts: 81
    If you have any software firewall (csf/apf) installed in the server, this can be easily configured.
