how to automatically send email when someone logs in to server via ROOT?

  #1  
Junior Guru Wannabe
 
Join Date: Jun 2009
Posts: 46


Hi guys,

I want to have an email alert every time someone logs in to my server using the ROOT user.

The server is based on Linux system.

Cheers,
toby



  #2  
Junior Guru
 
Join Date: Jun 2009
Location: Kochi,India
Posts: 177
E-mail Alert on Root SSH Login

Quote:

1. Log in to the server via SSH using root
2. cd /root
3. vi .bash_profile
4. At the end of the file add the following line:

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com

Replace YourServerName with the handle for your actual server

Replace you@yourdomain.com with your actual email address

Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert a few minutes afterwards.

  #3  
Premium Member
 
Join Date: Oct 2006
Location: /usr/src/linux/
Posts: 699
Instead of
Code:
`who | cut -d"(" -f2 | cut -d")" -f1`
You may use
Code:
$SSH_CLIENT

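Added example (not part of any post in this thread): a /root/.bash_profile fragment that follows the suggestion above to read $SSH_CLIENT instead of parsing the output of who, and that still works for a console login where the variable is unset. The function names and ALERT_TO are hypothetical; like the original one-liner, it assumes a working mail command.

```shell
# Added example for /root/.bash_profile; not code from the thread.
# ALERT_TO and the function names below are hypothetical.
ALERT_TO="you@yourdomain.com"   # placeholder address used in the thread

# Print the source address of this session.
# sshd sets SSH_CLIENT to "client_ip client_port server_port";
# it is unset for a local console login.
root_login_source() {
    if [ -n "${SSH_CLIENT:-}" ]; then
        # Strip everything after the first space (works for IPv4 and IPv6).
        printf '%s\n' "${SSH_CLIENT%% *}"
    else
        printf 'local-console\n'
    fi
}

# Subject line: source address plus this server's hostname.
root_login_subject() {
    printf 'Alert: Root Access from %s on %s' \
        "$(root_login_source)" "$(hostname 2>/dev/null || uname -n)"
}

# Message body: timestamp, source, and the sessions currently open.
root_login_body() {
    printf 'ALERT - Root Shell Access on: %s\n' "$(date)"
    printf 'Source: %s\n\n' "$(root_login_source)"
    printf 'Sessions reported by who:\n'
    who
}

# Send the alert; do nothing if no mail command is installed,
# so a missing mailer never blocks the login itself.
send_root_login_alert() {
    command -v mail >/dev/null 2>&1 || return 0
    # Quoting the subject keeps the address from being split into extra arguments.
    root_login_body | mail -s "$(root_login_subject)" "$ALERT_TO"
}

# Only fire for interactive shells.
case $- in
    *i*) send_root_login_alert ;;
esac
```

.bash_profile is read only by bash login shells, so non-interactive SSH use such as scp or a single remote command does not trigger this alert.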


  #4  
Junior Guru Wannabe
 
Join Date: Jun 2009
Posts: 46
Sorry guys, what does YourServerName mean? What name should I use?

By the way, if I type the above command wrongly, will there be any bad impact on my server? i.e. will my server crash?
I'm a newbie

  #5  
Junior Guru
 
Join Date: Jun 2009
Location: Kochi,India
Posts: 177
[root@localhost ~]# hostname
server1.domain.com

Here server1.domain.com is the name of the server. In the same way, check your server name with the hostname command. Also, this code won't cause any problems for your server.


Last edited by Rekhatitus; 06-08-2009 at 03:15 AM. Reason: correction
  #6  
New Member
 
Join Date: Mar 2008
Posts: 1
You can use this firewall:
ConfigServer Security & Firewall

It helps to set alerts for numerous security issues.

  #7  
Junior Guru Wannabe
 
Join Date: Apr 2009
Posts: 35
I had this script before and it worked, but for some reason it has not been working for a long time.

Does anybody know what can interfere?

I did not change anything.

  #8  
Junior Guru Wannabe
 
Join Date: Apr 2009
Posts: 35
Bump! Please see the above.
What can cause this? I do not receive any email alerts any more, even though I used to receive them and I did not change the line.
Can other firewalls or any other setting interfere with that?

  #9  
RedHat Certified
 
Join Date: Mar 2009
Location: Israel
Posts: 1,204
Anything to show us from /var/log/maillog? :-)


  #10  
Junior Guru Wannabe
 
Join Date: Apr 2009
Posts: 35
Dear, is this what you want?

Code:
Jun  7 04:35:22 server dovecot[1870]: pop3-login: Disconnected (no auth attempts): rip=84.74.735.96, lip=261.159.17.520
Jun  7 20:03:43 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
Jun  7 20:47:09 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
Jun  7 21:59:58 server spamd[2988]: spamd: connection from localhost.localdomain [127.0.0.1] at port 42570 
Jun  7 21:59:58 server spamd[2988]: spamd: setuid to george succeeded 
Jun  7 21:59:58 server spamd[2988]: spamd: processing message <53b412d1ff54e8138db90699711b3b16@localhost.localdomain> for george:503 
Jun  7 22:00:02 server spamd[2988]: spamd: clean message (5.9/10.0) for george:502 in 3.8 seconds, 5254 bytes. 
Jun  7 22:00:02 server spamd[2988]: spamd: result: . 5 - AWL,DNS_FROM_AHBL_RHSBL,DNS_FROM_OPENWHOIS,HTML_IMAGE_ONLY_24,HTML_MESSAGE,RCVD_IN_SSC_TRUSTED_COI,URIBL_JP_SURBL scantime=3.8,size=5254,user=george,uid=502,required_score=10.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=42570,mid=<53b412d1ff5yeyey9971y16@localhost.localdomain>,autolearn=no 
Jun  7 22:00:02 server spamd[2761]: prefork: child states: II 
Jun  7 22:05:12 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
Jun  7 22:50:59 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
Jun  7 23:41:16 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=74.53.235.98, lip=261.159.17.520
Jun  8 15:01:45 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=222.231.57.141, lip=261.159.17.520
Jun  8 15:01:45 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=222.231.57.141, lip=221.139.14.122
Jun  8 15:01:45 server dovecot[12870]: pop3-login: Disconnected (no auth attempts): rip=222.231.57.141, lip=241.135.14.123
Jun  8 20:07:51 server spamd[2988]: spamd: connection from localhost.localdomain [127.0.0.1] at port 42938 
Jun  8 20:07:51 server spamd[2988]: spamd: setuid to george succeeded 
Jun  8 20:07:51 server spamd[2988]: spamd: processing message <694c01c3495$yeyed9a8825yy0$6a38093a@SALE2-08> for george:502 
Jun  8 20:07:56 server spamd[2988]: spamd: identified spam (26.3/10.0) for george:502 in 4.5 seconds, 13360 bytes. 
Jun  8 20:07:56 server spamd[2988]: spamd: result: Y 26 - DATE_IN_FUTURE_03_06,DNS_FROM_AHBL_RHSBL,DNS_FROM_OPENWHOIS,DYN_RDNS_SHORT_HELO_HTML,HS_INDEX_PARAM,HTML_MESSAGE,L_SPAM_TOOL_13,MIME_HTML_ONLY,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_SSC_TRUSTED_COI,RCVD_IN_XBL,RDNS_DYNAMIC,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=4.5,size=13360,user=george,uid=502,required_score=10.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=42938,mid=<694c05333d9a88tee0$tee3a@SALE2-08>,autolearn=spam 
Jun  8 20:07:56 server spamd[2761]: prefork: child states: II

  #11  
Junior Guru Wannabe
 
Join Date: Mar 2009
Location: Near You..
Posts: 81
If you have any software firewall (csf/apf) installed on the server, this can be easily configured.
