10

My CentOS/RHEL system may have been hacked, I'm not sure. But I'm playing it safe by creating a new slice from scratch.

I've installed tripwire, but I'd also like to be emailed when anyone logs in. I don't want to wait for the daily logwatch report, I want an immediate email when anyone logs in. Preferably with their IP address too.

Suggestions?

Similar to Send email alert on log file entry? but maybe someone has a technique for this specific issue.

Thanks,

Larry

Added: http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1249534744623+28353475&threadId=698232 has some ideas

LarryK
  • 336

7 Answers

9

You should use a solution for log monitoring like OSSEC, it will look in your logs for security information (including login, sudo, etc.) and send you an e-mail when the alert is important.

It's easy to configure and you can raise the alert level for e-mails or include an alert-by-email on the specific alert.

It can also do configurable active-response, blocking IPs and denying access for a period of time by default.

chmeee
  • 7,548
4

You could put this in your .bashrc

# Put this in root's ~/.bashrc; it mails an alert each time an interactive root shell starts.
echo 'ALERT - Root Shell Access to' "$(hostname)" 'on:' "$(date)" "$(who)" \
  | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" YOUREMAIL
adam
  • 353
4

Slight change of adam's solution which doesn't break if root is logged into more than one terminal:

# who -m ("who am i") reports only the session this shell is attached to,
# so the subject stays a single line even when root has several terminals open.
login_info="$(who -m | cut -d'(' -f2 | cut -d')' -f1)"
message="$(
printf "ALERT - Root Shell Access (%s) on:\n" "$(hostname)"
date
echo
who
)"
mail -s "Alert: Root Access from ${login_info}" admin <<< "${message}"
alexh
  • 41
2

This article describes how to Send email on SSH login using PAM.

Paul
  • 2,068
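A PAM hook of the kind the linked article describes, written here as an added example (it is not the article's script): pam_exec runs it as root for every session sshd opens, including non-interactive `ssh host command` sessions that never source .bashrc, and exports PAM_USER, PAM_RHOST, PAM_TYPE, PAM_SERVICE and PAM_TTY into its environment. The script path, the ADMIN_EMAIL default and the message layout are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example: /usr/local/bin/login-notify.sh (path is an assumption).
# Hook it in with this line in /etc/pam.d/sshd (and /etc/pam.d/login for console logins):
#   session optional pam_exec.so /usr/local/bin/login-notify.sh
# pam_exec calls the script once at login (PAM_TYPE=open_session) and once at
# logout (PAM_TYPE=close_session), with the PAM items exported as environment variables.

ADMIN_EMAIL="${ADMIN_EMAIL:-root}"   # assumption: set to the address that should get alerts

# Print the alert body built from the PAM environment.
# Returns 1 (send nothing) unless this is the open_session call, so the
# matching close_session call at logout does not produce a second mail.
build_alert() {
    [ "$PAM_TYPE" = "open_session" ] || return 1
    printf 'Login: user=%s service=%s tty=%s from=%s host=%s at %s\n' \
        "$PAM_USER" "$PAM_SERVICE" "${PAM_TTY:-?}" "${PAM_RHOST:-local}" \
        "$(hostname 2>/dev/null || uname -n)" "$(date '+%Y-%m-%d %H:%M:%S')"
}

# Mail the alert; a non-zero exit here must not block the login, which is why
# the PAM line above says "optional".
send_alert() {
    body="$(build_alert)" || return 0
    printf '%s\n' "$body" |
        mail -s "Login: ${PAM_USER}@$(hostname 2>/dev/null || uname -n) from ${PAM_RHOST:-local}" \
             "$ADMIN_EMAIL"
}

# Only act when invoked by pam_exec (PAM_TYPE is set); sourcing the file
# elsewhere just defines the functions.
if [ -n "$PAM_TYPE" ]; then
    send_alert
fi
```

Because the hook runs as root from sshd's PAM stack rather than from the user's shell startup files, a user who has already logged in cannot switch it off by editing their own dotfiles; an attacker would need root to remove the line from /etc/pam.d/sshd, which tripwire should then flag.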
2

You can add the appropriate command to, or call a script from, /etc/profile.

2

Be aware though that if your machine has been hacked it may be a trivial task for the hacker - assuming it's not a script kiddie we're talking about there - to disable the email alerting function.

2

I published a bash script on Github Gist that does what you're looking for. It will email the system administrator anytime a user logs in from a new IP address. I use the script to scrutinize logins on our tightly controlled production systems. If a login is compromised, we'd get notified about the unusual login location and have a chance to lock them out of the system before they cause serious damage.

To install the script, just update it with your sysadmin email, and copy it into /etc/profile.d/.

Elliot B.
  • 1,366
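A new-IP detector of the kind described above, written here as an added example rather than Elliot B.'s Gist. It takes the client address from SSH_CONNECTION, keeps one "user ip" line per pair it has seen, and mails only when the pair is new. The paths, the ADMIN_EMAIL default and the state-directory layout are assumptions. Note that files under /etc/profile.d/ are sourced by the login shell as the logging-in user, so that user can write to their own state file, and a login that runs a single command without an interactive shell never sources them at all; the PAM hook does not have either limitation.

```shell
#!/bin/sh
# Added example, not Elliot B.'s Gist: drop in as /etc/profile.d/login-alert.sh.
# Assumptions: STATE_DIR exists with mode 1777 so each user can create and
# append to their own file; ADMIN_EMAIL is the address that receives alerts.
ADMIN_EMAIL="${ADMIN_EMAIL:-root}"
STATE_DIR="${STATE_DIR:-/var/lib/login-alert}"

# Client IP of the current session. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; console logins have none.
session_ip() {
    if [ -n "$SSH_CONNECTION" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        printf 'local\n'
    fi
}

# is_new_login USER IP FILE: succeeds, and records the pair, when USER has
# never been seen from IP before; fails when the pair is already recorded.
is_new_login() {
    [ -f "$3" ] || : > "$3"
    if grep -qxF "$1 $2" "$3"; then
        return 1
    fi
    printf '%s %s\n' "$1" "$2" >> "$3"
}

notify_if_new() {
    user="$(id -un)"
    ip="$(session_ip)"
    if is_new_login "$user" "$ip" "$STATE_DIR/$user"; then
        printf 'New login location: %s from %s on %s at %s\n' \
            "$user" "$ip" "$(hostname 2>/dev/null || uname -n)" "$(date)" |
            mail -s "New login: $user from $ip" "$ADMIN_EMAIL"
    fi
}

# Run only from an interactive shell; sourcing this file in a script just
# defines the functions.
case $- in *i*) notify_if_new ;; esac
```

The first login from every address a user legitimately uses will generate one mail, after which that address is silent; a new address, or the same address for a different account, mails again.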