Whenever we install, configure, and secure Linux servers in a production environment, it's crucial to keep track of what is happening on the servers and who logs into them.

Why? Because if someone logs into the server as the root user using brute-force tactics over SSH, think about how he will destroy your server. Any user who gains root access can do whatever he wants. To block such SSH attacks, read our following articles that describe how to protect servers from such attacks.
- Block SSH Server Brute Force Attacks Using DenyHosts
- Use Pam_Tally2 to Lock and Unlock SSH Failed Logins
- 5 Best Practices to Secure and Protect SSH Server
So, it's not good practice to allow direct root login over SSH; we recommend creating non-root accounts with sudo access. Whenever root access is needed, first log in as a normal user and then use su to switch over to the root user. To disable direct SSH root logins, follow our article below that shows how to disable and limit root login in SSH.
However, this guide shows a simple way to know when someone logs in as root or as a normal user: the server sends an email alert to the specified email address, along with the IP address of the last login. Once you know the IP address of a login made by an unknown user, you can block SSH logins from that particular IP address on the iptables firewall.
How to Set SSH Login Email Alerts in Linux Server
To carry out this tutorial, you must have root-level access on the server, a little knowledge of the nano or vi editor, and mailx (a mail client) installed on the server to send the emails. Depending upon your distribution, you can install the mailx client using one of the following commands.
On Debian/Ubuntu/Linux Mint
# apt-get install mailx
On RHEL/CentOS/Fedora
# yum install mailx
Set SSH Root Login Email Alerts
Now log in as the root user and go to root's home directory by typing the cd /root command.
# cd /root
Next, add an entry to the .bashrc file. This file sets local environment variables for the user and runs some login tasks. For example, here we are setting an email login alert.
Open the .bashrc file with the vi or nano editor. Remember that .bashrc is a hidden file; you won't see it with the ls -l command. You have to use the -a flag to see hidden files in Linux.
# vi .bashrc
Add the following whole line at the bottom of the file. Make sure to replace "ServerName" with the hostname of your server and change "[email protected]" to your email address.
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Save and close the file, then log out and log back in. Once you log in via SSH, the .bashrc file is executed by default and sends you an email alert of the root login.
Sample Email Alert
ALERT - Root Shell Access (Database Replica) on: Thu Nov 28 16:59:40 IST 2013 tecmint pts/0 2013-11-28 16:59 (172.16.25.125)
Set SSH Normal User Login Email Alerts
Log in as a normal user (tecmint) and go to the user's home directory by typing the cd /home/tecmint/ command.
# cd /home/tecmint
Next, open the .bashrc file and add the following line at the end of the file. Make sure to replace the values as shown above.
echo 'ALERT - User Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: User Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Save and close the file, then log out and log in again. Once you log back in, the .bashrc file is executed and sends you an email alert of the user login.
This way you can set an email alert for any user. Just open the user's .bashrc file, which should be located under the user's home directory (i.e. /home/username/.bashrc), and set the login alert as described above.
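An added example, not part of the original article: the one-liner above calls who, which lists every logged-in session, so the subject can carry several sources, and a local graphical login shows ":0" instead of an IP address. This version reports only the current session and labels local logins. ALERT_TO, admin@example.com and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. ALERT_TO is a placeholder.
ALERT_TO="${ALERT_TO:-admin@example.com}"

# Print the text inside the trailing "(...)" of one `who` line, if any.
who_source() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p'
}

# Turn a source field into a label: ":0" is a local X display, not an IP.
classify_source() {
    case "$1" in
        '')      echo "local console" ;;
        :[0-9]*) echo "local X display $1" ;;
        *)       echo "remote host $1" ;;
    esac
}

# Source of the current session only. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; otherwise fall back to
# `who -m`, which reports just the session attached to this terminal.
session_source() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        echo "${SSH_CONNECTION%% *}"
    else
        who_source "$(who -m 2>/dev/null)"
    fi
}

# Build the mail subject for user $1 and source field $2.
alert_subject() {
    echo "Alert: shell access for $1 from $(classify_source "$2")"
}

# Call this from .bashrc; it does nothing if no mail client is installed.
send_login_alert() {
    command -v mail >/dev/null 2>&1 || return 0
    user=$(id -un)
    echo "ALERT - Shell Access ($(hostname)) on: $(date) by $user" |
        mail -s "$(alert_subject "$user" "$(session_source)")" "$ALERT_TO"
}

# Demo on who-style lines: the two samples quoted on this page plus one
# constructed console line with no source field.
for line in "tecmint pts/0 2013-11-28 16:59 (172.16.25.125)" \
            "username-here tty7 2017-05-01 11:48 (:0)" \
            "root tty1 2024-01-01 09:00"; do
    alert_subject "${line%% *}" "$(who_source "$line")"
done
```

To use it, source the functions from .bashrc and add a call to send_login_alert on the last line.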
Create an alert on my server such that if anyone other than my and my manager's IPs logs in to the server, we should get a mail-based alert with the user ID & IP address.
Please help.
@Pandurang,
Check this article..
How to Get Root and User SSH Login Email Alerts
Thanks a ton, after implementing I am able to get root SSH login email alerts..
Hi, I just tested this on my Linux box and it works well. However, if I need to reverse the script, how do I achieve that?
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Hello!
I get this when attempting to install mailx with the above command.
As the message says, apt-get install mailutils works.
Thank you for sharing your knowledge.
When I am trying the command I am getting.
I didn't find any solutions.
What about su -c?
After I originally left a comment I seem to have clicked on the Notify me when new comments are added- checkbox and now each time a comment is added I receive four emails with the exact same comment. There has to be a way you are able to remove me from that service? Thanks a lot!
@Aida,
Sorry for that, could you forward those emails to [email protected], let me go through it and fix it.
When I tried logging in as root, I get this error message. What does this mean?
Sir, I need one help from you.
Can't I get any user login email alert through the mail? I have tried, but mail.err and mail log give me an error. Below is the code (changed hostname, email)
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
I have written a script for capturing an image and email later notification
@Santhos,
Could you share your maillog error logs here, so that it would help us in solving your problem?
Ravi – do you know why I would see :0 instead of an IP Address? Please let me know.
ALERT – Root Shell Access (server-here) on: Mon May 1 11:52:31 EDT 2017 username-here tty7 2017-05-01 11:48 (:0)
@Mike,
Have you added following code correctly to your .bashrc file?
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Yes – and it works great every time I log in! But I had one time where I did not log into the system but got an email and it was from “:0” so I was wondering if that may have been the system or something else?
@Ravi, any word on the “:0”? It works great when I log in but one time when no one logged in I got an email with “:0” as the login … I thought it was odd…
@Ravi Saive – what does it mean when I see :0 instead of an IP Address? See below:
ALERT – Root Shell Access (server-here) on: Mon May 1 11:52:31 EDT 2017 username-here tty7 2017-05-01 11:48 (:0)
Hi, I think your site might be having browser compatibility issues. When I look at your blog in Safari, it looks fine but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up! Other than that, very good blog!
Excellent post. Ne'er knew this, thank you for letting me know.
Hi, how to make two email out to inform the admin?
thanks
@Gilang,
Either make two entries for each email address or add comma like email, email2, etc..
Hi,
I always get the message (mail.log) “no recepient address found in message header”
Where is this recipient address specified?
Thanks for your help, I'm desperate.
With kind regards,
Edwin
Hi, how can we set SSH mail alert other than one specific IP.
I want to set SSH login root mail alert same working as well now my requirement is I want to get SSH root alert mail if other than one specific IP are
login.
Thanks & regards
Randhr
In .bashrc a user can always remove that line after the first login.
What we can do to prevent it?
Love this thread, I added [email protected] and now I get TXT / SMS messages to my phone when anyone logs in with Root access, thank you. Love this post.
Thanks for the good info.
How to configure alert for vsftpd user logins?
Is it possible to exclude alerts if logged in from a specific IP address?
Hi there,
It’s possible to configure this alert only in some specific time of the day ?
Like when I'm out of the company?
Thank you.
Hi,
I have installed this and added my email to bashrc but not getting any email alerts
Does your server have an SMTP service like sendmail or postfix installed and running?
Dear Ravi Saive,
I want to thank you, I learned a lot from your posts. This post works great. After I put these codes in the bashrc file, I receive email notification immediately when I login SSH.
The smtp port 25 should be open and we should make sendmail or postfix working. Otherwise no emails go out.
And if the email account has message arrival notification function to mobile phone, we receive sms messages when users login with SSH.
Thank you very much.
Lampk
First I'd like to thank you for this great knowledge share.
Is it possible to send this alert as SMS?
Great document. Is it possible to get system or root access alert on an Android mobile phone? I checked with gnokii but for that we need a Nokia phone, but I want to configure it on an Android phone.
Hi, I have installed this and added my email to bashrc but not getting any email alerts
Is your SMTP port 25 open on the firewall?