Have you ever wanted to know when someone logs into your server with SSH? I did a while back so I came up with a way to send SSH login alerts by e-mail when someone logs into a server.
I wrote this up while testing on my Raspberry PI so it should be about the same for any Debian based distro.
1. Install mSMTP
We are going to use mSMTP to send our SSH login alert e-mails to a smtp server. To download this for a Debian based distro use this command.
apt-get install msmtpDepending on your distro you may also need sudo in front of that command.
2. Install ca-certificates
Most likely you already have this. I did on a raspberry pi. But if not you need the certificate authority certificates to validate the SMTP server you will connect to.
apt-get install ca-certificates3. Setup mSMTP Config File
This part took me the longest to figure out. First I was expecting there to already be a config file that I would just edit but it turns out you have to make the folder and the file yourself.
Then I had to fight with the settings for a while until I found something that works for my SMTP server.
I stored my config file at /home/MyUsername/.msmtprc because I only have one user account that can access SSH. But the documents say you can setup a system wide config file as well.
#Set default values
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
#default smtp account
account default
protocol smtp
tls_starttls on
from email@sysjolt.com
user Your_SMTP_username
password Your_SMTP_password
host smtp.maleserver.example
port 587I’m not 100% sure if the tls_trust_file setting is needed. This may be depended on your distro. I know on my Raspberry PI it works fine without this line but I left it in anyway.
The other settings I had to play with to get working for my SMTP host. They may not be the same for you.
4 Testing the mSMTP command
This was another thing that took me some trial and error to figure out. Hopefully I will save you a lot of time.
In order to send a full message we need to use newline characters. In order to do that I use the printf command.
First comes the Subject of the e-mail. Then 2 newline characters. Then the body of the e-mail. So it will look something like this.
printf "Subject: This is the Subject text.\n\nThis is the body text | msmtp receiver@email.comSo “Subject: ” and the “\n\n” are required. The rest is what you fill in. Then we pipe the printf to the msmtp command and give it the e-mail address we want to send to.
If everything is setup right this should send the message to your SMTP server and that server will send the message on to the e-mail address.
If you get an error you might have to play with the settings in the config file a bit to get it working.
5. Sending SSH Login Alerts
In the home folder of the user account we want to monitor we need to open the .bashrc config file with a text editor. This is found at /Home/username/.bashrc.
Scroll to the very bottom and append this:
IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")
printf "Subject: SSH Login Notification\n\nSomeone from "$IP" logged into "$HOSTNAME" on$NOW. | msmtp receiver@email.comNOTE: You will notice my $NOW variable has no quotes around it. Something about the way date is saved was causing a issue with printf. But removing the quotes seem to fix it.
This script will run every time this user logs into SSH and as a result you will get an e-mail alert.
In Closing
I think this is very cool and in my head it seems like it would let you know if someone managed to break into the server with that account. But I’m sure it won’t catch everything. So I think of it as just another layer of security and not a fail proof plan.
I hope this helps you and I hope my struggles saves you time haha. Please leave a comment below if you have any suggestions or anything to add!
