Send email if user accesses the server via ssh

Question

I want to get notified if any person accesses my Debian server via ssh.

So I want to send an email whenever a user logs in on my server via ssh, so I added this line at the end of /etc/profile:

/usr/local/bin/shell-login.sh | mailx -s "SSH Login User $(whoami) on YOUR-HOSTNAME" [email protected]

/usr/local/bin/shell-login.sh contains:

#!/bin/bash

echo "Login on $(hostname) at $(date +%Y-%m-%d +%H:%M)"
echo "User: "$(whoami)
echo
id
echo
finger

This works too well: I get an email every minute now telling me that root is logging in, which seems to be caused by cron (see /var/log/auth.log)

How do I have to change this setup to send no emails on automated internal ssh-calls?

Answer 1

To me the question is still unclear, so I try to answer the question contained in the first paragraph. How to log SSH logins?

I will also limit my answer to all *nix systems with PAM support. This is a relevant point, because you do not limit the scope of your question by giving a particular OS.

---

Okay, here's what I used in the past: sshrc. If you add a file named that in /etc/ssh (location may vary!), it will be executed by interactive (i.e. with shell) SSH connections.

Downside here is that you won't get informed about the stuff that is also relevant, such as SFTP (sftp-internal subsystem) connections.

However, we have an inroute here.

We can use PAM with pam_exec.so to our advantage and limit its effect to SSH by adding this to /etc/pam.d/sshd (for me it's the last non-comment line):

session    optional     pam_exec.so stdout /etc/your_email_script.sh

This will ensure that the script gets run as a privileged user (relevant if you prefer to call the sendmail binary to send off the mail) and that there is hardly anything the user can do to avoid this script being run. You can effectively limit access to that script to only root.

The part with optional you should adjust if needed. Relevant reading: man pam_exec, man pam.conf, man pam.d.

You may also want to play with how early on you want to execute your script.

---

What you see to miss is. You have so many other ways of locking down the server. For starters: don't allow passwords. Stick to key-only authentication. Make sure that people with only SFTP access do not have additional access:

Match group sftponly
        ChrootDirectory /home
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        PasswordAuthentication no

will let members of group sftponly only use SFTP and no port forwarding etc, and limit the scope to /home (file/folder permissions do the rest).

AllowGroups ssh-users

will only let members of a group ssh-users even log on via SSH. That is, you can limit SSH logon to a subset of your user base.

PermitRootLogin no

should be set and relevant users be made sudoers instead.

PasswordAuthentication no
PubkeyAuthentication yes

should ensure that password over which you have limited control cannot be used to log on.

AuthorizedKeysFile     /some/protected/folder/.ssh/authorized_keys

can ensure that users aren't allowed to manage their authorized_keys file, but requires you to do it on their behalf.

Answer 2

Try this:

#!/bin/bash

if [ ! $(whoami) == root ] ; then
echo "Login on $(hostname) at $(date +%Y-%m-%d +%H:%M)"
echo "User: "$(whoami)
echo
id
echo
finger
fi

Answer 3

You can do this by (carefully) editing /etc/pam.d/sshd and adding the pam_exec module into the stack. This module can be used to call an external program - such as your script - when someone has successfully started an ssh session.

Let me know if you need "how to" instructions and I'll update my answer to include them for a Debian-based system. (Other distributions have slightly different PAM stacks, so you would have to interpret my instructions rather than follow them blindly.)