Root login alert + some cool login info

This tutorial works for Linux only. For a tutorial specific to your OS, use the tags or the search function in the sidebar.

What did an old admin always say? "Remember, there is nothing wrong with having too many ways of identifying a security breach." Yeah. As long as you don't waste too many resources on it, I would add.

If you followed the tricks from the previous tutorials about SSH access, you have taken the first step on the road to s.a.f.e.t.y., but it is always good to know if somebody successfully logged in to your root account, right? So why not get an e-mail about every successful root login? O.K.

Every system user has their own home directory. In this directory you can find a file called '.bashrc' (yes, with a dot at the beginning), and you can put quite cool things in there.

We'll do this for the root user here, but it can be done for any user on the system.

First, let's see the contents of that file.

Type:

  1. cd ~
    change the current directory to the current user's home directory
  2. ls -la
    list the contents of the directory (-a includes files whose names start with a dot)
  3. cat .bashrc
    simply display the file's contents on the screen
[root@vps ~]# cd ~
[root@vps ~]# ls -la
total 40
dr-xr-x--- 4 root root 4096 Jul 3 10:56 .
drwxr-xr-x 21 root root 4096 Jul 2 02:31 ..
-rw------- 1 root root 2461 Jul 3 13:58 .bash_history
-rw-r--r-- 1 root root 18 May 20 2009 .bash_logout
-rw-r--r-- 1 root root 176 May 20 2009 .bash_profile
-rw-r--r-- 1 root root 176 Sep 22 2004 .bashrc
drwx------ 3 root root 4096 Jul 3 10:52 .config
-rw-r--r-- 1 root root 100 Sep 22 2004 .cshrc
drwx------ 2 root root 4096 Jul 3 11:21 .mc
-rw-r--r-- 1 root root 129 Dec 3 2004 .tcshrc
[root@vps ~]# cat .bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
[root@vps ~]#
 

As you can see, in the .bashrc file you can put some command aliases, let's say

alias up='yum -y update'

so if you enter 'up' and hit 'Enter', yum will start updating your system (as learned in previous posts).

But let's get back to work.

After the aliases, but before the '# Source global definitions' lines, copy and paste this piece of code:

############# login alert START
# 'who -m' shows only the session on this terminal (plain 'who' lists every
# logged-in user); $NF is the last field, the '(host)' part, whatever date format 'who' uses.
echo 'ALERT - SSH access (root):' `date` `who -m` | mail -s "SSH access (root) from `who -m | awk '{print $NF}'`" me@gmail.com
############# login alert END
 

so it looks like this:

 
[root@vps ~]# cat .bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
############# login alert START
# 'who -m' shows only the session on this terminal (plain 'who' lists every
# logged-in user); $NF is the last field, the '(host)' part, whatever date format 'who' uses.
echo 'ALERT - SSH access (root):' `date` `who -m` | mail -s "SSH access (root) from `who -m | awk '{print $NF}'`" me@gmail.com
############# login alert END

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
[root@vps ~]#
 

Instead of 'me@gmail.com', enter your e-mail address.

Next, log out and log in again over SSH. Don't forget to check your e-mail. The alert is handed to the local 'mail' command, so the server needs a working mail setup (an MTA such as sendmail or postfix) that can actually deliver to your address.

Extension

Now, if you always log in to your VPS from one static IP and you don't want to receive an e-mail every time you log in, you can extend the code a little:

Edit .bashrc file and replace previous code with this: 

 
############# login alert START
# Trusted source: the reverse DNS name (or IP) your own logins come from.
S1='XX-XX-XXX-XX.isp.local.domain.com'
# Source of the current session: the text between parentheses in 'who -m'.
S2=`who -m | cut -d"(" -f2 | cut -d")" -f1`
# Quote both sides so an empty or multi-word value cannot break the test;
# the spaces after [ and before ] are required.
if [ "$S1" != "$S2" ]
then
echo 'ALERT - SSH access (root):' `date` `who -m` | mail -s "SSH access (root) from `who -m | awk '{print $NF}'`" me@gmail.com
fi
############# login alert END
 

Save and Exit.

Now, copy, paste and execute this command on your system

who -m | cut -d"(" -f2 | cut -d")" -f1

At the output you'll get something like this in return:

[root@vps ~]# who -m | cut -d"(" -f2 | cut -d")" -f1
XX-XX-XXX-XX.isp.local.domain.com
[root@vps ~]#
 

That 'XX-XX-XXX-XX.isp.local.domain.com' is your reverse IP, i.e. the reverse DNS name of the address you are connecting from (if the address has no reverse record, the bare IP appears there instead).

Copy it to clipboard (Remeber? By selecting the text only)

Now edit the .bashrc file again and change the first line

S1='XX-XX-XXX-XX.isp.local.domain.com'

to your reverse IP:

S1='your rev IP'

Save and Exit. And re-log to see if it's working. Remember that you don't get an e-mail alert if you log in from the same IP that you entered into the script. Keep in mind that this only filters out your own noise: the name comes from reverse DNS, so it decides whether you get mail, not who may log in.
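The same alert and allow-list idea can be written so that it does not depend on the column layout of 'who' at all. The following is an added example, not code from the original tutorial: it takes the client address from the SSH_CONNECTION variable that sshd sets ("client_ip client_port server_ip server_port"), falls back to the utmp record of the current terminal for non-SSH logins, and sends mail only when the client is not on a trusted list. The names TRUSTED_SOURCES, ALERT_MAILTO and the addresses in them are constructed placeholders; set them to your own values.

```shell
# Added example (not from the original tutorial): root-login alert for ~/.bashrc
# that reads the client address from SSH_CONNECTION instead of parsing 'who'.
# TRUSTED_SOURCES and ALERT_MAILTO are constructed placeholders.
TRUSTED_SOURCES='203.0.113.5 192.0.2.10'   # your own static IP(s); SSH_CONNECTION carries addresses, not names
ALERT_MAILTO='me@example.com'               # where the alert should go

# Print the client address held in an SSH_CONNECTION string ($1), or an empty
# line when the string is empty (this is not an SSH session).
ssh_client_addr() {
    set -- $1                 # split on whitespace: client_ip is the first word
    printf '%s\n' "${1:-}"
}

# Succeed when the client ($1) appears in the space-separated allow-list ($2).
is_trusted() {
    for trusted in $2; do
        [ "$1" = "$trusted" ] && return 0
    done
    return 1
}

# One-line subject: which account ($2), on which host ($3), from which client ($1).
alert_subject() {
    printf 'SSH access (%s) on %s from %s\n' "$2" "$3" "$1"
}

# Decide whether this shell warrants an alert and send it.
login_alert() {
    client=$(ssh_client_addr "${SSH_CONNECTION:-}")
    # Not an SSH session (console, 'su -'): fall back to this terminal's utmp
    # record, the text 'who -m' prints in parentheses, if any.
    [ -n "$client" ] || client=$(who -m 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
    [ -n "$client" ] || client='local'
    is_trusted "$client" "$TRUSTED_SOURCES" && return 0
    subject=$(alert_subject "$client" "$(id -un)" "$(hostname)")
    {
        printf 'ALERT - %s\n' "$subject"
        printf 'Time:     %s\n' "$(date)"
        printf 'Sessions:\n'
        who
    } | mail -s "$subject" "$ALERT_MAILTO"
}

# Run only in interactive shells: bash on Red Hat and Debian style systems also
# reads .bashrc when sshd runs a non-interactive command (scp, rsync over ssh).
case $- in
    *i*) login_alert ;;
esac
```

Because the decision logic lives in small functions, you can check it from a normal shell without sending any mail: call ssh_client_addr and is_trusted with sample values and look at the result, then put the whole block into .bashrc once it behaves as expected.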

 

Some cool info upon login

Copy and paste these three blocks of code into the .bashrc file:

 
############# Definitions START
# ANSI colour codes used by the ii function below (lower case = normal,
# upper case = bold); NC switches the colour back off.
red='\e[0;31m'
RED='\e[1;31m'
blue='\e[0;34m'
BLUE='\e[1;34m'
cyan='\e[0;36m'
CYAN='\e[1;36m'
NC='\e[0m'
##
# Coloured prompt: [user@host][working dir] on one line, '$' on the next.
# The escape sequences are wrapped in \[ ... \] so bash does not count them as
# printed characters (otherwise long command lines wrap in the wrong place).
export PS1="\n\[\e[1;37m\][\[\e[0;32m\]\u\[\e[0;35m\]@\[\e[0;32m\]\h\[\e[1;37m\]]\[\e[1;37m\][\[\e[0;31m\]\w\[\e[1;37m\]]\n$ "
############# Definitions END

############# info function START
function ii() # Get current host related info.
{
echo -e "You are logged on ${CYAN}" ; hostname
echo -e "${RED}Additional information:$NC " ; cat /etc/redhat-release; uname -a
echo -e "${RED}Users logged on:$NC " ; w -h
echo -e "${RED}Current date :$NC " ; date
echo -e "${RED}Machine stats :$NC " ; uptime
echo -e "${RED}Memory stats :$NC " ; free
echo -e "${RED}Open connections :$NC "; netstat -pan --inet;
echo
}
############# info function END

############# Execution START
# Only for interactive shells: on Red Hat style systems bash also reads
# .bashrc for non-interactive remote commands (scp, rsync over ssh), and
# any output there corrupts their data stream.
case $- in
*i*) clear ; ii ;;
esac
############# Execution END
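The banner above hard-codes escape sequences and assumes an interactive terminal. As an added example (not the tutorial's own code), here is the same login information written so that it is safe to source from .bashrc on systems where bash also reads that file for non-interactive remote commands: output is produced only in an interactive shell whose stdout is a terminal, colours come from tput and are left empty when there is no usable terminal, and the connection list uses ss when netstat is not installed. The function names flags_interactive, colour and socket_tool are mine, not from the page.

```shell
# Added example (not from the original tutorial): a login banner that stays
# quiet for scp/rsync and works without hard-coded escape sequences.

# Succeed when a shell-flag string ($1, normally "$-") marks an interactive shell.
flags_interactive() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the terminal escape for a colour name, or nothing when stdout is not a
# terminal (so redirected or piped output contains no escape garbage).
colour() {
    [ -t 1 ] || return 0
    case "$1" in
        red)   tput bold 2>/dev/null; tput setaf 1 2>/dev/null ;;
        cyan)  tput bold 2>/dev/null; tput setaf 6 2>/dev/null ;;
        reset) tput sgr0 2>/dev/null ;;
    esac
}

# Name of the available socket-listing tool: 'ss' on current systems,
# 'netstat' on older ones, nothing if neither is installed.
socket_tool() {
    if command -v ss >/dev/null 2>&1; then printf 'ss\n'
    elif command -v netstat >/dev/null 2>&1; then printf 'netstat\n'
    fi
}

# Host information at login (same content as the tutorial's ii function).
ii() {
    r=$(colour red) c=$(colour cyan) n=$(colour reset)
    printf '%sYou are logged on %s%s\n' "$c" "$(hostname)" "$n"
    printf '%sAdditional information:%s\n' "$r" "$n"
    if [ -r /etc/redhat-release ]; then cat /etc/redhat-release
    else sed -n 's/^PRETTY_NAME=//p' /etc/os-release 2>/dev/null; fi
    uname -a
    printf '%sUsers logged on:%s\n' "$r" "$n"; w -h
    printf '%sCurrent date:%s\n' "$r" "$n"; date
    printf '%sMachine stats:%s\n' "$r" "$n"; uptime
    printf '%sMemory stats:%s\n' "$r" "$n"; free
    printf '%sOpen connections:%s\n' "$r" "$n"
    case "$(socket_tool)" in
        ss)      ss -tunap ;;
        netstat) netstat -pan --inet ;;
    esac
    echo
}

# Show the banner only in an interactive shell whose stdout is a terminal.
if flags_interactive "$-" && [ -t 1 ]; then
    clear
    ii
fi
```

Sourced from .bashrc, this prints the banner for an SSH terminal login and nothing at all for 'scp file root@vps:' or an rsync run, where the guard condition is false.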
 

so the structure of the .bashrc file will now look like this:

# .bashrc

# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

############# Definitions START
...
############# Definitions END

############# info function START
...
############# info function END

############# Execution START
...
############# Execution END

############# login alert START
...
############# login alert END


# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
 

Save and Exit. And re-log. Nice?