E-mail Alert on Root SSH Login Published: Dec 08, 2003

Rating

4/5

Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins.

Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server your sending the alert from.

So lets get started!

1. Login to your server and su to root, I know the irony!

2. cd /root

3. pico .bashrc

4. Scroll to the end of the file then add the following:
echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]

Replace YourServerName with the handle for your actual server
Replace [email protected] with your actual email address

5. Crtl + X then Y

Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert a few minutes afterwards.

Note: This is a great tool for servers that have multiple admins or if you give someone SSH access for whatever reason, although you should give out the root password to as few people as humanly possible and be sure to change it often.

This will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH because they will create their own SSH/telnet connection. You should keep your system up to date, install a firewall and follow the latest security releases.

Rating

4/5

1 2 3 4 5

Rate it!

Comments (16)

Edward 07:05, December 9, 2003

Loved it worked like a charm, but I had to make the entire code into one line instead of a 3 line code not sure why.
Chris 22:34, December 19, 2003

I am trying to do this but get a mail command not found when I login after doing this. cpanel/RH9

Any ideas what I might be doing wrong?
C0NIk 17:15, March 16, 2004

it's cool one but sometime dont work with the Red Hat Entrprise 3

so if it didnt work it will be easy to install LogWatch
Jimmy B Silva II 10:20, March 27, 2004

Make sure you put in a single line like Edward did. It should work for Red Hat Enterprise 3
jad madi 15:46, May 20, 2004

use echo -n for better
so none will notice that there is a monitoring for login
JLChafardet 19:36, November 2, 2004

It worked like charm on my RHEL ES3 box, will see if it sends mails every root try. 
 
any way it is most recomended that you forbid direct root logins.
Holoken 20:53, July 17, 2005

If the attacker's clever then it won't work. Instead of logging in like Joe Admin would, he'll tell ssh to execute the following command: "ssh [email protected] /bin/bash --noprofile --norc". This'll bypass the mail-sending script in /root/.bashrc, and we'll be none the wiser. 
 
Put it instead in /root/.ssh/rc which is executed before any command (including any login shell) is run. This way the attacker's login will not go undetected even if he uses the above method to get in.
Arif Kanji 19:22, August 9, 2005

Awesome! 
How do u code to get alerts only for users who have entered incorrect username and/or password? 
 
Thanx
Clayton 21:40, October 23, 2005

Hi, 
I couldn't see .bashrc anywhere in my /root what should i do. 
 
Thanks 
Regards, 
CEO NightShells.NeT
BitSurFer 16:38, July 11, 2006

somthing wrong!! 
when i login i get this error 
---------------------------- 
cut: you must specify a list of bytes, characters, or fields 
Try `cut --help' for more information. 
-bash: -f1: command not found 
----------------------------
Dave 16:55, March 15, 2007

BitSurFer, 
 
Try replacing: 
`who | cut -d"(" -f2 | cut -d")" -f1` 
 
with: 
`whoami` 
 
It should do the same thing.
JACOB 10:50, April 10, 2008

I CAN'T SEE WHERE IT IS WRITTEN - "echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]"
Phil 17:29, May 15, 2008

For FreeBSD users, edit the /root/.cshrc file and add the line as follows: 
 
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `whoami`" [email protected] 
 
This should all be one line and should probably be added to the end of the file.
Paul Brady 21:11, September 9, 2008

I can only get this tip to work if I enter: 
# source .bash_profile 
 
to source the file. When I do that, I get an email. When I log out, however, and then log back in (using su) I get no alert by email. 
Am I missing something? I've been banging my head on the wall for hours. Can someone help? :-)
ubaid 00:49, September 23, 2008

can we add the IP address of the machine whom we login or just like the message we get when we login to root user
ericinwisconsin 15:59, July 1, 2009

An elegant solution, yes, but also prevent root from logging in at all. Add this line: 
 
AllowUsers username 
 
to your sshd_config file. 
 
For us Debian (and probably Ubuntu) users, the file it at /etc/ssh/sshd_config 
 
You can issue an "su" command to become root. I NEVER allow root direct ssh access to a box, but I do also use the technique on this page to make sure. I also limit ssh access only from certain other boxes on important servers and routers.

Best-Selling Hosting

Top Rated Providers

Editors Pick

E-mail Alert on Root SSH Login Published: Dec 08, 2003

Rating

4/5

Rating

Rating

Rate it!

Related Articles

Comments (16)

Add Your Thoughts

Best-Selling Hosting

Top Rated Providers

Editors Pick

E-mail Alert on Root SSH Login Published: Dec 08, 2003 Rating 4/5

Rating

Rating

Rate it!

Related Articles

Comments (16)

Add Your Thoughts

E-mail Alert on Root SSH Login Published: Dec 08, 2003

Rating

4/5