Monitor all login attempts

Don't reinvent the wheel; let rsyslog do everything for you. It has the ability to send emails when patterns are matched in syslog messages before they ever hit a file.

Set your email address and SMTP server in the following, put it in your /etc/rsyslog.conf or drop it in /etc/rsyslog.d/, and restart rsyslog:

$ModLoad ommail
$ActionMailSMTPServer localhost
$ActionMailFrom [email protected]
$ActionMailTo [email protected]
$template mailSubject,"Login Alert on %hostname%"
$template mailBody,"\n\n%msg%"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 1
# the if ... then ... mailBody must be on one line!
if $msg contains 'session opened for user' then :ommail:;mailBody

This will fire off an email when rsyslog matches the string 'session opened for user' in a message.

You can look in /var/log/auth.log for messages from sshd to see what else you can use as patterns.

Source: rsyslog ommail


First, you should not rely on user's .profile because they can change it. If it's really your server, you could:

  • test for entries in auth.log, utmp or so periodically (or triggered by inotify)
  • write a wrapper for /bin/login, that does your things and then executes the real /bin/login. (I am not quite sure if e.g. ssh executes /bin/login, but I expect so.) But I can't recommend that - it's too dangerous.
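
The periodic auth.log check mentioned above, and the search for other usable sshd patterns, as an added example that is not part of either answer: it parses login events from the log and remembers a byte offset so each run only reads new lines. It assumes the traditional "Mon DD HH:MM:SS host prog[pid]:" line format; the function names and sample lines are constructed for illustration.

```python
import re

# Assumed line shape: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$")
# Messages written by pam_unix and OpenSSH's sshd.
PATTERNS = [
    ("session_opened", re.compile(r"session opened for user (?P<user>[^\s(]+)")),
    ("ssh_accepted", re.compile(
        r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")),
    ("ssh_failed", re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?"
                              r"(?P<user>\S+) from (?P<src>\S+)")),
]

# Constructed sample lines (documentation addresses, made-up host and users).
SAMPLE = """\
Mar  3 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Mar  3 10:15:09 web1 sshd[2215]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
Mar  3 10:15:09 web1 sshd[2215]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar  3 10:17:44 web1 sshd[2215]: pam_unix(sshd:session): session closed for user alice
Mar  3 10:20:00 web1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

def parse_line(line):
    """Return a dict describing a login event, or None for any other line."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for kind, pattern in PATTERNS:
        hit = pattern.search(m["msg"])
        if hit:
            return {"kind": kind, "time": m["time"], "host": m["host"],
                    "prog": m["prog"], **hit.groupdict()}
    return None

def scan(path, offset=0):
    """Parse lines appended since `offset`; return (events, new_offset)."""
    with open(path, "rb") as fh:
        if fh.seek(0, 2) < offset:   # file shrank: rotated or truncated
            offset = 0
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1      # leave a half-written last line for next run
    lines = data[:end].decode("utf-8", "replace").splitlines()
    return [e for e in map(parse_line, lines) if e], offset + end

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
```

In the sample, the cron line also contains 'session opened for user', so the `prog` field is what separates interactive sshd logins from scheduled jobs.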