As I’ve already stated in previous posts, I’m a bit of a paranoid server operator. I’m responsible for several servers that are sat out there on the big bad internet of things and I like to know what’s happening with them.
One of the biggest areas of concern is SSH access. Most people don’t bother tying it down tightly enough and the default install of most linux distros seem to leave it open to the general internet. I highly recommend restricting SSH connections to known IP addresses. Even having access in place doesn’t mean that your server is safe. Sometimes people who have access to the server can break stuff. For that reason I like to know who is connecting to the servers, especially if they can SU to root.
How cool would it be if your server would email you each time the root user logs in? Well it can and it’s fairly easy to set up. Here’s how.
Firstly you’ll need to install the MailX package if it isn’t already. To find out if you have it installed login in to your server as root and execute the following
# rpm -qa | grep mailx
If you have MailX installed, you should get a response something like this
mailx-12.4-7.el6.x86_64
If the command returns no output, you will need to install MailX:
# yum install mailx
Once MailX is installed, switch to your root directory and edit the .bashrc file.
# cd /root # vi .bashrc
Add the following line to the bottom of the .bashrc file. Be sure to replace ServerName with the actual name of your server and replace you@yourdomain.com with the email address that you want the alert sent to.
echo 'ALERT - Root Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Login/SU from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com
Once you’ve added the line, save and close the .bashrc file.
To test it’s working, logout and log back in to your server as root or as your user account and then su root. Congratulations, every time someone logs in to your server as root or SUs to root you’ll know.
If you would like to be notified of all user logins, there is another .bashrc file located in the /etc/ directory. Add the same line to this file.
Stay secure!