Email notification on login
The purpose of this configuration is that you are notified by e-mail as soon as someone has successfully logged in to the server. This is an optional setting and especially interesting for security fanatics.
A few tasks come together for this, but overall it's not a big deal. We will install Sendmail, create a shell file and make it known to the SSH service.
If this is not important to you, you can skip it.
Sendmail installieren
In order for our server to be capable of sending emails, we install the mail transfer agent Sendmail.
We'll look at Linux's package management system (apt
) in more detail in the next chapter Update Linux server, so we'll run the installation without further explanation at this point.
Install Sendmail with apt
:
__$ sudo apt install sendmail -y
After installation we run sendmailconfig and confirm all settings with y
:
__$ sudo sendmailconfig
Accept all with y
:
Configure sendmail with the existing /etc/mail/sendmail.conf? [Y] y
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Writing configuration to /etc/mail/sendmail.conf.
Writing /etc/cron.d/sendmail.
Configure sendmail with the existing /etc/mail/sendmail.mc? [Y] y
Updating sendmail environment ...
...
Reload the running sendmail now with the new configuration? [Y] y
...
You can test sendmail with this line. Just put your email address instead of mail@example.com
:
__$ echo "Subject: sendmail test" | /usr/sbin/sendmail -v mail@example.com
Create shell file
We need an executable file that is triggered as soon as a login to the server has taken place. This shell file gathers some data, such as the client's IP, server time, etc. and then sends it to a specified email address using Sendmail.
We first create the file /etc/ssh/login-mail-notification.sh
:
__$ sudo nano /etc/ssh/login-mail-notification.sh
Here's what we copy in:
/etc/ssh/login-mail-notification.sh
#!/bin/sh
if [ "$PAM_TYPE" != "close_session" ]; then
ADMINMAIL=mail@example.com
IP="$(echo $SSH_CONNECTION | cut -d " " -f 3)"
PORT="$(echo $SSH_CONNECTION | cut -d " " -f 4)"
SUBJECT="SSH on $(hostname) - $PAM_USER@$IP:$PORT - IP: $PAM_RHOST"
sudo /usr/sbin/sendmail $ADMINMAIL <<EOF
Subject: $SUBJECT
$(date +"%e %b %Y, %a %r")
------------------------------------
$(env)
EOF
fi
Replace the sample address (mail@example.com
) with your email address. And as usual, save and close. (CTRL+s
, CTRL+x
).
So the condition is if [ "$PAM_TYPE" != "close_session" ]
. Which means something like: if the $PAM_TYPE
is not close_session
. Then a login has probably occurred.
The file /etc/ssh/login-mail-notification.sh
is basically just a text file. To make it executable, we run the following chmod
command:
__$ sudo chmod +x /etc/ssh/login-mail-notification.sh -v
Run shell file from SSH service
The PAM module (Pluggable Authentication Modules) is a central authentication system under Linux. We tell it when to execute our file.
Authentication services have their own configuration file under PAM. So let's open the appropriate file for SSH:
__$ sudo nano /etc/pam.d/sshd
And add the following two lines to the end:
Excerpt from /etc/pam.d/sshd
# sendmail on ssh login
session optional pam_exec.so seteuid /etc/ssh/login-mail-notification.sh
The first line is just a comment (# sendmail on ssh login
).
The second line executes /etc/ssh/login-mail-notification.sh
on login. If the condition if [ "$PAM_TYPE" != "close_session" ]
is true, then what is in the condition block is executed. Sendmail then sends out the email with the environment variables ($(env)
).
The complete file will look like this:
/etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
# sendmail on ssh login
session optional pam_exec.so seteuid /etc/ssh/login-mail-notification.sh
Test email notification
The test is still missing. For this we simply log off ...
__$ logout
... and on again.
If everything is configured correctly, you should receive an email from your server after logging in.