I encountered a challenge today where a Linux server was compromised. The server is sitting directly on the internet, no firewall, iptables, anything… It’s that way for a reason.. Had email notification of a successful login been in place, we’d have known earlier that something was amiss…

At any rate, there are a couple of users that log into this server on occasion for various reasons… We found that it would be useful to know who/when/where in the event of a login. There are a number of ways to do this.. this works for me.

Here are a few lines that I found useful for this notification process. Append them to the end of “/etc/profile” and you’ll get an email notification when someone logs onto the server.

For Debian-based systems…

# Subject line and recipient; replace the placeholder address with your own
SUBJECT="Logon to $HOSTNAME by $USER"
EMAIL=youraddress@yourdomain.tld
# Temporary file holding the current session list from w(1)
EMAILMESSAGE="$HOME/emailmessage.txt"
w > "$EMAILMESSAGE"
# sendemail reads the message body from stdin when -m is not given;
# quote the subject so spaces in it are not split into extra arguments
/usr/bin/sendemail -q -f "$USER@$HOSTNAME" -t "$EMAIL" -u "$SUBJECT" < "$EMAILMESSAGE"


For Red Hat-based systems… (CentOS, etc.)

# Subject line and recipient; replace the placeholder address with your own
SUBJECT="Logon to $HOSTNAME by $USER"
EMAIL=youraddress@yourdomain.tld
# Temporary file holding the current session list from w(1)
EMAILMESSAGE="$HOME/emailmessage.txt"
w > "$EMAILMESSAGE"
# mutt sends non-interactively when the body arrives on stdin
mutt -s "$SUBJECT" "$EMAIL" < "$EMAILMESSAGE"
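As an added example (not code from the original post), here is the same /etc/profile idea with the who/when/where the post asks for pulled from the login environment, a per-login temp file instead of a fixed path in $HOME, and a guard so non-interactive shells (scp, sftp, cron) stay quiet. It assumes a `mail` command (mailx) is installed; the address is the post's placeholder and `build_login_report`/`notify_login` are names chosen here.

```shell
#!/bin/sh
# Added example: login notification snippet for /etc/profile.
# Assumes a BSD/GNU 'mail' (mailx) binary; address is a placeholder.
ALERT_TO="${ALERT_TO:-youraddress@yourdomain.tld}"

# Build the report text. Arguments: user, host, SSH_CONNECTION value (may be empty).
# SSH_CONNECTION is set by sshd as "client_ip client_port server_ip server_port".
build_login_report() {
    _user="$1"; _host="$2"; _conn="$3"
    _from="local console/tty"
    if [ -n "$_conn" ]; then
        set -- $_conn   # intentional word splitting into the four fields
        _from="$1 (port $2) -> $3:$4"
    fi
    printf 'Login to %s by %s\n' "$_host" "$_user"
    printf 'When: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    printf 'From: %s\n' "$_from"
    printf 'TTY:  %s\n' "$(tty 2>/dev/null || echo unknown)"
    # Current sessions, the same w(1) output the original post mails
    if command -v w >/dev/null 2>&1; then printf '\nSessions:\n'; w 2>/dev/null; fi
}

# Mail the report; runs only for interactive shells so scp/sftp/cron do not trigger it.
notify_login() {
    case "$-" in *i*) ;; *) return 0 ;; esac
    _host="${HOSTNAME:-$(hostname)}"     # dash does not export HOSTNAME by default
    _msg=$(mktemp) || return 1           # private per-login file, not a fixed path
    build_login_report "$USER" "$_host" "$SSH_CONNECTION" > "$_msg"
    if command -v mail >/dev/null 2>&1; then
        mail -s "Logon to $_host by $USER" "$ALERT_TO" < "$_msg"
    fi
    rm -f "$_msg"
}
notify_login
```

Note that /etc/profile only runs for interactive login shells, so a session that never starts one (a forwarded command, a non-login shell, or a user who edits their own profile) produces no mail; treat the alert as a convenience and keep sshd's auth log as the authoritative record.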