Have almost forgotten how fun it is to mess around with a Linux server. Building another Linux server did indeed bring back some memories 😛
This is another scratchpad post: little to no explanation/breakdown on the script involved (unless there’s the “impetus” to elaborate in future). Feel free to ask/discuss in the comments section below though.
Any user who logs in should trigger the sending of the notification email from the server immediately, and if it wasn’t an expected login, well at least you’d know it’s time to trigger some incident response processes.
As an improved version of the old post on the same topic, this script is likewise meant to be appended to /etc/profile or the relevant ~/.bash_profile per user.
# Mail an alert with whois and reverse-DNS details for each remote login source.
# cut -s skips local sessions, whose who lines carry no "(host)" field.
echo -e "$(hostname) shell access\n$(date)\n$(who)\n\
$(for i in $(who|cut -s -d"(" -f2|cut -d")" -f1|cut -d":" -f1|sort -u); do echo -e "==========\nwhois $i"; whois "$i"; echo -e "\n=====\nreverse $i"; dig -x "$i"; done;)" | \
mail -s "$(hostname) alert: shell access from \
$(who|cut -s -d"(" -f2|cut -d")" -f1|cut -d":" -f1|tr "\n" " ")" \
'email@example.com'
The changes are the addition of whois and reverse IP (DNS PTR) lookups for all IP addresses currently logged on via SSH, and the use of the more readable $() Bash command substitution expansion rather than the backtick (
You will need to have installed the mailutils package (apt-get install mailutils), and probably an MTA like postfix or exim too.
Edit 30 Apr 2012: small bug fix in the sequence to extract all IPs from the who command output.
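A stricter way to extract the login sources from who before handing them to whois and dig, as an added example that is not part of the original script: it skips local sessions, keeps IPv6 addresses intact (the cut on ":" would truncate them), and drops anything that is not shaped like an address or hostname. The function names remote_hosts and lookup_report and the sample who lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validated extraction of remote login sources from `who`.
# SAMPLE_WHO is constructed test input, not output captured from a real host.
SAMPLE_WHO='alice  pts/0  2012-04-30 10:15 (203.0.113.7)
bob    tty1   2012-04-30 09:02
carol  pts/1  2012-04-30 10:20 (:0)
dave   pts/2  2012-04-30 10:21 (203.0.113.7)
erin   pts/3  2012-04-30 10:22 (2001:db8::1)
frank  pts/4  2012-04-30 10:23 (host.example.net)
grace  pts/5  2012-04-30 10:24 (198.51.100.9:S.0)
heidi  pts/6  2012-04-30 10:25 (-not-a-host)'

# remote_hosts (hypothetical name): read `who` output on stdin and print each
# distinct remote address or hostname once.
remote_hosts() {
    awk '
    $NF ~ /^\(.+\)$/ {                      # only lines ending in "(source)"
        h = substr($NF, 2, length($NF) - 2) # strip the parentheses
        colons = gsub(/:/, ":", h)          # count colons without changing h
        if (colons == 1) sub(/:.*/, "", h)  # host:display -> host, ":0" -> ""
        if ((colons > 1 && h ~ /^[0-9A-Fa-f:.]+$/) ||          # IPv6-shaped
            h ~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/)   # IPv4 or hostname
            print h
    }' | LC_ALL=C sort -u
}

# lookup_report (hypothetical name): whois and reverse-DNS section per source,
# in the same layout as the original script. Needs network access.
lookup_report() {
    who | remote_hosts | while IFS= read -r h; do
        printf '==========\nwhois %s\n' "$h"; whois "$h"
        printf '\n=====\nreverse %s\n' "$h"; dig -x "$h"
    done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WHO" | remote_hosts
```

In the alert itself, $(lookup_report) can take the place of the inline for loop, and $(who | remote_hosts | tr "\n" " ") the place of the cut chain in the subject line.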