In today's digital age, where cybersecurity threats are rampant, safeguarding your Linux server against unauthorized access is crucial. One effective way to enhance security is by setting up email alerts for SSH logins. This guide will walk you through the process of configuring your virtual private server (VPS) to send email notifications for each successful SSH login attempt. This measure is particularly vital for servers exposed to the Internet, where the risk of hacking attempts is significantly higher.
Understanding the Risks
When you enable an SSH server on a VPS, it becomes accessible over the Internet. This exposure increases the likelihood of hacking activities, particularly if the server is still configured to use 'root' as the primary access method. Receiving immediate notifications of SSH logins can be a critical step in identifying and responding to unauthorized access.
Setting Up Email Alerts for SSH Logins
Step 1: Preparing Your Server
Install Necessary Packages: Before setting up email alerts, ensure that your system has the necessary packages. Postfix, a default Mail Transfer Agent (MTA), is essential for sending and receiving emails. Alongside Postfix, you'll need 'mailx' for sending emails.
For Debian/Ubuntu/Linux Mint:
apt install postfix
apt-get install mailx
For RHEL/CentOS/Fedora:
yum install -y postfix
yum install mailx
Step 2: Configuring Global Alert Settings
Edit Global Definitions (/etc/bashrc): This step ensures that both root and normal users will trigger alerts upon login.
Open /etc/bashrc using a text editor like vim:
vim /etc/bashrc
Add the following at the file's end, replacing “ServerName” with your server's hostname and “[email protected]” with your email address:
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Step 3: Configuring Alerts for Specific Users
Root User Alerts: To enable alerts specifically for the root user:
Edit the root user's .bashrc file:
vim .bashrc
Add the following at the end of /root/.bashrc:
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Normal User Alerts: For specific normal users (e.g., a user named 'green'):
Edit the user's .bashrc file:
vim /home/green/.bashrc
Add a similar line at the end of /home/green/.bashrc.
Testing the Configuration
After setting up the alerts, test the configuration to ensure it's working correctly:
Checking Email Alerts: Log into your server and then check the specified email inbox. You should receive an alert detailing the login attempt, including the timestamp and the source IP address.
If nothing has arrived in the mail, we check the logs. Usually, they are located in /var/log/maillog or /var/log/mail.log. This will help to determine if there are any problems with sending mail. And if such an error is observed, it is necessary to make settings at the DNS level of your domain and in the configuration of the Postfix mail server. You can read how to do this in this article.
Conclusion
Implementing email alerts for SSH logins on your Linux server is a straightforward yet powerful security measure. It not only keeps you informed of legitimate access but also acts as an early warning system against unauthorized attempts. Regularly monitoring these alerts can significantly enhance your server's security posture in an increasingly interconnected and vulnerable digital landscape.