Keys

Yeah, maybe I am a bit paranoid, but I want to know in real time who logs into my machines and from which address.
Since logging that to a file is too insecure (anyone who gets control of the machine can delete any file he wants), I built a script that sends me an alert e-mail each time a user logs in.

The script is quite simple:

#!/bin/bash

# Collect the facts about this login.
LOG_USER="$( whoami )"
LOG_DATE="$( date )"
OUT_WHO="$( who )"
# Address that receives the alert.
NOTIFY_ADDR="myuser@myprovider.com"

# Build the message body and pipe it to mail.
(
cat <<EOF
Login notification on server.

Server: $(hostname)
User: ${LOG_USER}
Date: ${LOG_DATE}

-- Logged in users -----------------------------------------------------
${OUT_WHO}
------------------------------------------------------------------------

-- Uptime --------------------------------------------------------------
$(uptime)
------------------------------------------------------------------------

EOF
) | /usr/bin/mail -s "[LOGIN-NOTIFY] $(hostname) Login of ${LOG_USER} on ${LOG_DATE}" -a "From: Login Notify <security@myserver.com>" "${NOTIFY_ADDR}"

Of course, you can add the output of more commands inside the here-document (between <<EOF and the closing EOF) if you want, e.g. to know which ports are open and which processes are running.

Once you have placed the script somewhere, add it to a file executed on user login, such as ~/.profile or /etc/profile.

(Of course, you must have a configured mail server installed in order to send e-mails from your server.)
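The script above reports the source address only indirectly, through the full `who` table. As an added example (not part of the original script), the helpers below put the address of the session that triggered the alert into the subject line, taken from the `SSH_CONNECTION` variable that OpenSSH's sshd sets, and strip control characters from every header value. The function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original author's code. Function names are hypothetical.

# sshd exports SSH_CONNECTION as:
#   "<client_ip> <client_port> <server_ip> <server_port>"
# Print the client address, "local" when the variable is empty
# (console or su login), or "invalid" when the first field contains
# characters that cannot occur in an IPv4/IPv6 literal.
login_source() {
    conn=$1
    addr=${conn%% *}                      # first space-separated field
    case $addr in
        '')                 echo local ;;
        *[!0-9A-Za-z:.%]*)  echo invalid ;;
        *)                  echo "$addr" ;;
    esac
}

# Remove CR, LF and other control characters so that a value can never
# start a new header line in the outgoing mail.
header_safe() {
    printf '%s' "$1" | tr -d '[:cntrl:]'
}

# Arguments: host, user, raw SSH_CONNECTION value, date.
alert_subject() {
    printf '[LOGIN-NOTIFY] %s Login of %s from %s on %s' \
        "$(header_safe "$1")" "$(header_safe "$2")" \
        "$(login_source "$3")" "$(header_safe "$4")"
}

# In the notification script the call would be:
#   alert_subject "$(hostname)" "${LOG_USER}" "${SSH_CONNECTION-}" "${LOG_DATE}"

# Demonstration with a constructed value (documentation address ranges).
SAMPLE_CONN='203.0.113.7 51514 192.0.2.10 22'
alert_subject server1 alice "$SAMPLE_CONN" 'Mon Jan  1 10:00:00 UTC 2024'
echo
```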
