Swanand: Email Alert on Root SSH Login Attempts

So are you wondering how to set notification when someone or attacker tries to break-in to your SSH server?

Ofcourse, we can just check /var/log and check several files like secure, messages, lastlog, wtmp, btmp, and everything. We can take a look at the secure file for any Failed attempts known as SSH bruteforcing, or maybey in messages file for FTPD bruteforcing attempts.

But,, what if in a worst case, the attacker successfully gained access to your SSH server?? That will be a real bad disaster. Also, the attacker is not fool person, he/she will try to remove any traces on the server, so that the root administrator doesn’t notice any changes or suspicious login. The attacker can just remove all logs found in the /var/log by deleting them or emptying the log files. Since, most of Linux servers save anything logs in this area.

We are just human, not a robot. So how can we know at the early that our server is being bruteforced or if someone/attacker sucessfully breached the very front of server login?

First, make sure syslog daemon is running, if it’s not, start it with:

$ /etc/init.d/syslogd restart

Follow these steps:

1/ Login into server via SSH2 login

2/ What we want to check are “secure” & “messages” files in /var/log. We want to check both for failed and success login.

- “secure” file in failed SSH login will contains string like “Failed password for”
- “secure” file in success SSH login will contains string like “Accepted password for”
- “messages” file in failed SSH/FTPD login will contains string like “Authentication failed for”
- “messages” file in success SSH/FTPD login will contains string like “is now logged in”

We can check for those strings manually with this command:

$ cd /var/log $ find secure | xargs grep -s "Accepted password for" $ find secure | xargs grep -s "Failed password for" $ find messages | xargs grep -s "is now logged in" $ find messages | xargs grep -s "Authentication failed for"

Note that, we can use in-sensitive case when using grep command, just change “grep -s” to “grep -si”.

Those commands above are for manual check, but this time we want to join all those commands in an automatic way and then send the results to our mail via sendmail function.

3/ In /root directory, there’s a .bashrc file, edit it using nano or pico.

$ cd /root $ nano .bashrc

This .bashrc file will look something like this:

# .bashrc

# User specific aliases and functions

alias rm=’rm -i’
alias cp=’cp -i’
alias mv=’mv -i’

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
Note: .bashrc in yours may differ with this sample.

Then, add these commands at the bottom.

touch mailnotify.txt echo "To: [your.email]@[any-mail-server].com" > mailnotify.txt echo "From: SSH-Login-Alert@[your-server].com" >> mailnotify.txt echo "Subject: SSH Login" >> mailnotify.txt echo "" >> mailnotify.txt echo "SECURE LOGS" >> mailnotify.txt cat /var/log/secure | grep -s "Accepted password for" >> mailnotify.txt echo "" >> mailnotify.txt cat /var/log/secure | grep -s "Failed password" >> mailnotify.txt echo "" > mailnotify.txt echo "MESSAGES LOGS" >> mailnotify.txt cat /var/log/messages | grep -s "is now logged in" >> mailnotify.txt echo "" >> mailnotify.txt cat /var/log/messages | grep -s "Authentication failed for" >> mailnotify.txt echo "" >> mailnotify.txt /usr/sbin/sendmail -t < mailnotify.txt rm -rf mailnotify.txt

So, our .bashrc will look like this:

# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi

$ source .bashrc

Now, everytime there’s an attempt of SSH login, both failed or success, we will be emailed automatically from our server, even your own success login.

Important Note: Since, there maybey hundreds of SSH failed login attempts to our server every day, and the sendmail will automatically sends mail of every attempts, and that sendmail function has a limited way of sending mail (default about 30 seconds/sending). We don’t want to make our server get heavy loads because of mail sending process and to avoid our mail server being blocked or blacklisted as a spamming server, then we should set the command above to separate file and then set it in a cronjob task.

So how to do it?

1/ Make directory in /root, eg: notify. Then create bash script file named “servernotify”.

$ cd /root
$ mkdir notify
$ nano servernotify

2/ Copy that command above to “servernotify” file.

#!/bin/bash
touch mailnotify.txt
echo "To: [your.email]@[any-mail-server].com" > mailnotify.txt
echo "From: SSH-Login-Alert@[your-server].com" >> mailnotify.txt
echo "Subject: SSH Login" >> mailnotify.txt
echo "" >> mailnotify.txt
echo "SECURE LOGS" >> mailnotify.txt
cat /var/log/secure | grep -s "Accepted password for" >> mailnotify.txt
echo "" >> mailnotify.txt
cat /var/log/secure | grep -s "Failed password" >> mailnotify.txt
echo "" > mailnotify.txt
echo "MESSAGES LOGS" >> mailnotify.txt
cat /var/log/messages | grep -s "is now logged in" >> mailnotify.txt
echo "" >> mailnotify.txt
cat /var/log/messages | grep -s "Authentication failed for" >> mailnotify.txt
echo "" >> mailnotify.txt
/usr/sbin/sendmail -t < mailnotify.txt
rm -rf mailnotify.txt

Then save it and make it executable with chmod +x servernotify.

3/ Set cronjob task for executing that bash script file above every 30 mins (if you’re paranoid). I recommend to set sending mail more than 30 mins per sending.

$ crontab -e

Set cron task:

*/30 * * * * /bin/bash /root/notify/servernotify > /dev/null 2>&1

Save the crontab.

Ok, now all things have been set up. Just wait in your mail for every SSH/FTPD login attempts on your server.

Swanand

Wednesday 16 October 2013

Email Alert on Root SSH Login Attempts

No comments:

Post a Comment

Featured post

Vicidial With WebRTC

Pages

Search This Blog