SSH login alert with sendmail and PAM

One of the first things to take care of when you set up a Virtual Private Server (VPS) is security, and enabling SSH exposes you to a steady stream of attack attempts! Yep, the internet can be a wild and scary place sometimes!


An email alert whenever someone logs in to your server via SSH can be pretty useful for tracking who is actually using your server! But keep in mind that this trick alone is not enough to secure your server! Here are some more basic pieces of advice before we see how to set up our SSH alert:

Layered security is the key!
  • Disable SSH login for the root user;
  • Change your default SSH port (22): it can cut your chance of being attacked by 98%, since recon bots look for IP addresses with the default ports of services like SSH open;
  • Use fail2ban to prevent brute-force attacks on your new SSH port: it provides an automated way to identify a possible break-in and acts on it quickly with a pitiless ban!
  • If you want to keep password access over SSH, increase your security with port knocking or 2FA; otherwise switch to SSH keys.

Now let’s go back to the main topic. The article is divided into 2 parts:

  1. Setup and get sendmail ready;
  2. How to get an email alert on an SSH login using sendmail and PAM;

1: Setup and get sendmail ready:

Sendmail is an MTA (mail transfer agent) that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.

On my VPS I use Debian 9, so let’s see how to set up sendmail:

Installation:

$ sudo apt-get install sendmail
# check where sendmail was installed
$ sudo which sendmail
# output: /usr/sbin/sendmail
# check if sendmail is running
$ ps -xa | grep sendmail | grep -v grep
# output: 2503 ? Ss 0:00 sendmail: MTA: accepting connection

now, we can test sendmail using this command:

$ echo "Subject: test" | sudo sendmail -v your@email.com
# mail delivery usually happens in the background; the -v option enables verbose logging for debugging purposes.

Troubleshooting:

Don’t be depressed like Marvin, you may find your answer here!

If you run into issues, chances are that the answer to your problem is in /var/log/mail.err .

  • Make sure that no other application is interfering with sendmail:
    other mail services/agents could interfere with sendmail. Check whether any of sendmail’s default ports are in use by other applications with:
    sudo netstat -tulpn | grep -E -w '25|587' 
    If you get any results, remove or stop the application running on that port.
  • You must be able to accept incoming connections on localhost’s port 25:
    if you use a firewall (e.g. iptables), remember to open it! An easy way to test whether port 25 is open is:
    $ telnet localhost 25 
    If the response is “Connected”, everything is fine; otherwise you’ll have to open that port on your firewall.
  • Sendmail is slow to send mail: 
    check whether /var/log/mail.err contains this error: 
    yourDomainName sendmail[****]: My unqualified host name (yourDomainName) unknown; sleeping for retry
    To solve this issue, open your hosts file with vim or your favorite editor:
    $ sudo vim /etc/hosts 
    and change the first line like this:
    127.0.0.1 localhost localhost.localdomain yourDomainName 
    and save it!

2: How to get an email alert on a SSH login using sendmail and PAM:

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API).
tl;dr: PAM handles authentication for multiple services on Linux.

Let’s go and get our alert!

Each PAM-aware program gets a file in /etc/pam.d/. That file controls how PAM treats new connections and which rules apply for authentication: in our case, the OpenSSH server uses the file /etc/pam.d/sshd.
We can use this file to set up a script that runs whenever a login happens via SSH.

Shell Script that sends alerts with sendmail at login

Let’s create our script. You are free to choose where to put it, but here are some tips:

  1. create a new folder, /etc/pam.scripts : 
    $ sudo mkdir /etc/pam.scripts
  2. set the folder’s permissions to 0755 :
    $ sudo chmod 0755 /etc/pam.scripts
  3. create our script: $ sudo touch /etc/pam.scripts/ssh_alert.sh
  4. for security reasons, only the root user should be allowed to write and execute the script:
    $ sudo chmod 0700 /etc/pam.scripts/ssh_alert.sh 
    $ sudo chown root:root /etc/pam.scripts/ssh_alert.sh

now use your favorite editor to edit the file and copy and paste this:
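The author’s own script is not reproduced on this page. As an added example (not the author’s script), here is a POSIX sh version that does the job, assuming the paths used in this post (/etc/pam.scripts/ssh_alert.sh and /usr/sbin/sendmail) and a placeholder recipient your@email.com. It reads the variables that pam_exec.so exports into the environment (PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY, PAM_TYPE) and only sends mail on open_session, so the logout event, which hits the same session line in /etc/pam.d/sshd, does not produce a second email:

```shell
#!/bin/sh
# ssh_alert.sh: invoked by pam_exec.so from /etc/pam.d/sshd on every session
# event. pam_exec exports PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and
# PAM_TYPE into the environment; everything below is read from there.
# Added example, not the author's script. ALERT_TO is an assumed placeholder.
#
# Manual try-out without an actual login (as root):
#   PAM_TYPE=open_session PAM_USER=$USER PAM_RHOST=127.0.0.1 ./ssh_alert.sh

ALERT_TO="your@email.com"        # placeholder recipient: change before use
SENDMAIL="/usr/sbin/sendmail"    # path reported by `which sendmail` above

# pam_exec runs a "session" script twice per login: once with
# PAM_TYPE=open_session and again with PAM_TYPE=close_session on logout.
# Only the open_session call should send an alert.
should_alert() {
    [ "$1" = "open_session" ]
}

# Build the complete mail (headers, blank line, body) from explicit
# arguments so it can be inspected without a real login.
# Usage: build_alert USER RHOST SERVICE TTY HOST TIMESTAMP
build_alert() {
    printf 'To: %s\n' "$ALERT_TO"
    printf 'Subject: SSH login: %s@%s from %s\n\n' "$1" "$5" "$2"
    printf 'User:    %s\nFrom:    %s\nService: %s\nTTY:     %s\nHost:    %s\nTime:    %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Gather the PAM variables, hand the message to sendmail and always return 0:
# with "session required pam_exec.so", a non-zero exit here would make the
# whole PAM stack fail and deny the login, so a mail problem is logged to
# syslog instead of being propagated.
send_alert() {
    host=$(hostname 2>/dev/null || echo unknown)
    now=$(date '+%Y-%m-%d %H:%M:%S %Z')
    if ! build_alert "${PAM_USER:-unknown}" "${PAM_RHOST:-unknown}" \
                     "${PAM_SERVICE:-unknown}" "${PAM_TTY:-unknown}" \
                     "$host" "$now" | "$SENDMAIL" "$ALERT_TO"; then
        logger -t ssh_alert "could not send login alert for ${PAM_USER:-unknown}"
    fi
    return 0
}

if should_alert "${PAM_TYPE:-}"; then
    send_alert
fi
```

Copy it to /etc/pam.scripts/ssh_alert.sh with the ownership and permissions from the steps above. The always-zero exit status matters more than it looks: pam_exec reports a failure to PAM when the script exits non-zero, and a "required" session line that fails denies the login, so a broken mail setup would otherwise lock you out of your own server.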

Configuring /etc/pam.d/sshd

This is the final step — I know, finally 😄 — we are going to add a line at the end of /etc/pam.d/sshd

...
# SSH Alert script
session required pam_exec.so /etc/pam.scripts/ssh_alert.sh

(don’t forget to make sure that your script is executable)
Now, you can just log in via ssh to check if the alert works! 
You won’t need to restart any services, so just have fun!

Good job! And see you next!


Originally published at alessandrocudazzo.it on February 15, 2018.
