SSH login alert with sendmail and PAM
One thing that usually comes first when you set up a Virtual Private Server (VPS) is security, and enabling SSH exposes you to some hacking activity! Yep, the internet can be a wild and scary place sometimes!
An email alert when someone logs in to your server via SSH can be pretty useful to track who is actually using your server! But keep in mind that this trick is not enough to secure your server! Here is some more basic advice before we see how to set up our SSH alert:
Layered security is the key!
- Disable SSH login for root user
- Change your default SSH port (22): it can cut the chance of attacks by 98%, as recon bots look for IP addresses with open default ports for services like SSH;
- Use fail2ban to prevent brute-force attacks on your new SSH port: it provides an automated way to identify a possible break-in and acts on it quickly with a pitiless ban!
- If you want to increase your security with password access over SSH, use port knocking or 2FA; otherwise switch to SSH keys.
Now let’s go back to the main topic. The article is divided into 2 parts:
- Setup and get sendmail ready;
- How to get an email alert on an SSH login using sendmail and PAM;
1: Setup and get sendmail ready:
On my VPS I use Debian 9, so let’s see how to set up sendmail:
$ sudo apt-get install sendmail
# check your installation folder
$ sudo which sendmail
# check if sendmail is running
$ ps -xa | grep sendmail | grep -v grep
# output: 2503 ? Ss 0:00 sendmail: MTA: accepting connection
Now we can test sendmail using this command:
$ echo "Subject: test" | sudo sendmail -v firstname.lastname@example.org
# mail delivery usually happens in the background, but the -v option enables verbose logging for debugging purposes.
If you encounter some issues, chances are that the answer to your problems is in
- Make sure that no other application is interfering with sendmail:
Other mail services/agents could interfere with sendmail. Check whether any of sendmail’s default ports are in use by other applications with:
$ sudo netstat -tulpn | grep -E -w '25|587'
If you get any results please remove/stop the application running on that port.
- You must be able to accept incoming connections on localhost’s port 25:
If you use a firewall (e.g. iptables), remember to open the port! An easy way to test if port 25 is open is:
$ telnet localhost 25
If the response is “Connected”, then everything is fine, otherwise you’ll have to open that port on your firewall.
- Sendmail is slower to send mail:
Check whether /var/log/mail.err contains this error:
yourDomainName sendmail[****]: My unqualified host name (yourDomainName) unknown; sleeping for retry
To solve this issue, open your hosts file with vim or your favorite editor:
$ sudo vim /etc/hosts
and change the first line like this:
127.0.0.1 localhost localhost.localdomain yourDomainName
and save it!
2: How to get an email alert on a SSH login using sendmail and PAM:
A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API).
tl;dr PAM handles authentication for multiple services on Linux OS.
Each PAM-aware program creates a file in
/etc/pam.d/. This file controls how PAM treats new connections and which rules it follows for authentication: in our case, the OpenSSH server produces the file
We can use this file to set up a script that would run whenever a login happens via ssh.
Shell Script that sends alerts with sendmail at login
Let’s create our script. You are free to choose where to put it, but here are some tips:
- create a new folder in
$ sudo mkdir /etc/pam.scripts
- set folder’s permissions to
$ sudo chmod 0755 /etc/pam.scripts
- create our script:
$ sudo touch /etc/pam.scripts/ssh_alert.sh
- for security reasons, you should allow only the root user to write and execute the script:
$ sudo chmod 0700 /etc/pam.scripts/ssh_alert.sh
$ sudo chown root:root /etc/pam.scripts/ssh_alert.sh
Now use your favorite editor to edit the file and copy and paste this:
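The script below is an added example, not the author's original script. It relies on the PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE variables that pam_exec exports to the command it runs; the recipient address and the /usr/sbin/sendmail path are assumptions to adjust.

```shell
#!/bin/sh
# Added example: login alert for pam_exec (not the article's original script).
# pam_exec exports PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE.

# Assumptions: recipient address and sendmail path; adjust both.
ALERT_TO="${ALERT_TO:-admin@example.org}"
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"

# Keep only characters expected in user names, host names, IP addresses and
# tty paths, so a value can never inject extra header lines into the message.
clean() {
    printf '%s' "$1" | tr -cd '[:alnum:]._:@/-'
}

# Print a complete mail message (headers, blank line, body) on stdout.
build_alert() {
    user=$(clean "${PAM_USER:-unknown}")
    rhost=$(clean "${PAM_RHOST:-unknown}")
    service=$(clean "${PAM_SERVICE:-unknown}")
    tty=$(clean "${PAM_TTY:-unknown}")
    host=$(uname -n)
    printf 'To: %s\n' "$ALERT_TO"
    printf 'Subject: SSH login: %s from %s on %s\n' "$user" "$rhost" "$host"
    printf '\n'
    printf 'User:    %s\n' "$user"
    printf 'From:    %s\n' "$rhost"
    printf 'Service: %s\n' "$service"
    printf 'TTY:     %s\n' "$tty"
    printf 'Date:    %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
}

# Alert on session open only; pam_exec also runs the script on close_session.
should_alert() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# -t makes sendmail take the recipient from the To: header.
send_alert() {
    build_alert | "$SENDMAIL" -t
}

# Never return non-zero: with "session required" a failing script would
# make PAM refuse the login, e.g. when the mail system is down.
if should_alert; then
    send_alert || true
fi
```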
This is the final step — I know, finally 😄 — we are going to add a line at the end of
# SSH Alert script
session required pam_exec.so /etc/pam.scripts/ssh_alert.sh
(don’t forget to make sure that your script is executable)
Now, you can just log in via ssh to check if the alert works!
You won’t need to restart any services, so just have fun!
If you want to know more about PAM, I’d suggest you check these links:
When a PAM aware privilege granting application is started, it activates its attachment to the PAM-API. This activation…linux.die.net
Originally published at alessandrocudazzo.it on February 15, 2018.