SSH login alert with sendmail and PAM

One thing that usually comes first when you set up a Virtual Private Server (VPS) is security, and enabling SSH exposes you to some hack activity! Yep, the internet can be a wild and scary place sometimes!


An email alert when someone logs in to your server via SSH can be pretty useful to track who is actually using your server! But keep in mind that this trick is not enough to secure your server! Here is some more useful basic advice before we see how to set up our SSH alert:

Layered security is the key!

  • Disable SSH login for root user

Now let’s go back to the main topic. The article is divided into 2 parts:

  1. Setup and get sendmail ready;

1: Setup and get sendmail ready:

Sendmail is an MTA (mail transfer agent) that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.

On my VPS I use Debian 9, so let’s see how to set up sendmail:

Installation:

$ sudo apt-get install sendmail
# check your installation folder
$ sudo which sendmail
# output: /usr/sbin/sendmail
# check if sendmail is running
$ ps -xa | grep sendmail | grep -v grep
# output: 2503 ? Ss 0:00 sendmail: MTA: accepting connection

Now, we can test sendmail using this command:

$ echo "Subject: test" | sudo sendmail -v your@email.com
# mail delivery usually happens in the background, but the -v option enables verbose logging for debugging purposes

Troubleshooting:

Don’t be depressed like Marvin, you may find your answer here!

If you encounter some issues, chances are that the answer to your problems is in /var/log/mail.err.

  • Make sure that no other application is interfering with sendmail:
    other mail services/agents could interfere with sendmail. Check if any of sendmail’s default ports are in use by other applications with:
    sudo netstat -tulpn | grep -E -w '25|587'
    If you get any results, please remove/stop the application running on that port.

2: How to get an email alert on a SSH login using sendmail and PAM:

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API).
tl;dr PAM handles authentication for multiple services on Linux OS.

Let’s go and get our alert!

Each PAM-aware piece of software creates a file in /etc/pam.d/. This file controls how PAM treats new connections and which rules it follows for authentication: in our case, the OpenSSH server produces the file /etc/pam.d/sshd.
We can use this file to set up a script that would run whenever a login happens via ssh.

Shell Script that sends alerts with sendmail at login

Let’s create our script. You are free to choose where to put it, but here are some tips:

  1. create a new folder in /etc/pam.scripts :
    $ sudo mkdir /etc/pam.scripts

Now use your favorite editor to edit the file, then copy and paste this:
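The author's script is not reproduced on this page. The following is an added example, not the original script, of what /etc/pam.scripts/ssh_alert.sh can look like; it assumes the PAM_* environment variables that pam_exec exports to the command, and the function names and the SENDMAIL override are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's script): SSH login alert run by pam_exec.
RECIPIENT="your@email.com"                    # placeholder address, as used on this page
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"    # path reported by `which sendmail` above

# Remove control characters (CR, LF, tab, ...) so that a value such as the
# remote host name cannot add extra header lines to the message.
clean() {
    printf '%s' "$1" | tr -d '\000-\037'
}

# Print the complete message (headers, blank line, body) on stdout.
build_alert() {
    user=$(clean "${PAM_USER:-unknown}")
    rhost=$(clean "${PAM_RHOST:-unknown}")
    svc=$(clean "${PAM_SERVICE:-unknown}")
    tty=$(clean "${PAM_TTY:-unknown}")
    host=$(hostname 2>/dev/null || echo unknown-host)
    printf 'To: %s\n' "$RECIPIENT"
    printf 'Subject: SSH login: %s from %s on %s\n\n' "$user" "$rhost" "$host"
    printf 'User:    %s\nFrom:    %s\nService: %s\nTTY:     %s\nTime:    %s\n' \
        "$user" "$rhost" "$svc" "$tty" "$(date)"
}

send_alert() {
    # A "session" rule runs the script on both open_session and
    # close_session; only a session opening is a login.
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0
    # With "session required", a non-zero exit status would reject the
    # login, so a mail failure must never propagate out of this function.
    build_alert | "$SENDMAIL" "$RECIPIENT" || true
    return 0
}

send_alert
```

To try it without logging in, run it as root with the variables set by hand, for example PAM_TYPE=open_session PAM_USER=test PAM_RHOST=192.0.2.1 /etc/pam.scripts/ssh_alert.sh, and watch /var/log/mail.err.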

Configuring /etc/pam.d/sshd

This is the final step — I know, finally 😄 — we are going to add a line at the end of /etc/pam.d/sshd

...
# SSH Alert script
session required pam_exec.so /etc/pam.scripts/ssh_alert.sh

(don’t forget to make sure that your script is executable)
Now, you can just log in via ssh to check if the alert works!
You won’t need to restart any services, so just have fun!

Good job! And see you next time!

Originally published at alessandrocudazzo.it on February 15, 2018.

Written by

computer engineering student @Unipisa science and engineering lover
