Whenever we install, configure, and secure Linux servers in a production environment, it’s crucial to keep track of what is happening on the servers and who logs into them, especially concerning server security.
Why? Because if someone logs into the server as the root user, for example after brute-forcing SSH, think about how much damage they can do to your server.
Any user who gains root access can do whatever they want. To block such SSH attacks, read the following articles, which describe how to protect servers from them.
- 5 Best Practices to Prevent SSH Brute-Force Login Attacks in Linux
- Use Pam_Tally2 to Lock and Unlock SSH Failed Login Attempts
- 5 Best OpenSSH Server Best Security Practices
So, it’s not a good practice to allow direct root login via an SSH session; instead, we recommend creating non-root accounts with sudo access. Whenever root access is needed, first log in as a normal user and then use ‘su‘ to switch to the root user.
To disable direct SSH root logins, follow this article, which shows how to disable and limit root logins in SSH.
This guide demonstrates a simple method to receive an email alert notification whenever someone logs in as root or as a normal user. The alert is sent to the specified email address and includes the IP address of the last login.
Once you have identified the IP address of a login made by an unknown user, you can block SSH logins from that particular IP address with a firewall rule, as shown.
Using iptables:
sudo iptables -A INPUT -s <IP_Address> -p tcp --dport ssh -j DROP
Using firewalld:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<IP_Address>" port protocol="tcp" port="22" reject'
sudo firewall-cmd --reload
Using UFW (Uncomplicated Firewall):
sudo ufw deny from <IP_Address> to any port 22
sudo ufw reload
How to Set SSH Login Email Alerts in Linux Server
To carry out this tutorial, you must have root-level access on the server, a little knowledge of the nano or vi text editor, and the mailx (mail client) installed on the server to send the emails.
Depending on your Linux distribution, you can install the mailx client using one of the following commands.
sudo apt install mailutils         [On Debian, Ubuntu and Mint]
sudo yum install mailx             [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
sudo emerge -a sys-apps/mailx      [On Gentoo Linux]
sudo apk add mailx                 [On Alpine Linux]
sudo pacman -S mailx               [On Arch Linux]
sudo zypper install mailx          [On OpenSUSE]
sudo pkg install mailx             [On FreeBSD]
Set SSH Root Login Email Alerts
Now log in as the root user and go to root’s home directory by typing the cd /root command.
cd /root
Next, add an entry to the .bashrc file. This file sets local environment variables for the user and performs some login tasks; here we use it to set up an email login alert.
Open the .bashrc file with either the vi or nano editor. Remember that .bashrc is a hidden file; you won’t see it with the ls -l command. You have to use the -a flag (ls -a) to see hidden files in Linux.
vi .bashrc
nano .bashrc
Add the following line at the bottom of the file. Make sure to replace ‘ServerName‘ with the hostname of your server and change ‘[email protected]‘ to your email address.
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Save and close the file, logout, and log back in.
Once you log in via SSH, the .bashrc file is executed by default and sends you an email alert for the root login, as shown.
Sample Email Alert:
ALERT - Root Shell Access (Database Replica) on: Thu Nov 28 16:59:40 IST 2023 tecmint pts/0 2023-11-28 16:59 (172.16.25.125)
Set SSH Normal User Login Email Alerts
Log in as a normal user (tecmint) and go to the user’s home directory by typing the cd /home/tecmint/ command.
cd /home/tecmint
Next, open the .bashrc file and add the following line at the end of the file. Make sure to replace the values as shown above.
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" [email protected]
Save and close the file, log out, and log in again. When you log back in, the .bashrc file is executed and sends you an email alert for the user login.
This way you can set an email alert for any user. Just open that user’s .bashrc file, located in the user’s home directory (i.e. /home/username/.bashrc), and set the login alert as described above.
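A tighter variant of the .bashrc alert line used above for both the root and the normal-user case, added here as an example and not part of the original article: it fires only for interactive SSH sessions and takes the client address from the SSH_CONNECTION variable that sshd sets, instead of parsing `who`, which lists every logged-in session and may report another session’s address. The function names, ALERT_TO and SERVER_NAME are assumptions of this example.

```shell
#!/bin/bash
# Added example: SSH-only login alert for ~/.bashrc.
# ALERT_TO is a placeholder recipient; SERVER_NAME defaults to the hostname.
ALERT_TO="${ALERT_TO:-admin@example.com}"
SERVER_NAME="${SERVER_NAME:-$(hostname)}"

# ssh_client_ip CONNECTION -> prints the client IP from an SSH_CONNECTION
# value ("client_ip client_port server_ip server_port"); empty if not SSH.
ssh_client_ip() {
    set -- $1
    printf '%s' "${1:-}"
}

# alert_subject IP USER -> one-line mail subject
alert_subject() {
    printf 'Alert: %s login on %s from %s' "$2" "$SERVER_NAME" "$1"
}

# alert_body USER TTY IP DATE -> mail body (first line matches the article's format)
alert_body() {
    printf 'ALERT - Shell Access (%s) on: %s\nuser=%s tty=%s from=%s\n' \
        "$SERVER_NAME" "$4" "$1" "$2" "$3"
}

# send_login_alert: call from ~/.bashrc. Only fires for interactive SSH
# sessions, so console logins, cron jobs and scp/sftp do not generate mail.
send_login_alert() {
    case $- in *i*) ;; *) return 0 ;; esac        # interactive shells only
    [ -n "${SSH_CONNECTION:-}" ] || return 0      # SSH sessions only
    ip=$(ssh_client_ip "$SSH_CONNECTION")
    user=$(id -un)
    tty=$(tty 2>/dev/null || echo unknown)
    alert_body "$user" "$tty" "$ip" "$(date)" |
        mail -s "$(alert_subject "$ip" "$user")" "$ALERT_TO"
}

send_login_alert
```

Because a user can edit their own ~/.bashrc, this alert is a convenience rather than a control; the sshd entries in the system auth log remain the authoritative record of who logged in and from where.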