Skip to main content
Menu
Monitor and Alert SSH Login Activty | Cheatsheets
Monitor and Alert SSH Login Activty

Monitor and Alert SSH Login Activty

September 3, 2021
linux, mail
devops, monitoring

Edit sshrc file #

vi /et/ssh/sshrc

Add following lines

ip=`echo $SSH_CONNECTION | cut -d " " -f 1`

logger -t ssh-wrapper $USER login from $ip

echo "User $USER just logged in from $ip" | mail -s "[ATTENTION] $USER Just logged in from $ip" your-email@your-domain.com 

img

Monitor your ssh authorized_keys changes #

create notify.sh script file and add following code of lines

#!/bin/bash

[[ -z `find /home/ubuntu/.ssh/authorized_keys -mmin -1` ]]

if [ $? -eq 0 ]
then
    echo -e "nothing has changed"
else
    echo "Recently authorized_key file has been changed" | mail -s "[ATTENTION] Your server authorized_key file recently updated" your-email@your-domain.com 
fi

Adding Notify.sh script into cron job #

crontab -e

add your script that run every minutes

* * * * * /path/of/your/notify.sh > /dev/null

img