How to Get Root and User SSH Login Email Alerts?

Secure Shell (SSH) is a widely used protocol for securely connecting to remote systems over unsecured networks. It provides a secure channel for communication between two systems, allowing users to execute commands and manage files on remote machines without the risk of eavesdropping, tampering, or identity theft.

However, despite its strong security features, SSH is still vulnerable to attacks from cybercriminals who seek to exploit weak passwords, unpatched software vulnerabilities, or misconfigured permissions. Therefore, it's essential to take proactive measures to secure your SSH access by implementing email alerts for login attempts.

Setting up Email Alerts for Root Login

Installing Required Software

Before setting up email alerts for root login, install the appropriate software. Two popular options are Logwatch and Rsyslog. Logwatch is a Linux log analysis tool that can scan system logs and send daily summaries via email, including information on root logins. Rsyslog is a more powerful logging system that allows for filtering and forwarding of log messages.

To install Logwatch on Ubuntu or Debian-based systems

sudo apt-get update
sudo apt-get install logwatch

For Rsyslog, use the following commands

sudo apt-get update
sudo apt-get install rsyslog

Configuring Email Alerts for Root Login

To set up email alerts for root login attempts using Logwatch

• Open the configuration file /etc/cron.daily/00logwatch with your preferred text editor.

• Locate the line that reads Output = stdout and change it to Output = mail.

• Find the line that reads Mailto = and add your email address after the equal sign.

• Save the changes to the file.

With this configuration in place, you will receive daily emails containing summaries of all root login attempts on your system.

For Rsyslog users, follow these steps

• Create a new file in /etc/rsyslog.d/ called 50-root.conf.

• Add this line to the file

authpriv.* /var/log/rootlogin.log

This creates a new log file in /var/log/ specifically for tracking root login attempts.

• To forward these messages via email, add the following lines to the end of the file

$ModLoad ommail
$template mailSubject,"[ROOT LOGIN] %msg%"
$template mailBody,"%msg%"
authpriv.* :ommail:your@email.com;mailSubject;mailBody

Make sure to replace your@email.com with your actual email address.

• Save the changes and restart rsyslog

sudo service rsyslog restart

Setting up Email Alerts for User Login

Creating a Custom Script

To set up email alerts for user login, create a custom script that monitors system logs and sends an email alert when a user logs in. Here's an example of a Bash script that checks for successful logins and sends an email alert

#!/bin/bash
LOGFILE="/var/log/auth.log"
EMAIL="youremail@example.com"

grep "Accepted" $LOGFILE | grep -v "sudo" | awk '{print $1,$2,$3,$9}' |
while read DATE TIME HOST USER
do
    echo "User $USER logged in at $TIME on $DATE from $HOST" | \
    mail -s "SSH Login Alert for User: $USER" $EMAIL
done

This script checks the /var/log/auth.log file for successful login attempts, excluding those made through sudo. It then formats the output into an email message including the user, date, time, and host information.

Advanced Script with Conditional Formatting

You can customize email alert messages with additional information and conditional statements. Here's an example that formats emails differently based on whether the login was by root or a regular user

#!/bin/bash
LOGFILE="/var/log/auth.log"
EMAIL="youremail@example.com"

grep "sshd.*session opened" "$LOGFILE" | awk '{print $1,$2,$3,$11}' |
while read DATE TIME HOST USER
do
    if [[ "$USER" != "root" ]]
    then
        echo "User $USER logged in as a non-root user at $TIME on $DATE from $HOST." | \
        mail -s "SSH Login Alert for User: $USER (Non-Root)" "$EMAIL"
    else
        echo "Root user logged in at $TIME on $DATE from host: $HOST." | \
        mail -s "SSH Login Alert for User: Root" "$EMAIL"
    fi
done

Advanced Configuration Options

Multiple Email Recipients

To improve security and ensure alerts reach the right people, configure multiple email addresses for different types of notifications. For example, root login alerts could go to the system administrator, while user login attempts could go to the help desk team. This enables quicker response times and helps identify potential threats earlier.

Severity-Based Alert Levels

Configure different alert levels based on the severity of login attempts. A single failed login might not warrant immediate response, whereas multiple failed attempts in quick succession could indicate a brute force attack requiring immediate attention. Use filtering techniques and scripts that monitor log files and trigger corresponding alerts based on predefined rulesets.

Conclusion

Implementing email alerts for SSH root and user logins provides an essential security layer for your systems. By using tools like Logwatch, Rsyslog, or custom scripts, you can monitor login attempts and receive immediate notifications of suspicious activity. This proactive approach helps identify potential security threats before they cause damage to your server environment.