How to Get Root and User SSH Login Email Alerts?


Secure Shell (SSH) is a widely used protocol for securely connecting to remote systems over unsecured networks. It provides a secure channel for communication between two systems, allowing users to execute commands and manage files on remote machines without the risk of eavesdropping, tampering, or identity theft.

However, despite its strong security features, SSH is still vulnerable to attacks from cybercriminals who seek to exploit weak passwords, unpatched software vulnerabilities, or misconfigured permissions. Therefore, it's essential to take proactive measures in order to secure your SSH access.

Setting up Email Alerts for Root Login

Exploring the Necessary Software

Before setting up email alerts for root login, it is essential to install and configure the appropriate software. Two popular options are Logwatch and Rsyslog. Logwatch is a Linux log analysis tool that can scan system logs and send daily summaries via email, including information on root logins.

Rsyslog is a more powerful logging system that allows for filtering and forwarding of log messages. To install Logwatch on Ubuntu or Debian-based systems, open a terminal and type −

sudo apt-get update sudo apt-get install logwatch 

For Rsyslog, use the following commands −

sudo apt-get update 
sudo apt-get install rsyslog 

Once installed, you will need to configure these tools to send email alerts for root login attempts.

Configuring Email Alerts for Root Login

To set up email alerts for root login attempts using Logwatch −

  • Open the configuration file /etc/cron.daily/00logwatch with your preferred text editor.

  • Locate the line that reads "Output = stdout" and change it to "Output = mail".

  • Find the line that reads "Mailto =" and add your email address after the equal sign.

  • Save the changes to the file.

With this configuration in place, you should now receive daily emails containing summaries of all root login attempts on your system.

For Rsyslog users, follow these steps −

  • Create a new file in /etc/rsyslog.d/ called 50-root.conf (or another name of your choosing).

  • Add this line to the file −

authpriv.* /var/log/rootlogin.log 

This will create a new log file in /var/log/ specifically for tracking root login attempts.

  • To forward these messages via email, add the following lines to the end of the file −

$ModLoad ommail 
$template mailSubject,"[ROOT LOGIN] %msg%" 
$template mailBody,"%msg%" 

Make sure to replace "" with your actual email address.

  • Save the changes and restart rsyslog with the command −

sudo service rsyslog restart 

With these steps completed, you should now receive email alerts whenever a root login attempt is made on your system. To further filter and customize these alerts, refer to the documentation for Logwatch or Rsyslog.

Setting up Email Alerts for User Login

Creating a Custom Script

To set up email alerts for user login, you will need to create a custom script that will monitor the system logs and send an email alert when a user logs in. One way to do this is by using the Bash scripting language. Here's an example of a simple Bash script that will check for successful logins and send an email alert −

grep "Accepted" $LOGFILE | grep -v "sudo" | awk '{print $1,$2,$3,$9}' | 
while read DATE TIME HOST USER do 
echo "User $USER logged in at $TIME on $DATE from $HOST" | mail -s "SSH Login Alert for User: $USER" $EMAIL 

This script checks the /var/log/auth.log file for successful login attempts, excluding those made through sudo.

It then formats the output into an email message including the user, date, time, and host information. It sends that message as an email to your specified address.

Formatting Options

There are many options available to customize your email alert messages. For example, you could include additional information such as the IP address of the client machine or the number of failed login attempts made by a particular user.

You can also modify the subject line to include more details or even use conditional statements to vary the formatting based on certain criteria. Here's another example of a Bash script that uses conditional statements to format emails differently depending on whether a login attempt was successful or not −

EMAIL="" grep "sshd.*session opened" "$LOGFILE" | awk '{print $1,$2,$3,$11}' | 
while read DATE TIME HOST USER do 
if [[ "$USER" != "root" ]] then 
echo "User $USER logged in as a non-root user at $TIME on $DATE from $HOST." | mail -s "SSH Login Alert for User: $USER (Non-Root)" "$EMAIL" 
else echo "Root user logged in at $TIME on $DATE from host: $HOST." | 
mail -s "SSH Login Alert for User: Root" "$EMAIL" fi 

This script checks the auth.log file for successful login attempts and formats the output differently depending on whether it was a root user or a non-root user.

It sends an email with the appropriate message and subject line to your specified email address. With these examples in mind, you can customize your own script to fit your specific needs and preferences.

Advanced Topics

Setting up Multiple Email Addresses

To further improve security and ensure that all alerts are seen by the right people, you may want to consider setting up multiple email addresses for notifications. For example, alerts for successful root logins could be sent to the system administrator, while failed user login attempts could be sent to the help desk team.

This not only enables quicker response times but also helps in identifying potential threats earlier on. One way to achieve this is through configuring filters within your alerting software to forward specific types of alerts to specific email addresses or groups.

This can be done by modifying configuration files or using GUI-based tools provided by the software. By taking this advanced step, it creates an extra level of security for your systems, ensuring that all necessary parties are notified in real-time when any suspicious activity occurs.

Configuring Different Alert Levels Based on Severity of Login Attempts

There are different levels of severity when it comes to SSH login attempts. For instance, a single failed login attempt might not warrant an immediate response, whereas multiple failed login attempts in quick succession could indicate a brute force attack and require immediate attention.

To handle these different scenarios effectively, you need to configure different alert levels based on the severity of login attempts. In order to accomplish this task, you can use various techniques such as configuring different filters and scripts that monitor log files and trigger corresponding alerts based on predefined rulesets.


SSH (Secure Shell) is a crucial tool for remotely accessing and managing servers. However, it also presents a significant security risk if not used correctly. Unsecured SSH access can allow attackers to gain unauthorized access to your system and wreak havoc on your server environment.

Implementing email alerts for root and user logins is a straightforward process that can be accomplished with either built-in Linux tools or third-party software. By following the steps outlined in this article, you can easily configure your system to send email notifications whenever there is an attempted login on your server.

Once implemented, these email alerts provide an additional layer of security to keep your servers protected from unauthorized access attempts. By staying vigilant and monitoring these logs closely, you can quickly identify any suspicious activity and take appropriate action before any real damage occurs.

Updated on: 06-Jun-2023


Kickstart Your Career

Get certified by completing the course

Get Started