Email on successful login

Published: 17 december 2011 | Category: Hints, Security | Labels: , , | Short url » | Be the first to comment! »

If you have a server that you know nobody really should login to, it can be a good idea to track the few logins the server gets. I have done this on my OpenBSD router by telling /etc/profile (who runs on every login) to send me an email about every successful login. The line I added to /etc/profile looks like this:

echo -e ”Login on `hostname` `date` \n\n# w $(whoami)\n`w $(whoami)` \n\n# who -HTu\n`who -HTu`” | mail -s ”Login on `hostname` as (`whoami`)” root

What this do is that it collect some useful information about the user that has just logged in and sends an email to the root user. If you do not have set up an alias for the user it is possible to change ”root” in the command above to an email address. The email will look like:

Subject: Login on gw.localdomain as (username)

Login on gw.localdomain Sat Dec 17 12:04:17 CET 2011

# w username
12:04PM  up  2:37, 1 user, load averages: 0.40, 0.77, 0.90
USER    TTY FROM              LOGIN@  IDLE WHAT
username   p0 192.168.0.22    12:04PM     0 w username

# who -HTu
USER     S LINE     WHEN         IDLE    FROM
username   + ttyp0    Dec 17 12:04   .     (192.168.0.22)


Leave a comment!