As part of your security auditing, especially if the server is exposed to the internet, you should have an email sent to you whenever a user shells into the server. If you are not expecting a login event, this will give you a clear indication that the server has been compromised. There are two components to setting this up, both straightforward: first, configure the server for SMTP handling; second, configure the user's profile to act on the login event.
1. Log into the server
2. Install Exim4
apt-get install exim4
3. Elevate to root
su - root
4. Reconfigure mail
Select “mail sent by smarthost; no local mail”
Enter the FQDN of the local server
Enter “127.0.0.1 ; <server IP address>” (with a space on each side of the semicolon), eg: 127.0.0.1 ; 192.168.0.1
Enter the FQDN of the local server again
Enter the domain name you are sending from
Enter the smart host uplink provider you require for sending the email (this can be local or external)
Select “No”
Select “No”
5. Edit /home/<username>/.bashrc
6. Add the following to the end of the file
echo 'ALERT SSH access on server "<server>":' `date` `who` | mail -s "Alert: <username> Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]
Change <server> to the local server name, change <username> to the username you are monitoring, and change “[email protected]” to the email address you want the alerts sent to.
Test by shelling into the server.
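The following is an added example, not the one-liner from the post above: it wraps the same alert in a function for ~/.bashrc that only fires for interactive SSH sessions (bash also reads ~/.bashrc for non-interactive remote commands such as scp, which would otherwise trigger an alert) and takes the client address from the per-session SSH_CONNECTION variable instead of the first line of `who`. It assumes a working `mail` command from the Exim4 setup above; the server name and recipient are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): SSH login alert for ~/.bashrc.

# Extract the client IP from an SSH_CONNECTION value, whose format is
# "client_ip client_port server_ip server_port".
ssh_client_ip() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Fallback used when SSH_CONNECTION is absent: pull the "(host)" field from
# a `who` line, as the post's one-liner does with cut.
who_client_host() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# Subject line: $1 = username, $2 = client address.
alert_subject() {
    printf 'Alert: %s Access from %s\n' "$1" "$2"
}

# Body: $1 = server name, $2 = date string, $3 = who output.
alert_body() {
    printf 'ALERT SSH access on server "%s": %s %s\n' "$1" "$2" "$3"
}

# Send the alert: $1 = server name, $2 = recipient address.
# Returns without sending unless this is an interactive shell on an SSH session.
send_login_alert() {
    case "$-" in *i*) ;; *) return 0 ;; esac    # interactive shells only
    if [ -n "$SSH_CONNECTION" ]; then
        client=$(ssh_client_ip "$SSH_CONNECTION")
    else
        client=$(who_client_host "$(who -m)")
    fi
    [ -n "$client" ] || return 0                  # not an SSH session
    alert_body "$1" "$(date)" "$(who -m)" \
        | mail -s "$(alert_subject "$USER" "$client")" "$2"
}

# Usage at the end of ~/.bashrc (placeholders to replace):
# send_login_alert "<server>" "<alert recipient address>"
```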
Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.