Send Email Notification after a SSH Login

  • Posted on August 9, 2017

GeekThis happily runs on Vultr. Get $300 of free hosting credits to try out their cloud compute, kubernetes engine, or managed databases. Try Vultr today to claim your free $300.

Setting up e-mail notifications and alerts when a user signs in through SSH requires a shell script and a small modification to PAM. Keep in mind that if you’re setting up this alert for security, then you probably want to look at locking down your system first and securing all of your services instead of just receiving alerts. This notification can be useful as an extra alert for logins, but don’t rely on it as a security feature because you won’t always be monitoring your e-mail, and once an attacker signs into your server, it’s too late.

This tutorial was tested on a Debian Stretch server using EXIM as the MTA and using the mail command from GNU Mailutils. Depending on your current Linux distribution and the services you have installed, the tutorial may vary slightly and require additional modifications.

Creating the Shell Script

The first part of this tutorial is to create a shell script that will send an e-mail. Since we are integrating the script with PAM, there are a few environment variables provided by pam_exec we have access to which will be useful to include in the e-mail. This script assumes you have EXIM configured to send outgoing e-mails. Slight modifications may be required if you are using Sendmail, Postfix, or any other MTA.

#!/bin/sh

EMAIL_TO="sysadmin@example.com"
EMAIL_FROM="ssh-alert@server1.example.com"

SUBJECT="SSH Login Notification"

MESSAGE="
A user signed into your server through SSH.
-------------------------------------------
Username: ${PAM_USER}
IP Address: ${PAM_RHOST}"

if [ ${PAM_TYPE} = "open_session" ]; then
	echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${EMAIL_TO}"
fi

exit 0

Once your script is created, be sure to set the permissions of the script to be executable and only allow the root user to edit the file. Creating the directory /etc/pam_scripts is a nice location to store all custom scripts you add to PAM, some users opt to store the scripts directly in the /etc/pam.d folder. To test your script from the command line, you will want to comment out the if statement around the mail command by prefixing the lines with the pound symbol. Test your script and make sure you receive the e-mail notification. The test e-mail will be void of values for the username and IP address because those environment variables are not set and will only be available when PAM runs the script.

Configuring PAM

Now it’s time to configure PAM to run the script you created. By default, OpenSSH creates the file /etc/pam.d/sshd, and you will need to edit the file to include the location of the script above. Open /etc/pam.d/sshd with your favorite editor as root (nano, vim, etc) and add the following lines to the configuration file.

# Login Email Notification
session required pam_exec.so /etc/pam_scripts/login-email-notification.sh

There is no need for a system or service restart for the script to start running after authentication. There is a lot of additional information you should read about Running Scripts after Authentication along with additional troubleshooting techniques, script and file permissions, and why using PAM is better than other techniques.

Troubleshooting

If you are running into problems with receiving an e-mail notification after a user signs in through SSH, some of the below solutions may help you out. First, you want to make sure your script is set as executable. Run the command chmod +x <script> to set the shell script to be executable.

The problem could also exist if you don’t have a MTA or your MTA doesn’t provide the sendmail command that mail from GNU Mailutils uses to send messages. First look into the log file for your MTA and check for any issues. If nothing stands out, consider changing the shell script from using the mail command to sendmail.

If your script runs fine by itself but fails to run when signing in through SSH, you will want to look at the post “Running Scripts after SSH Authentication” and follow those troubleshooting techniques. It could also be useful to read through the article even if you don’t have any issues to confirm all modifications you made to PAM and your sshd_config file are correct.

Related Posts

Protecting your OpenSSH Server

Learn how to harden your OpenSSH server to limit abuse and protect against unauthorized users. Change these few configuration options to secure your SSH server.

SSH into Multiple Servers using MultiSSH

Learn about the interesting tool MultiSSH (MSSH) that allows you to connect to multiple SSH servers and run the same command on all of them simultaneously.

How to Run Scripts after SSH Authentication

Learn how to run scripts automatically after a user signs in through SSH or any other authentication service on your server that uses the Pluggable Authentication Module PAM.

Automatically Start Docker Container

Automatically start Docker containers when your server or computer boots using restart policies and avoiding systemd service files.