How to Get Linux Server Sends Email Alert on Root Login

To improve the security of a server, especially a web server that is exposed to the Internet and to possible hackers worldwide, it's best to have the server automatically send a notification email to a predefined email address every time someone logs in as root on the host. To configure an automatic email alert to a default email address for each root login on the server, use the following guide.

  1. Log in to the server via SSH as root.
  2. Ensure that you're in the home directory of root. Then open .bash_profile for editing using pico or vi by typing one of the following commands at the shell prompt:
    pico .bash_profile
    vi .bash_profile
  3. Scroll down to the end of the file and add the following line:
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" user@example.com
    

    Replace user@example.com with the actual email address that you want the root access alert notification to be sent to. Note that you can change the text contained in the email alert too. The text starting with the first ALERT is written as the email body, and you can add other info such as the host name or change the wording. The second Alert is the email subject, which you can change to your own too.

Now log out and log in again as root; you should receive an email alert in your inbox. This security trick should work on most popular flavors of Linux, such as RedHat, CentOS, Ubuntu, FreeBSD, etc.
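
Because `.bash_profile` is only read by bash login shells, a log-based check is a useful complement to the hook above. The following is an added example, not part of the original article: it scans auth-log lines for root SSH logins and `su` sessions and mails only the new ones. The log line formats, the log and state file paths, and the sample lines are assumptions.

```sh
#!/bin/sh
# Added example, not the article's code. Assumed log formats: OpenSSH
# "Accepted <method> for root from <ip>" and pam_unix "session opened for
# user root ... by <user>"; verify both against your own auth log.

# Constructed sample lines (documentation IP ranges, made-up host and users).
SAMPLE_LOG='Dec  9 08:39:38 web1 sshd[2211]: Accepted publickey for root from 203.0.113.5 port 51122 ssh2
Dec  9 08:40:02 web1 sshd[2230]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Dec  9 08:41:10 web1 su[2301]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Dec  9 08:45:00 web1 sshd[2400]: Failed password for root from 192.0.2.44 port 60100 ssh2
Dec  9 08:50:12 web1 su[2450]: pam_unix(su-l:session): session opened for user root(uid=0) by bob(uid=1001)'

# stdin: auth-log text. stdout: one "kind|origin|timestamp" line per root
# session: direct SSH logins (client IP) and su to root, with or without "-".
root_login_alerts() {
    awk '
    { ts = $1 " " $2 " " $3 }
    / sshd\[[0-9]+\]: Accepted [^ ]+ for root from / {
        for (i = 1; i < NF; i++)
            if ($i == "from") { print "ssh|" $(i + 1) "|" ts; break }
        next
    }
    /pam_unix\(su(-l)?:session\): session opened for user root[ (]/ {
        by = "unknown"
        for (i = 1; i < NF; i++)
            if ($i == "by") { by = $(i + 1); sub(/\(.*/, "", by) }
        print "su|" by "|" ts
    }'
}

# Cron entry point: mail alerts only for lines added since the last run.
# The log path and state file defaults are hypothetical; user@example.com is
# the article's placeholder address.
mail_new_root_alerts() {
    log=${1:-/var/log/auth.log} state=${2:-/var/lib/root-alert.offset}
    seen=$(cat "$state" 2>/dev/null || echo 0)
    total=$(($(wc -l < "$log")))
    if [ "$seen" -gt "$total" ]; then seen=0; fi    # log was rotated
    [ "$total" -gt "$seen" ] || return 0            # nothing new
    tail -n "+$((seen + 1))" "$log" | head -n "$((total - seen))" |
    root_login_alerts |
    while IFS='|' read -r kind origin ts; do
        echo "ALERT - Root session via $kind at $ts on $(uname -n)" |
            mail -s "Alert: Root Access from $origin" user@example.com
    done
    echo "$total" > "$state"
}
```

Call `mail_new_root_alerts` from root's crontab; RHEL-family systems log to /var/log/secure rather than /var/log/auth.log, so pass that path as the first argument there.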

December 9th, 2016 | Categories: Linux | 7 Comments

About the Author:

LK is a technology writer for Tech Journey with a background as a system and network administrator. He has been documenting his experiences in the digital and technology world for over 15 years.


  • Jon

    'who -m' makes the output much cleaner when using this on a system that has multiple users logged on…

    -m reports only hostname and user associated with stdin terminal

  • Emilio

    This works for root login or su – from a user login.

    How can I implement it that will work also for "su" only? Right now since the path will change with su instead of su – it will not send an email if someone is not using the "-" after the su. Thanks.

  • dean

    Great stuff,

    Is there a way to have the IP of the person who logs in show up?

  • Hi,

    Before finding this article, I had already started to try to implement this myself. I did basic security testing to it and I found that you can very very easily bypass this by executing the "sh" command which bypasses the "bash" command to load the shell and therefore, .bash_profile and .bashrc both get bypassed.

    Use this at your own risk and don't assume it's a guarantee. Another way to possibly implement such a feature is to rewrite the code for openSSH and implement it directly into the code.

  • Also, it should be known that if anyone was attempting to get root access to your system, the "bash" shell probably wouldn't be loaded. They would probably go for the lower of "sh".

  • Niels

    You can also add this to /etc/profile to make this work for every login instead of just root access.

  • We can use "last" to check login users. A script needs to be written to compare differences in the last output and run it in cron.
