When dealing with potential security breaches on CentOS/RHEL systems, real-time notification of user logins becomes critical. Unlike periodic log reviews, immediate alerts allow for swift response to unauthorized access attempts.
The Pluggable Authentication Modules (PAM) system provides the most reliable hook for capturing logins, because every PAM-aware service (sshd, console login, su) opens its session through the same stack:
# Create notification script. pam_exec exports PAM_USER, PAM_RHOST, PAM_TTY,
# PAM_SERVICE and PAM_TYPE; SSH_CONNECTION is not set in this context.
sudo tee /usr/local/bin/login-alert.sh <<'EOF'
#!/bin/bash
# Run once when the session opens, not again when it closes
[ "$PAM_TYPE" = "open_session" ] || exit 0
echo "Login alert for user: $PAM_USER from ${PAM_RHOST:-local}" | mail -s "Login Alert on $(hostname)" admin@example.com
echo "User: $PAM_USER logged in from: ${PAM_RHOST:-local} at $(date)" >> /var/log/login-alerts.log
exit 0
EOF
# Make script executable
sudo chmod +x /usr/local/bin/login-alert.sh
# Configure PAM. A file in /etc/pam.d is only used if a service refers to it,
# so include it from /etc/pam.d/sshd (or from system-auth to cover all services).
# "optional" means a failing script never blocks a login.
sudo tee /etc/pam.d/login-alert <<'EOF'
#%PAM-1.0
session optional pam_exec.so /usr/local/bin/login-alert.sh
EOF
echo "session include login-alert" | sudo tee -a /etc/pam.d/sshd
For more comprehensive auditing:
# Install auditd if not present
sudo yum install audit -y
# Configure audit rules: sshd normally re-executes itself for each new
# connection, so the execve rule records every connection; the watch
# records writes to the auth log
sudo tee -a /etc/audit/rules.d/login.rules <<'EOF'
-a always,exit -F arch=b64 -S execve -F path=/usr/sbin/sshd -F success=1 -k sshd_exec
-w /var/log/secure -p wa -k sshd_log
EOF
# Restart auditd (this reloads the rules.d files via augenrules)
sudo service auditd restart
This improved version captures more connection details:
#!/bin/bash
[ "$PAM_TYPE" = "open_session" ] || exit 0
IP="${PAM_RHOST:-local}"   # set by pam_exec; SSH_CONNECTION is not available here
HOSTNAME=$(hostname)
DATE=$(date "+%Y-%m-%d %H:%M:%S")
MAIL_BODY="Alert: $PAM_USER logged in to $HOSTNAME
Time: $DATE
IP Address: $IP
Terminal: $PAM_TTY
Service: $PAM_SERVICE"
echo "$MAIL_BODY" | mail -s "Security Alert: Login on $HOSTNAME" admin@example.com
exit 0
After implementation, test the setup by:
- Creating a test SSH session
- Checking mail logs:
sudo tail -f /var/log/maillog
- Verifying audit logs (ausearch -i interprets the raw records; aureport -l gives the login report):
sudo ausearch -i -k sshd_exec
sudo aureport -l
For high-traffic systems, consider:
- Using a local mail transfer agent like postfix
- Implementing rate limiting in the alert script
- Logging to a dedicated file rather than sending emails for every event
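As an added example, not from the page, here is one way to write the pam_exec script with the points above folded in: the open_session check, PAM_RHOST instead of SSH_CONNECTION, a dedicated log file that is always written, and per-user/host rate limiting of the mails. The state directory /var/lib/login-alert and the LOGIN_ALERT_* environment overrides are assumptions, not anything the page defines.

```shell
#!/bin/bash
# Added example (not from the page): a pam_exec script that fires only on
# open_session, uses PAM_RHOST (SSH_CONNECTION is not set for pam_exec),
# always logs locally, and rate-limits mail per user/host pair.
# Paths below are hypothetical and can be overridden via the environment.
STATE_DIR="${LOGIN_ALERT_STATE:-/var/lib/login-alert}"
LOG_FILE="${LOGIN_ALERT_LOG:-/var/log/login-alerts.log}"
MIN_INTERVAL="${LOGIN_ALERT_INTERVAL:-300}"   # seconds between mails per user@host
RECIPIENT="${LOGIN_ALERT_TO:-admin@example.com}"

# One single-line record built from the variables pam_exec exports.
format_alert() {
    printf 'time=%s user=%s rhost=%s service=%s tty=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "${PAM_USER:-?}" \
        "${PAM_RHOST:-local}" "${PAM_SERVICE:-?}" "${PAM_TTY:-?}"
}

# Returns 0 (send mail) if no mail went out for user $1 from host $2 within
# MIN_INTERVAL seconds, else 1 (suppress). State is one timestamp file per key.
should_mail() {
    local key stamp now last
    key=$(printf '%s@%s' "$1" "$2" | tr -c 'A-Za-z0-9@._-' '_')
    stamp="$STATE_DIR/$key"
    now=$(date +%s)
    last=$(cat "$stamp" 2>/dev/null || echo 0)
    [ $((now - last)) -ge "$MIN_INTERVAL" ] || return 1
    mkdir -p "$STATE_DIR" && printf '%s\n' "$now" > "$stamp"
}

main() {
    # pam_exec also runs us on close_session; alert once per login only.
    [ "$PAM_TYPE" = "open_session" ] || return 0
    local line
    line=$(format_alert)
    printf '%s\n' "$line" >> "$LOG_FILE"      # the local record is never rate-limited
    if should_mail "${PAM_USER:-?}" "${PAM_RHOST:-local}"; then
        printf '%s\n' "$line" | mail -s "Login: ${PAM_USER:-?}@$(hostname)" "$RECIPIENT"
    fi
    return 0   # never let an alerting failure block the login
}

# Only act when invoked by pam_exec (PAM_TYPE set); sourcing the file for
# tests leaves the functions defined without sending anything.
if [ -n "$PAM_TYPE" ]; then
    main
fi
```

Install it in place of the script above and point the pam_exec line at it; a mail is then sent at most once per MIN_INTERVAL for each user/host pair while every login still lands in the log file.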
When administering CentOS/RHEL servers, immediate notification of user logins becomes crucial for security monitoring. Traditional logwatch provides daily reports, but real-time alerts enable faster incident response.
The Pluggable Authentication Modules (PAM) system offers direct hook capabilities. Create /etc/pam.d/login-alert and pull it in from the service you want to monitor (for example, add "session include login-alert" to /etc/pam.d/sshd). The module belongs in the session stack, since the script below only acts on open_session, and "optional" keeps a failing script from blocking logins:
#%PAM-1.0
session optional pam_exec.so /usr/local/bin/login-alert.sh
Then create the alert script /usr/local/bin/login-alert.sh:
#!/bin/bash
# pam_exec calls the script for open_session and close_session; alert only on open
[ "$PAM_TYPE" = "open_session" ] || exit 0
{
echo "User: $PAM_USER"
echo "Remote Host: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Date: $(date)"
} | mail -s "Login Alert: $PAM_USER@$(hostname)" admin@example.com
exit 0
Configure rsyslog to match the PAM session messages as they arrive (on CentOS/RHEL they come in on the authpriv facility and are written to /var/log/secure; rsyslog filters the message stream, so no log file has to be watched) and trigger emails:
# /etc/rsyslog.conf
module(load="ommail")
template(name="loginmail" type="string" string="%msg%\nFrom: %fromhost-ip%")
if ($msg contains 'session opened for user') then {
action(type="ommail" server="mail.example.com" port="25"
mailfrom="alerts@example.com"
mailto="admin@example.com"
subject.text="Login Alert"
template="loginmail")
}
Note that crond and su also log "session opened for user", so narrow the condition (for example with $programname == "sshd") unless those are wanted, and that ommail sends one mail per matching message, which on a busy server quickly becomes a flood.
For more detailed tracking, use auditd to watch the login accounting files:
# /etc/audit/rules.d/logins.rules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
auditd can also mail an administrator, but only about its own state (disk space, disk errors), not about individual login events; that setting lives in the daemon configuration:
# /etc/audit/auditd.conf
action_mail_acct = admin@example.com
Configure fail2ban to send alerts for the sshd jail (action_mwl mails on each ban, that is, after repeated failed logins, including whois output and the matching log lines):
# /etc/fail2ban/jail.local
[sshd]
enabled = true
action = %(action_mwl)s
After implementing any solution, test with a login and watch the mail log (on CentOS/RHEL it is /var/log/maillog):
ssh localhost
tail -f /var/log/maillog
For auditd solutions verify with:
ausearch -k logins