Design an Email Notification on User Login via SSH

Hands-On Lab

 

Length

00:30:00

Difficulty

Intermediate

Introduction

The topic of this lab is notifications. The goal is to design a notification system that sends an email every time a user logs in via SSH. This is a simple detective control: it tells you about every successful login, including one made with stolen or guessed credentials, although it says nothing about failed attempts.

Connecting to the Lab

  1. Begin by logging in to the lab server using the credentials provided on the hands-on lab page.

    ssh cloud_user@PUBLIC_IP_ADDRESS

Install EPEL Repos, sendemail, python36, python36-devel

  1. Install the EPEL repos.

    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  2. Install Python.

    sudo yum install python36 python36-devel
  3. Install the ability to send email.

    sudo yum install sendemail

Test Sending out an Email

  1. Test the ability to send email. Make sure to replace the [CAPITALIZED] fields with appropriate values. For a Gmail account, [GMAIL_PASSWORD] must be an App Password generated for an account with 2-Step Verification enabled; the regular account password is rejected for SMTP authentication. Be aware that a password passed on the command line is visible to every local user in the process list while the command runs and is recorded in the shell history, which is acceptable in a lab but not on a production host.

    sendemail -f [FROM_EMAIL] -u 'AUTH_NOTIFICATION' -t [TO_EMAIL] -s smtp.gmail.com:587 -o tls=yes -xu [GMAIL_USER_NAME] -xp [GMAIL_PASSWORD] -m "This is a test message"
  2. Verify the email is delivered.

Write a Script to Send an Email with the Time Stamp and Username upon SSH Login

  1. Install vim.

    sudo yum install vim
  2. Create a script for sending email.

    vim /home/cloud_user/onLogin.py
  3. Copy the following text into the script file. Make sure to replace the [CAPITALIZED] fields with appropriate values.

    #!/bin/python3.6
    
    import os
    import getpass
    import subprocess
    from datetime import datetime
    
    # pam_exec runs a session module for both open_session and close_session;
    # only the open is a login, so skip the close or every login sends two emails.
    if os.environ.get('PAM_TYPE', 'open_session') != 'open_session':
        raise SystemExit(0)
    
    # Under pam_exec the script runs with sshd's (root) identity, so getpass.getuser()
    # would report root. PAM_USER holds the account that actually authenticated and
    # PAM_RHOST the client address; getpass is only the fallback for running by hand.
    user = os.environ.get('PAM_USER') or getpass.getuser()
    
    msg = ("#########################\nTIME: " + datetime.now().strftime('%Y-%m-%d %H:%M:%S') +
           "\nUSER: " + user + "\nFROM: " + os.environ.get('PAM_RHOST', 'local') +
           "\nWAS AUTHENTICATED\n#########################\n")
    
    subprocess.check_output(['sendemail', '-f', '[FROM_EMAIL]', '-u', 'SCAN_NOTIFICATION', '-t', '[TO_EMAIL]', '-s', 'smtp.gmail.com:587', '-o', 'tls=yes', '-xu', '[GMAIL_USER_NAME]', '-xp', '[GMAIL_PASSWORD]', '-m', msg], shell=False)
  4. Save the changes and exit the editor.

  5. Change the permissions on the script.

    chmod +x onLogin.py
  6. Test the script and verify email delivery.

    ./onLogin.py

Configure SSH to Make Use of the Script

  1. Open the PAM configuration that sshd uses (this is /etc/pam.d/sshd, not sshd_config).

    sudo vim /etc/pam.d/sshd
  2. At the end of the file, add a new line and enter the following text. This makes pam_exec run the script during the session phase of every SSH login. The seteuid option runs it with sshd's effective user ID, which is root, and optional means a failure of the notifier does not affect the login. pam_exec exports the PAM items to the script's environment (PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE), which is how the script can learn which account logged in, from where, and whether the session is being opened or closed.

    session    optional     pam_exec.so seteuid /home/cloud_user/onLogin.py
  3. Save the changes and exit the editor.

  4. Log out.

    exit
  5. Log back in and observe the failure: the login itself still succeeds, because the module is optional, but no notification email arrives.

    ssh cloud_user@PUBLIC_IP_ADDRESS
  6. Examine the log files.

    sudo grep -i onlogin /var/log/messages
  7. Copy the script to a system directory. Because sshd executes this file as root on every login, it must be owned by root and writable only by root, never left in a user-writable location such as a home directory; otherwise any account that can modify it gains root code execution. The file also holds the SMTP credentials in cleartext, so restrict read access to root as well.

    sudo cp onLogin.py /bin/
  8. Open the PAM configuration for sshd again.

    sudo vim /etc/pam.d/sshd
  9. Update the final line of the file to point at the new location.

    session    optional     pam_exec.so seteuid /bin/onLogin.py
  10. Save the changes and exit the editor.

  11. Log out.

    exit
  12. Log back in.

  13. Verify an email notification is sent. pam_exec runs a session module both when the session opens and when it closes, so check how many messages one login-and-logout cycle produces; a notifier should report only the open.
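The script and the PAM line above form a working notifier, but they ignore the context pam_exec provides and put the SMTP password on the command line. The following is an added example, not the lab's own script, showing how a practitioner would write the same notifier: it reads the login details from the PAM_* variables pam_exec exports (PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY), reports only session opens so that one login produces one email, and sends with Python's smtplib over STARTTLS, taking the credentials from a root-only file instead of argv. The config path /etc/ssh-notify.conf, its KEY=VALUE format, and the SAMPLE_ENV dictionary are assumptions made for this example.

```python
#!/usr/bin/env python3
# Added example, not the lab's own script. Assumed (not from the lab):
# the config file path and format, and SAMPLE_ENV, which is constructed
# to mirror what pam_exec exports for an SSH login.
import os
import smtplib
import socket
import sys
from datetime import datetime, timezone
from email.message import EmailMessage

CONFIG_PATH = "/etc/ssh-notify.conf"  # assumed: root-owned, mode 0600

# Constructed sample of the environment pam_exec hands to the script.
SAMPLE_ENV = {
    "PAM_TYPE": "open_session",
    "PAM_USER": "cloud_user",
    "PAM_RHOST": "203.0.113.5",
    "PAM_SERVICE": "sshd",
    "PAM_TTY": "ssh",
}


def parse_config(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def build_notification(env, host=None):
    """Return (subject, body) for a session open, or None if nothing
    should be sent. env is the environment as pam_exec provides it."""
    # A session module runs for open_session and close_session; only the
    # open is a login, so skipping the close avoids a second email.
    if env.get("PAM_TYPE") != "open_session":
        return None
    user = env.get("PAM_USER")
    if not user:
        # Not invoked by PAM (e.g. run by hand): do not guess the account.
        return None
    host = host or socket.gethostname()
    rhost = env.get("PAM_RHOST") or "unknown"
    when = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    body = (
        f"TIME:    {when}\n"
        f"HOST:    {host}\n"
        f"USER:    {user}\n"
        f"FROM:    {rhost}\n"
        f"SERVICE: {env.get('PAM_SERVICE', 'unknown')}\n"
        f"TTY:     {env.get('PAM_TTY', 'unknown')}\n"
    )
    return f"AUTH_NOTIFICATION: {user}@{host} from {rhost}", body


def send_mail(conf, subject, body):
    """Deliver over SMTP with STARTTLS. Credentials come from the config
    dict, never from argv, which any local user can read under /proc."""
    msg = EmailMessage()
    msg["From"] = conf["FROM"]
    msg["To"] = conf["TO"]
    msg["Subject"] = subject
    msg.set_content(body)
    server, _, port = conf.get("SMTP", "smtp.gmail.com:587").partition(":")
    with smtplib.SMTP(server, int(port or 587), timeout=15) as smtp:
        smtp.starttls()
        smtp.login(conf["USER"], conf["PASSWORD"])
        smtp.send_message(msg)


def demo():
    """Build the message for the constructed sample login (no mail sent)."""
    return build_notification(SAMPLE_ENV, host="lab01")


def main():
    notice = build_notification(os.environ)
    if notice is None:
        return 0
    try:
        with open(CONFIG_PATH) as fh:
            conf = parse_config(fh.read())
        send_mail(conf, *notice)
    except Exception as exc:
        # Never block a login over a notifier error; pam_exec's log=FILE
        # option captures this message for troubleshooting.
        print(f"onLogin: notification failed: {exc}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as root with mode 0700 at the path named in the PAM line, and put FROM, TO, USER, PASSWORD and optionally SMTP into /etc/ssh-notify.conf with mode 0600. To dry-run it without logging in, run it as root with PAM_TYPE=open_session, PAM_USER and PAM_RHOST set in the environment; with PAM_TYPE=close_session or without PAM_USER it exits without sending, which is the behaviour the session-close call relies on.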

Conclusion

Congratulations, you've completed this hands-on lab!