Setting alerts for root account logins is useful in many ways, for example to track when your server has been logged in to. Unauthorized logins are a huge security risk that needs to be fixed.
Steps to enable alerting for root login
- Login to the server and switch to the root user.
- Open the file /root/.bash_profile and append the code below.
/usr/bin/echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]
Replace [email protected] with your own email address, and the alerts will be sent to that address.
Simple, isn’t it? You can try to log in or switch to the root user, and you should get an email like this.
ALERT - Root Shell Access on: Thu Jul 23 09:42:46 UTC 2022 user pts/0 2020-07-23 09:42 (xx.xx.xx.xx)
Simple but powerful. If you know that your server is rarely logged in to, you can integrate this email with other monitoring tools such as PagerDuty, which will alert you on your phone when someone logs in to the server.
If you are integrating with PagerDuty, you will need to configure an email address on which alerts can be received, and then use that same email address in the above command.
Set up alerts for other users
As with the root user, we can set alerts for another user as well. Let’s say you have another user
sudo vi .bashrc
and append the line below.
/usr/bin/echo 'ALERT - Shell Access on user justgeek:' `date` `who` | mail -s "Alert: Shell Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]
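The one-liners above pass the full `who` output to the subject line, so with several people logged in the subject lists every source address. The variant below is an added example, not code from the original article: it reports only the current terminal's session and works for root or any other user. The function names and the ALERT_TO placeholder address are assumptions made for this example.

```bash
# Added example, not the article's one-liner. ALERT_TO is a placeholder address.
ALERT_TO="${ALERT_TO:-alerts@example.invalid}"

# Pull the remote host out of one line of `who` output, for example
#   "user pts/0 2020-07-23 09:42 (203.0.113.7)" -> 203.0.113.7   (constructed sample)
# Console sessions carry no "(host)" field; an empty line means no utmp entry.
login_source() {
    case "$1" in
        "")        printf 'unknown\n' ;;
        *"("*")"*) printf '%s\n' "$1" | sed 's/.*(\([^)]*\)).*/\1/' ;;
        *)         printf 'local\n' ;;
    esac
}

# Subject line: account that now has a shell, this server, and the source host.
login_subject() {
    printf 'Alert: Shell access as %s on %s from %s\n' "$1" "$2" "$(login_source "$3")"
}

send_login_alert() {
    # `who -m` prints only the entry for this terminal, not every session.
    session="$(who -m 2>/dev/null)"
    printf 'ALERT - Shell access on: %s\n%s\n' "$(date)" "$session" |
        mail -s "$(login_subject "$(id -un)" "$(hostname)" "$session")" "$ALERT_TO"
}

# Alert from interactive shells only; the background subshell keeps a slow or
# failing mail command from delaying the login.
case "$-" in
    *i*) ( send_login_alert >/dev/null 2>&1 & ) ;;
esac
```

Append it to the same profile file in place of the one-liner, with ALERT_TO set to the address that should receive the alerts.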
In this article, we have set alerts for root login as well as for another user, which can alert you in real time when someone logs in to the server. If that login wasn’t expected at that time, you can take immediate action.