Page 1 of 2 (Results 1 to 15 of 22)

This is a discussion on Root access alert in the VPS & Dedicated forum

  1. #1 JPC Member | Join Date: Jun 2006 | Posts: 43

    Root access alert

    I'm trying to set up the root access alert that Greg mentions in the VPS security thread but it isn't working.

    This is what I've entered into the .bash_profile file

    "echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com"

    The thing is, when I log in with ssh it says

    "mail: option requires an argument --s"

    What am I entering wrong?

    Thanks

  2. #2 rainboy (Friendly) | Join Date: Apr 2006 | Location: Eindhoven, The Netherlands | Posts: 546
    andrewlondon,

    The first quote and the last quote ("echo and .com") should not be there, but maybe you did put that in to clarify.

    I use the following (which, apart from that, looks exactly the same):
    echo 'MYSERVERNAME WARNING - Root Shell Access on:' `date` `who` | mail -s "Warning: Root Access from `who | awk '{print $6}'`" myuser@smydomain.com
    I don't get the error about -s; maybe it wants you to remove the space between the -s and the quote.

    Kindest regards,
    Patrick

  3. #3 JPC-Greg (Darth Admin, aka Jag) | Join Date: Sep 1998 | Posts: 5,201
    That should be it, I don't get any complaints when running that. Try just pasting the command into the command line and hit enter, see if it complains.
    Greg L. | Chief Executive Officer
    JaguarPC.com


  4. #4 JPC Member | Join Date: Jun 2006 | Posts: 43
    Quote Originally Posted by Jag
    That should be it, I dont get any complaints when running that. Try just pasting the comment into the command line and hit enter, see if it complains.
    Do you mean this bit
    mail -s "Warning: Root Access from `who | awk '{print $6}'`"

    ?

    It just sits there when I enter that.

  5. #5 JPC Member | Join Date: Jun 2006 | Posts: 43
    Right, that's working, but it emails the following:

    ALERT - Root Shell Access on: Thu Jun 22 14:28:29 BST 2006 root ttyp4 Jun 22 13:49 (:ttyp0:S.1)

    Shouldn't it give me an IP?

  6. #6 rainboy (Friendly) | Join Date: Apr 2006 | Location: Eindhoven, The Netherlands | Posts: 546
    The command:

    who | awk '{print $6}'

    Should give you the IP address, try to issue the 'who' command alone on your shell it should give output like:
    root pts/1 Jun 22 15:19 YOURIPADDY-or-HOSTNAME

    As you can see, the 6th field is: YOURIPADDY-or-HOSTNAME

    This is what the awk does: cut the 6th field of the output of who.

    If this is showing something else, it will show just that. Maybe someone is logged on as root on the console?

    Kindest regards,
    Patrick
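
An added example, not part of this thread and not Greg's or Patrick's command: a small POSIX sh script that produces the same alert as the one-liner in posts #1 to #3, but takes the source address from SSH_CONNECTION (which sshd sets in the login session and which does not depend on the utmp record that `who` reads) before falling back to the last field of `who am i`, so it still reports an origin when `who` prints nothing, as in posts #5 and #7. The awk follows Patrick's field explanation from post #6, except that it reads the last field (rather than $6) and strips the parentheses `who` puts around the host, and it looks only at the current session (`who am i`) rather than at every logged-in user. The address ALERT_TO and the function names are my own; the mail send at the end is left exactly as in the thread's one-liner.

```shell
#!/bin/sh
# Added example (not from the thread): build the root-login alert from data
# that is available even when `who` prints nothing.  Assumptions: sshd
# exports SSH_CONNECTION ("client_ip client_port server_ip server_port")
# into the session, and `who am i` has the same layout as in the thread.
# ALERT_TO is a placeholder; use an off-server address.

ALERT_TO="${ALERT_TO:-you@example.com}"

# login_source SSH_CONNECTION_VALUE WHO_LINE
# Prints the remote address.  Prefers SSH_CONNECTION; falls back to the
# origin field of a `who am i` line (the 6th field in the thread's output),
# and prints "unknown" when neither has anything.
login_source() {
    ssh_conn=$1
    who_line=$2
    if [ -n "$ssh_conn" ]; then
        # First word of SSH_CONNECTION is the client IP.
        printf '%s\n' "${ssh_conn%% *}"
        return 0
    fi
    # `who` adds the origin as a 6th field, usually in parentheses; a line
    # with only 5 fields (tty, date, time) has no origin at all.
    src=$(printf '%s\n' "$who_line" \
        | awk 'NF >= 6 { f = $NF; gsub(/[()]/, "", f); print f }')
    if [ -n "$src" ]; then
        printf '%s\n' "$src"
    else
        printf 'unknown\n'
    fi
}

# alert_subject SOURCE: the mail subject line, same wording as the thread.
alert_subject() {
    printf 'Alert: Root Access from %s\n' "$1"
}

# alert_body SOURCE DATE WHO_LINE: the mail body, with the origin spelled out.
alert_body() {
    printf 'ALERT - Root Shell Access on: %s from %s\n%s\n' "$2" "$1" "$3"
}

# send_root_alert: the call to put in /root/.bash_profile after sourcing
# this file.  Uses the same `mail -s` invocation as the thread.
send_root_alert() {
    me=$(who am i 2>/dev/null)
    src=$(login_source "${SSH_CONNECTION:-}" "$me")
    alert_body "$src" "$(date)" "$me" \
        | mail -s "$(alert_subject "$src")" "$ALERT_TO"
}
```

The functions are split out so the address-extraction part can be checked by hand (`login_source "$SSH_CONNECTION" "$(who am i)"`) before it is wired into the login shell; `.bash_profile` only needs `. /root/root-alert.sh; send_root_alert`.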

  7. #7 JPC Member | Join Date: Jun 2006 | Posts: 43
    Well, I logged out and have logged back in. The server has sent me an email but it doesn't show anything. It just says there has been root access. It doesn't tell me the IP or hostname.

    Also, since i logged out and back in the who command isn't doing anything. :-/

  8. #8 rainboy (Friendly) | Join Date: Apr 2006 | Location: Eindhoven, The Netherlands | Posts: 546
    You might run into a bug:

    It's a bug in the CentOS 4.x release (Red Hat Enterprise 4.x). The fix is to activate UseLogin yes in sshd_config.
    You have to restart sshd afterwards to make it active.

    Kindest regards,
    Patrick

  9. #9 JPC Member | Join Date: Jun 2006 | Posts: 43
    Quote Originally Posted by rainboy
    You might run into a bug:

    You have to restart sshd afterwards to make it active.

    Kindest regards,
    Patrick
    I appreciate all the help you're giving me, but I've just restarted sshd and this is what it emails me

    ALERT - Root Shell Access on: Thu Jun 22 15:18:09 BST 2006
    It's driving me

    I was under the impression that it should send me the user's IP address?

  10. #10 rainboy (Friendly) | Join Date: Apr 2006 | Location: Eindhoven, The Netherlands | Posts: 546
    Yes it should. Did you add UseLogin yes to your sshd config file before restarting sshd?

    Otherwise ask support for a quick look at your system. It's common that on some OSes the who command is not working correctly, but it should be fixed by the above change.

    I would however suggest not to just use any 'script' someone provides if you do not know what it is doing exactly.

    Kindest regards,
    Patrick

  11. #11 JPC Member | Join Date: Jun 2006 | Posts: 43
    Brilliant. That's worked. Editing the sshd_config file then restarting has fixed the problem.

    One thing: seeing as I've edited the motd, it would be a good idea to get the system to email an external account rather than one hosted on the server, wouldn't it?

  12. #12 JPC Member | Join Date: Jun 2006 | Posts: 43
    Quote Originally Posted by rainboy
    I would however suggest not to just use any 'script' someone provides if you do not know what it is doing exactly.
    I'm not that silly. The only script I have running on my VPS is osCommerce. Nothing else is going on there. I thought I could trust what Greg was telling me to do in the security thread.

    One thing: is telnet cPanel-specific? Because the instructions to disable it aren't working on my setup.

    Regards

  13. #13 rainboy (Friendly) | Join Date: Apr 2006 | Location: Eindhoven, The Netherlands | Posts: 546
    Of course it is best practice to send the mail to an off-server account. But if someone logs in as root on your server, I think all mails will be too late for you; it will only tell you someone got in, and you have to reinstall the server.

    I don't understand your question about telnet. Telnet is a protocol just like SSH, only *NOT* secure, as it authenticates in plain text with the server; it is usually bound to port 23 on the server. New installations in general do not have telnet installed anymore.

    You can check if telnet is listening at port 23 by issuing the following command

    netstat -l | grep -E "telnet|23"
    explanation:
    netstat -l shows all ports the server listens on.
    grep -E "telnet|23" filters all lines with either telnet or 23 in them.

    Why check for telnet or 23? Well, if telnet is defined in the services file it will show in the netstat output as hostname:telnet instead of hostname:23; in this case you filter both out and are sure it's at least not running on port 23.

    Kindest regards,
    Patrick
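
An added example, not Patrick's command and not from this thread: the same check as an sh function over a constructed `netstat -l` listing, with one caveat about the grep pattern above. `grep -E "telnet|23"` matches any line containing the digits 23, so a service on port 2323, 8023 or 123 shows up as well, and a real telnet listener can hide among the false hits. The awk below compares the port part of the Local Address column exactly, so only :telnet and :23 listeners match. The sample output and the function names are my own, constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find telnet listeners in `netstat -l`
# output by matching the port exactly instead of grepping for the digits 23.

# Constructed sample of `netstat -l` output (not from a real server). It has
# one telnet listener by name, one by number, and three decoys (2323, 8023
# and udp 123) that a substring match for "23" would also report.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:telnet        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2323            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8023            0.0.0.0:*               LISTEN
tcp6       0      0 [::]:23                 [::]:*                  LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# telnet_listeners: reads netstat -l output on stdin and prints the Local
# Address of every TCP socket whose port is exactly "telnet" or "23".
# The port is the text after the last colon, which also works for [::]:23.
telnet_listeners() {
    awk '$1 ~ /^tcp/ {
        n = split($4, a, ":")
        if (a[n] == "telnet" || a[n] == "23") print $4
    }'
}

# naive_matches: the pattern from the thread, kept here for comparison.
naive_matches() {
    grep -E "telnet|23"
}

# Line counts over the sample, to show how many extra lines the naive
# pattern reports.
count_strict() { printf '%s\n' "$SAMPLE_NETSTAT" | telnet_listeners | wc -l | tr -d ' '; }
count_naive()  { printf '%s\n' "$SAMPLE_NETSTAT" | naive_matches | wc -l | tr -d ' '; }

# On a live server:  netstat -l | telnet_listeners
# An empty result means nothing is listening on telnet/23 over TCP.
```

On the sample, `count_strict` reports 2 listeners (localhost:telnet and [::]:23) while `count_naive` reports 5; the three extra lines are the decoy ports. The awk only looks at the `Local Address` column of tcp lines, so foreign addresses and UDP sockets cannot produce a hit either.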

  14. #14 Connie (Old Hillbilly) | Join Date: Sep 2001 | Location: Hills of Missouri | Posts: 2,648
    I didn't think Jag allowed telnet anymore because of the security problems. I thought SSH was the only protocol allowed.

    Forum Moderators - Jag Staff

  15. #15 rainboy (Friendly) | Join Date: Apr 2006 | Location: Eindhoven, The Netherlands | Posts: 546
    Like I said, "New installations in general do not have telnet installed anymore", but it never hurts to double check.
