#!/bin/sh
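# ssh_email_alert.sh - e-mail an HTML alert when an SSH session is opened.
#
# Environment read: PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and
# EMAIL_RECIPIENTS (not set anywhere in this script).
# NOTE(review): the PAM_* names suggest this is run by pam_exec from the sshd
# PAM stack - confirm against the PAM configuration. If so, the session waits
# for the whois lookup below, which has no timeout here.
#
# Exit status is always 0, whether or not a mail was sent. Strict modes such
# as `set -e` are not enabled, so a failing helper cannot change that.

# Escape HTML metacharacters read from stdin. The remote host name and the
# whois record are not controlled by this server, so they must reach the mail
# as text, never as markup. '&' is replaced first so the entities produced by
# the later expressions are not escaped a second time.
html_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print $1 with CR and LF removed, so a value placed in a mail header cannot
# start an additional header line.
header_value() {
  printf '%s' "$1" | tr -d '\r\n'
}

# Only build and send the alert for session-open events. Every other PAM
# event falls through to `exit 0` without running whois or sendmail.
if [ "${PAM_TYPE}" = "open_session" ]; then
  RECIPIENTS="$(header_value "${EMAIL_RECIPIENTS}")"
  if [ -z "${RECIPIENTS}" ]; then
    # `sendmail -t` takes its recipients from the To: header; with none there
    # is nothing to deliver, so skip the lookup and the send.
    printf '%s\n' "ssh_email_alert: EMAIL_RECIPIENTS is empty, no alert sent" >&2
    exit 0
  fi

  SUBJECT="[$(hostname)] SSH notification: successful login from IP $(header_value "${PAM_RHOST}")"

  USER_HTML="$(printf '%s\n' "${PAM_USER}" | html_escape)"
  RHOST_HTML="$(printf '%s\n' "${PAM_RHOST}" | html_escape)"
  SERVICE_HTML="$(printf '%s\n' "${PAM_SERVICE}" | html_escape)"
  LOGIN_TIME="$(date +'%Y-%m-%d %T (%Z)')"

  WHOIS_HTML=""
  if [ -n "${PAM_RHOST}" ]; then
    # `--` stops option parsing, so a host value beginning with '-' is treated
    # as the query and not as a whois option. The record is escaped before the
    # <br> line breaks are appended, so only those breaks are real markup.
    WHOIS_HTML="$(whois -- "${PAM_RHOST}" | html_escape | awk '{print $0"<br>"}')"
  fi

  # The empty line after the headers marks the start of the message body.
  /usr/sbin/sendmail -t <<EOF
Subject:${SUBJECT}
To:${RECIPIENTS}
MIME-Version: 1.0
Content-Type: text/html

<html>
<head>
<style>
body {
font: small/ 1.5 Arial,Helvetica,sans-serif;
padding: 15px;
}
h1,h2,h3,h4,h5,h6 {
font: small/ 1.5 Arial,Helvetica,sans-serif normal;
}
a {
color: #15c;
cursor: pointer;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
table {
font-size: small;
}
.whois {
display: inline-block;
font-family: monospace;
line-height: 1.3em;
word-spacing: .01em;
word-wrap: break-word;
padding: 15px;
background-color: #f5f5f5;
border: 1px solid #e3e3e3;
box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
}
.key {
color: #76808f;
text-align: right;
padding-right: 5px;
}
</style>
</head>
<body>
<h1>SSH Login successful</h1>
<p>The following user signed to your server via SSH, please review the information below:</p>
<div>
<table>
<tr><td class="key">User:</td><td>${USER_HTML}</td></tr>
<tr><td class="key">IP Address:</td><td>${RHOST_HTML}</td></tr>
<tr><td class="key">Service:</td><td>${SERVICE_HTML}</td></tr>
<tr><td class="key">Time:</td><td>${LOGIN_TIME}</td></tr>
</table>
</div>
<div>
<h3>Whois information</h3>
<div class="whois">
${WHOIS_HTML}
</div>
<p>If you don't recognize this activity, your server might be compromised.</p>
</div>
</body>
</html>
EOF
fi

exit 0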