A simple couple of lines on highly critical servers that could save your ass.
Add the following line to the .bash_profile of root or your user:
echo "$SSH_CONNECTION" | sed 's/\(.*\) \(.*\) \(.*\) \(.*\)/ Remote root ssh login detected from \1:\2 to '"$(hostname)"' IP \3 Port \4/' | mail -s "Remote root ssh login warning" your@email.com
Instead of an email address you can use phone_number@your_operator.sms.gateway and get an SMS like this:
Remote root ssh login detected from 10.1.1.148:65308 to my.server.com IP 141.1.1.107 Port 22
almost immediately after the root user logs in.
Stay informed!
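The same hook written as a shell function, as an added example that is not the original author's code: it skips the alert when SSH_CONNECTION is empty (console or su logins) or malformed, and brackets IPv6 client addresses so the port stays readable. The function names format_ssh_login_alert and notify_ssh_login are hypothetical.

```shell
# Added example. SSH_CONNECTION holds four space-separated fields:
#   client_ip client_port server_ip server_port

# Print the alert text for a given SSH_CONNECTION value and host name.
# Returns 1 (and prints nothing) if the value is empty or malformed.
format_ssh_login_alert() {
    ssh_conn=$1
    ssh_host=$2

    # Empty on console or su logins: nothing to report.
    [ -n "$ssh_conn" ] || return 1

    # Split into fields without word-splitting side effects or globbing.
    read -r ssh_cip ssh_cport ssh_sip ssh_sport ssh_extra <<EOF
$ssh_conn
EOF

    # Exactly four fields are expected.
    [ -n "$ssh_sport" ] || return 1
    [ -z "$ssh_extra" ] || return 1

    # Both ports must be purely numeric.
    case "$ssh_cport$ssh_sport" in
        *[!0-9]*) return 1 ;;
    esac

    # Bracket IPv6 client addresses so "address:port" is unambiguous.
    case "$ssh_cip" in
        *:*) ssh_cip="[$ssh_cip]" ;;
    esac

    printf 'Remote root ssh login detected from %s:%s to %s IP %s Port %s\n' \
        "$ssh_cip" "$ssh_cport" "$ssh_host" "$ssh_sip" "$ssh_sport"
}

# Mail the alert to the address given as $1; stay silent for non-SSH logins.
notify_ssh_login() {
    ssh_msg=$(format_ssh_login_alert "${SSH_CONNECTION:-}" "$(hostname)") || return 0
    printf '%s\n' "$ssh_msg" | mail -s "Remote root ssh login warning" "$1"
}

# In .bash_profile, after the two functions above:
# notify_ssh_login your@email.com
```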