Hi,
I want to set up our server so that I get emailed when someone logs in via SSH. We recently had a malicious actor get in, and I want to be more up to date if it happens again. So I have a bash script:
```
recipient="[email protected]"
subject="SSH Login Alert"
message="SSH login detected on $(hostname) at $(date) by user $(whoami) from $(echo $SSH_CONNECTION | awk '{print $1}')"
echo "Message: $message" >> /tmp/ssh_login_debug.log
echo "$message" | /usr/bin/mail -s "$subject" "$recipient"
```
and /usr/local/bin/sftp_with_notifications.sh:
```
#!/bin/bash
# Your email notification script
/usr/local/bin/notify_login_ssh.sh
# Execute the internal-sftp command
internal-sftp
```
Then in /etc/ssh/sshd_config, I have:
```
Match User sftp_dummy99,admin,north_admin,athertons,westbrook,bfc,saliscare,camera,brettinc,katie,costumes,marike,tessa,bob,andyadmin,directmilk,newstreet,ukraine,stats,newstree2,test,raffner,newbyhost,euprwire,george,executivethreat,machinegazette,nettlegrasp,punkindustry,ukprwire,usprwire,clickpress,octobrachia,store,accounts,willr,gcsescience,teardrop,hatlamp,ibrahim,usinglaw
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
#ForceCommand internal-sftp
**ForceCommand /usr/local/bin/sftp_with_notification.sh**
```
I restart the ssh service, and then connect via SSH again. But nothing. It logs me in, but no emails.
Also, as a side note: does sshd_config get overwritten? I can see the Match User part updates with new users, so I'm not sure if the new ForceCommand would get re-written as well?
Thanks
Andy
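
A pre-restart check for the setup in the post above, as an added example that is not part of the original post: it lists every `ForceCommand` path in an `sshd_config` that is missing or not executable, such as a config line naming `sftp_with_notification.sh` when the file on disk is `sftp_with_notifications.sh`. The function name `check_forcecommands`, its optional root-prefix argument and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): report ForceCommand targets in an
# sshd_config that are missing or not executable.
# Usage: check_forcecommands CONFIG [ROOT]
# ROOT is prepended to each path: empty for the live filesystem, or a
# ChrootDirectory, because sshd runs a forced command after entering the chroot.
check_forcecommands() {
    local config="$1" root="${2:-}" bad=0 lineno=0 line keyword cmd
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line="${line%%#*}"                  # drop comments, e.g. "#ForceCommand ..."
        set -f; set -- $line; set +f        # split on whitespace, no globbing
        [ $# -ge 2 ] || continue
        # sshd_config keywords are case-insensitive
        keyword="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
        [ "$keyword" = "forcecommand" ] || continue
        cmd="$2"
        # Only absolute paths name a file; internal-sftp is served inside sshd.
        case "$cmd" in /*) ;; *) continue ;; esac
        if [ ! -f "$root$cmd" ]; then
            echo "line $lineno: $cmd does not exist under ${root:-/}"
            bad=$((bad + 1))
        elif [ ! -x "$root$cmd" ]; then
            echo "line $lineno: $cmd is not executable"
            bad=$((bad + 1))
        fi
    done < "$config"
    return "$bad"                           # number of problems found
}

# Constructed sample tree: the wrapper is installed as ...notifications.sh,
# while the config refers to ...notification.sh.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/usr/local/bin" "$demo_root/etc/ssh"
printf '#!/bin/bash\n' > "$demo_root/usr/local/bin/sftp_with_notifications.sh"
chmod +x "$demo_root/usr/local/bin/sftp_with_notifications.sh"
cat > "$demo_root/etc/ssh/sshd_config" <<'EOF'
Match User test
#ForceCommand internal-sftp
ForceCommand /usr/local/bin/sftp_with_notification.sh
EOF
check_forcecommands "$demo_root/etc/ssh/sshd_config" "$demo_root" \
    || echo "problems found: $?"
```

On a live host the same function can be pointed at `/etc/ssh/sshd_config` with no second argument, or with a user's chroot directory as the second argument.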