Score:0

Get logged ssh user name and ip inside /etc/profile to send mail


I added the following code at the end of the /etc/profile file in order to send a mail through Mailgun with info on the user and IP connected. It sends the mail, but I don't know how to get the SSH user name and IP of origin.

Also, is there a possibility of not being able to log in via SSH if the method in /etc/profile fails?

And another question: right now it sends mail on successful login (afaik). Is it possible to also send mail when login fails?

#!/bin/bash
## This script sends a mail on successful ssh login

if [ -n "$SSH_CLIENT" ]; then

  # Message body: should hold the user name and IP of the connection
  TEXT="$GET_USER_NAME_AND_IP"

  # Send the notification through the Mailgun API
  curl -s --user 'api:key-xxxxxxd3e1bd13c13cbxxxxxx' https://api.eu.mailgun.net/v3/mydomain.com/messages -F from='Server Notification <postmaster@mydomain.com>' -F to='myadminmail@gmail.com' -F subject="New SSH login detected" -F text="$TEXT"

fi

Thanks in advance

Organic Marble:
netstat -tu will get you the connection's IP, but I don't know how to tie that back to a user name.
Score:1

Successful login

Try this bash script to get the user name and the user's IP address. It is an example only; you can modify it as needed. It works only for logged-in users.

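#!/bin/bash

if [ -n "$SSH_CLIENT" ]; then
  # SSH_CLIENT is "client_ip client_port server_port"; keep the first field
  SSHIP=$(echo "$SSH_CLIENT" | cut -f 1 -d ' ')
  # Look up the user name in the output of w by matching the client IP
  SSHUSER=$(w | grep -F "$SSHIP" | cut -f 1 -d ' ')
  echo -e " USER=$SSHUSER \n IP=$SSHIP"
  # curl and next commands may be placed here ...
fi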

!!! Note that the script only works well with at most one ssh connection !!!

For multiple concurrent connections, it would need to be modified and would become more complex.

Unsuccessful login

You can find failed SSH log-in attempts in the '/var/log/auth.log' file.

Here is an example of how to list unsuccessful SSH attempts:

grep -i "ssh" /var/log/auth.log | grep "fail"

The output lines contain user= and rhost= values, which identify the user and his IP address.

Here is an example of a filter to simplify the log output:

grep -i "ssh" /var/log/auth.log | awk 'BEGIN { FS="rhost="; } /failure;/{ print $2; }'

Important note

I think it's not a good idea to send an email after every unsuccessful login. When your computer interface is exposed to the Internet, it will log hundreds to thousands of failed logon attempts every day.

Organic Marble:
This script didn't work on my 20.04 Ubuntu MATE system. `echo $SSH_CLIENT` returned nothing even when there was an SSH user connected.
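
An added example, not part of the original thread, for the "Unsuccessful login" and "Important note" parts of the answer above: rather than mailing every failure, it counts the `authentication failure;` lines per rhost and user and reports only pairs at or above a threshold. The function names, the threshold and the sample log lines are constructed for illustration, and it assumes the pam_unix line format with rhost= and user= described above, where user= may be absent.

```shell
#!/bin/sh
# Added example, not from the thread: digest of failed SSH logins.

# Reads auth.log lines on stdin and prints "COUNT RHOST USER" for every
# (rhost, user) pair seen in sshd "authentication failure;" lines, most
# frequent first. USER is "-" when the line has no user= field.
failed_ssh_digest() {
  awk '
    /sshd/ && /authentication failure;/ {
      rhost = ""; user = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^rhost=/)     rhost = substr($i, 7)   # anchored: skips ruser=
        else if ($i ~ /^user=/) user  = substr($i, 6)
      }
      if (rhost != "") count[rhost " " user]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Keeps digest rows whose count is at least $1 (threshold is an assumption).
over_threshold() {
  awk -v min="$1" '$1 + 0 >= min + 0'
}

# Constructed sample lines: documentation addresses, made-up host and PIDs.
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:15:01 host1 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:15:03 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:15:09 host1 sshd[2104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:15:17 host1 sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  3 10:16:40 host1 sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23
Mar  3 10:16:48 host1 sshd[2113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23
Mar  3 10:20:02 host1 sshd[2120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=alice
Mar  3 10:20:30 host1 sshd[2124]: Accepted password for alice from 192.0.2.44 port 51000 ssh2
EOF
}

# Prints only the pairs with two or more failures.
sample_auth_log | failed_ssh_digest | over_threshold 2
```

On a real system, feed it the log instead, for example `failed_ssh_digest < /var/log/auth.log`, and mail the result once per interval rather than once per event.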