Linux tutorials • How to Add SSH Login Alert Notification on Debian 12 with MyVesta

This tutorial shows how to set up an SSH login notification script on a Debian 12 server with MyVesta, using `msmtprc` to send email alerts. The script notifies you when someone logs into your server via SSH, including the username, remote IP, and timestamp. It uses a cache to avoid duplicate notifications from the same IP within an hour.

Step 1: Install and Configure msmtprc
Install `msmtprc` to handle email sending:

Code:

apt updateapt install msmtp -y

Create the configuration file using `nano`:

Code:

nano /etc/msmtprc

Add the following configuration, replacing placeholders with your email server details:

Code:

defaultsauth           ontls            ontls_starttls   offtls_trust_file /etc/ssl/certs/ca-certificates.crtlogfile        /var/log/msmtp.logaccount        defaulthost           mail.yourdomain.comport           465from           server@yourdomain.comuser           server@yourdomain.compassword       YourSecurePassword

Save and exit `nano` (Ctrl+O, Enter, Ctrl+X). Secure the file:

Code:

chmod 600 /etc/msmtprcchown root:root /etc/msmtprc

Test the configuration by sending a test email:

Code:

echo -e "Subject: Test\n\nThis is a test email." | msmtp server@yourdomain.com

Check `/var/log/msmtp.log` for errors.

Step 2: Create the SSH Login Notification Script
Create the script using `nano`:

Code:

nano /usr/local/bin/ssh-login-notify.sh

Add the following script:

Code:

#!/bin/bash# VariablesTIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')TIMESTAMP_SECONDS=$(date +%s)HOSTNAME="your_hostname"MESSAGE_ID="ssh-login-$(date +%s)@your_hostname.yourdomain.com"DATE=$(date -R)# Capture the real user who logged inUSERNAME=$(logname 2>/dev/null || who am i | awk '{print $1}' | head -1)if [ -z "$USERNAME" ]; then    USERNAME=$SUDO_USERfiif [ -z "$USERNAME" ]; then    USERNAME="Unknown"fi# Capture the remote IPREMOTE_IP=$(echo "$SSH_CLIENT" | awk '{print $1}')if [ -z "$REMOTE_IP" ]; then    REMOTE_IP=$(who am i | awk '{print $NF}' | sed 's/[()]//g')fiif [ -z "$REMOTE_IP" ]; then    REMOTE_IP=$(last -i -n 1 | grep "$USERNAME" | awk '{print $3}' | sed 's/[()]//g')fiif [ -z "$REMOTE_IP" ]; then    REMOTE_IP="Unknown"fi# Cache to prevent repeated notificationsCACHE_DIR="/var/tmp/ssh_login_cache"CACHE_FILE="$CACHE_DIR/$REMOTE_IP"mkdir -p "$CACHE_DIR"find "$CACHE_DIR" -type f -mtime +1 -exec rm -f {} \; 2>/dev/null# Check if IP was notified in the last hourif [ -f "$CACHE_FILE" ]; then    LAST_LOGIN=$(cat "$CACHE_FILE")    TIME_DIFF=$((TIMESTAMP_SECONDS - LAST_LOGIN))    if [ "$TIME_DIFF" -lt 3600 ]; then        echo "[$TIMESTAMP] Login from IP $REMOTE_IP ignored (within 1 hour)." >> /var/log/ssh-login-notify.log        exit 0    fifi# Update cacheecho "$TIMESTAMP_SECONDS" > "$CACHE_FILE"# Create HTML emailcat << EOF > /tmp/ssh-login-message.txtSubject: SSH Login on $HOSTNAMEFrom: Server Notification <server@yourdomain.com>Reply-To: server@yourdomain.comDate: $DATEMessage-ID: <$MESSAGE_ID>MIME-Version: 1.0Content-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>SSH Login Notification</title></head><body style="font-family: Arial, sans-serif; background-color: #f4f4f9; margin: 0; padding: 20px; color: #333;">    <div style="max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; box-shadow: 0 2px 5px rgba(0,0,0,0.1); overflow: hidden;">        <div style="background-color: #2196F3; color: #ffffff; padding: 15px; text-align: center;">            <h1 style="margin: 0; font-size: 24px;">SSH Login Notification</h1>        </div>        <div style="padding: 20px;">            <p style="font-size: 16px; margin: 10px 0;"><strong>Host:</strong> $HOSTNAME</p>            <p style="font-size: 16px; margin: 10px 0;"><strong>User:</strong> $USERNAME</p>            <p style="font-size: 16px; margin: 10px 0;"><strong>Remote IP:</strong> $REMOTE_IP</p>            <p style="font-size: 16px; margin: 10px 0;"><strong>Time:</strong> $TIMESTAMP</p>        </div>        <div style="background-color: #f4f4f9; padding: 10px; text-align: center; font-size: 12px; color: #777;">            <p style="margin: 0;">This is an automated notification from your server.</p>        </div>    </div></body></html>EOF# Send emailif [ -f "/tmp/ssh-login-message.txt" ]; then    msmtp server@yourdomain.com < /tmp/ssh-login-message.txt >> /var/log/ssh-login-notify.log 2>&1    STATUS=$?    if [ $STATUS -eq 0 ]; then        echo "[$TIMESTAMP] SSH login notification sent successfully for IP $REMOTE_IP." >> /var/log/ssh-login-notify.log    else        echo "[$TIMESTAMP] Failed to send SSH login notification for IP $REMOTE_IP. Status: $STATUS." >> /var/log/ssh-login-notify.log    fi    rm -f /tmp/ssh-login-message.txtelse    echo "[$TIMESTAMP] Error: Could not create email message file for IP $REMOTE_IP." >> /var/log/ssh-login-notify.logfiexit 0

Save and exit `nano` (Ctrl+O, Enter, Ctrl+X). Make the script executable:

Code:

chmod +x /usr/local/bin/ssh-login-notify.sh

Step 3: Trigger the Script on SSH Login
Edit the PAM configuration using `nano`:

Code:

nano /etc/pam.d/sshd

Add this line at the end:

Code:

session optional pam_exec.so /usr/local/bin/ssh-login-notify.sh

Save and exit `nano` (Ctrl+O, Enter, Ctrl+X).

Step 4: Test and Monitor
Log in via SSH to test. Check the log file for debugging:

Code:

tail -f /var/log/ssh-login-notify.log

The script sends an HTML email with login details and caches IPs to avoid duplicate notifications within an hour. Replace `your_hostname` and `yourdomain.com` with your server's hostname and domain.

Let me know if you need help! :mrgreen:

Statistics: Posted by webxtek — Thu May 22, 2025 10:18 pm