Email sysadmin on every login from a new IP address
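#!/bin/bash
##
## New IP login notification script
## 2009-11-20 00:28 Samuele ~redShadow~ Santi
## 2018-06-04 12:53 ElliotNB
## 2018-10-17 17:55 ElliotNB - bug fixes for non-interactive sessions and `sudo su` commands
## Licensed under GPL
##
## This script will email the contact specified below whenever
## a user logs into the system from a new IP address. The email will contain the
## username, IP address and geolocation info for the login as well as current system
## stats (running processes, other logged in users, network connections, etc).
##
## Tested on RHEL6 and RHEL7.
##
## Installation:
## - Install GeoIP (ver 1.6+) and mutt (ver 1.5+) -- dnf install mutt GeoIP GeoIP-devel
## - Copy and paste this script into /etc/profile.d/notify.sh
##
## NOTE: because this file lives in /etc/profile.d it is *sourced* into every login
## shell. It must therefore never call `exit`, `set -e` or install an EXIT trap --
## those would act on the user's shell rather than on this script -- and it must
## not assume any exit status is checked for it. Failures of the helper commands
## below are tolerated; the worst case is a missing or incomplete notification.
##
## Configuration:
NOTIFY_ADDR="[email protected]"
FROM_ADDR="[email protected]"
LOG_USER="$( whoami )"
LOG_DATE="$( date "+%Y-%m-%d %H:%M:%S" )"
OUT_WHO="$( who )"
# SSH_CLIENT is "<client ip> <client port> <server port>" and is set by sshd;
# keep only the first field. Empty when the session did not arrive over SSH.
LOG_IP="${SSH_CLIENT%% *}"
if [[ -n "$LOG_IP" ]]; then
  FULL_GEO_LOC="$( geoiplookup "${LOG_IP}" )"
  # Short form for the subject line: drop the first five fields of the second
  # output line (the city-level database entry) and join what is left.
  GEO_LOC="$( printf '%s\n' "${FULL_GEO_LOC}" | awk '{$1=$2=$3=$4=$5=""; print $6 $7 $8 $9 $10}' | sed -n 2p )"
else
  FULL_GEO_LOC="Unknown"
  GEO_LOC="Unknown"
fi
# Only act for an interactive shell (PS1 set) whose client IP we could capture;
# non-interactive sessions and `sudo su` shells fall through silently.
if [[ -n "$PS1" && -n "$LOG_IP" ]]; then
  # Has this user already logged in from this IP according to wtmp? The IP is
  # matched as a fixed, whole-word string so that the dots are not regex
  # wildcards and 10.0.0.1 does not match 10.0.0.10 or 110.0.0.1.
  if ! last "$LOG_USER" -i | grep -v still | grep -qFw -- "$LOG_IP"; then
    # Collect the attachments in a private, unpredictable directory. Fixed names
    # such as /tmp/netstat.txt are world-readable and can be pre-created or
    # symlinked by any other local user, and these files hold the full process
    # and socket listings of the host.
    NOTIFY_TMP="$( mktemp -d )"
    if [[ -n "$NOTIFY_TMP" && -d "$NOTIFY_TMP" ]]; then
      netstat -ln > "${NOTIFY_TMP}/netstat-listen.txt"
      netstat -n > "${NOTIFY_TMP}/netstat.txt"
      ps afux > "${NOTIFY_TMP}/processes.txt"
      who > "${NOTIFY_TMP}/who.txt"
      # The here-doc body is deliberately unindented: it is the literal email text.
      (
      cat <<EOF
------------------------------------------------------------------------
LOGIN NOTIFICATION
------------------------------------------------------------------------
Host: $(hostname)
User: ${LOG_USER}
IP: ${LOG_IP}
Date: ${LOG_DATE}
$(date)
Uptime: $(uptime)
Geo/Host Info:
${FULL_GEO_LOC}
--- Logged in users ----------------------------------------------------
${OUT_WHO}
------------------------------------------------------------------------
Attaching other relevant system data.
EOF
      ) | /usr/bin/mutt -s "[LOGIN] $(hostname) ${LOG_USER} login from ${LOG_IP} [${GEO_LOC}] " \
        -e "my_hdr From: ${FROM_ADDR}" \
        -a "${NOTIFY_TMP}/netstat-listen.txt" -a "${NOTIFY_TMP}/netstat.txt" \
        -a "${NOTIFY_TMP}/processes.txt" -a "${NOTIFY_TMP}/who.txt" \
        -- "${NOTIFY_ADDR}"
      # Explicit cleanup (no EXIT trap, see the note above); ':?' guards against
      # an empty path ever reaching rm.
      rm -rf -- "${NOTIFY_TMP:?}"
    fi
    unset NOTIFY_TMP
  fi
fi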
Do you know how I can adapt this to include a check for the user being in the sudoers file and only sending the email if they are?