The task is to send an email alert when SSH-login was made from a not whitelisted IPs.
Will use Monit here.
Install it:
[simterm]
root@jenkins-dev:/home/admin# apt update && apt -y install monit
[/simterm]
Configure email settings: set localhost (we have a local eximhere), email’s format and email’s receiver.
Edit the /etc/monit/monitrc file:
...
set mailserver localhost
set mail-format {
from: Monit <monit@$HOST>
subject: monit alert -- $EVENT $SERVICE
message: $EVENT Service $SERVICE
Date: $DATE
Action: $ACTION
Host: $HOST
Description: $DESCRIPTION
Your faithful employee,
Monit
}
...
set alert [email protected]
Now add the rules file /etc/monit/conf.d/ssh_alerts.conf:
check file ssh_logins with path /var/log/auth.log ignore match "/etc/monit/whitelist_ips.txt" if match "Accepted publickey" then alert
Check the documentation about IGNORE here>>> and about email’s formatting – here>>>.
If instead of key-based authorization password-based is used – change “Accepted publickey” to “Accepted password“.
Now in the /etc/monit/whitelist_ips.txt file add the 1.1.1.1 IP – after testing will set a real one(s):
Restart the monitservice:
[simterm]
root@jenkins-dev:/home/admin# systemctl restart monit
[/simterm]
Check how it’s working – login to a server:
[simterm]
12:50:21 [setevoy@setevoy-arch-work ~] $ sshjenkinsdev ... admin@jenkins-dev:~$
[/simterm]
Check Monit’s logs:
[simterm]
root@jenkins-dev:/home/admin# tail -f /var/log/monit.log Stored in '/var/lib/monit/id' [EET Mar 15 12:32:11] info : Starting Monit 5.20.0 daemon [EET Mar 15 12:32:11] info : 'jenkins-dev' Monit 5.20.0 started [EET Mar 15 12:39:37] info : Monit daemon with pid [5074] stopped [EET Mar 15 12:39:37] info : 'jenkins-dev' Monit 5.20.0 stopped [EET Mar 15 12:40:28] info : Starting Monit 5.20.0 daemon [EET Mar 15 12:40:28] info : 'jenkins-dev' Monit 5.20.0 started [EET Mar 15 12:50:28] error : 'ssh_logins' content match: Mar 15 12:50:25 localhost sshd[5262]: Accepted publickey for admin from 194.***.***.26 port 33586 ssh2 [EET Mar 15 12:52:28] info : 'ssh_logins' content doesn't match
[/simterm]
And an email:
Obviously – such an approach may be used for anything just by changing the if match conditions.
For example – I have one site which is inaccessible for all excluding myself, so I added another rule:
check file nginx_web_access with path /var/log/nginx/example.com-access.log ignore match "/etc/monit/whitelist_ips.txt" if match "GET" then alert
Here on any GET-request from an IP not added to the white list – I’ll get an email alert.
The /etc/monit/whitelist_ips.txt may look like next:
[simterm]
setevoy@rtfm-do-production:~$ cat /etc/monit/whitelist_ips.txt 194.***.***.26 188.***.***.48
[/simterm]
Here is one IP of my job’s network and another one – my home.
Done.
