Monit: email alerting on an SSH logins

By | 03/18/2019

The task is to send an email alert when SSH-login was made from a not whitelisted IPs.

Will use Monit here.

Install it:

[simterm]

root@jenkins-dev:/home/admin# apt update && apt -y install monit

[/simterm]

Configure email settings: set localhost (we have a local eximhere), email’s format and email’s receiver.

Edit the /etc/monit/monitrc file:

...
set mailserver localhost

set mail-format {
  from:    Monit <monit@$HOST>
  subject: monit alert --  $EVENT $SERVICE
  message: $EVENT Service $SERVICE
                Date:        $DATE
                Action:      $ACTION
                Host:        $HOST
                Description: $DESCRIPTION
           
           Your faithful employee,
           Monit
}
...
set alert [email protected]

Now add the rules file /etc/monit/conf.d/ssh_alerts.conf:

check file ssh_logins with path /var/log/auth.log
  ignore match "/etc/monit/whitelist_ips.txt"
  if match "Accepted publickey" then alert

Check the documentation about IGNORE here>>> and about email’s formatting – here>>>.

If instead of key-based authorization password-based is used – change “Accepted publickey” to “Accepted password“.

Now in the /etc/monit/whitelist_ips.txt file add the 1.1.1.1 IP – after testing will set a real one(s):

Restart the monitservice:

[simterm]

root@jenkins-dev:/home/admin# systemctl restart monit

[/simterm]

Check how it’s working – login to a server:

[simterm]

12:50:21 [setevoy@setevoy-arch-work ~]  $ sshjenkinsdev 
...
admin@jenkins-dev:~$

[/simterm]

Check Monit’s logs:

[simterm]

root@jenkins-dev:/home/admin# tail -f /var/log/monit.log 
 Stored in '/var/lib/monit/id'
[EET Mar 15 12:32:11] info     : Starting Monit 5.20.0 daemon
[EET Mar 15 12:32:11] info     : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:39:37] info     : Monit daemon with pid [5074] stopped
[EET Mar 15 12:39:37] info     : 'jenkins-dev' Monit 5.20.0 stopped
[EET Mar 15 12:40:28] info     : Starting Monit 5.20.0 daemon
[EET Mar 15 12:40:28] info     : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:50:28] error    : 'ssh_logins' content match:
Mar 15 12:50:25 localhost sshd[5262]: Accepted publickey for admin from 194.***.***.26 port 33586 ssh2
[EET Mar 15 12:52:28] info     : 'ssh_logins' content doesn't match

[/simterm]

And an email:

 

Obviously – such an approach may be used for anything just by changing the if match conditions.

For example – I have one site which is inaccessible for all excluding myself, so I added another rule:

check file nginx_web_access with path /var/log/nginx/example.com-access.log
  ignore match "/etc/monit/whitelist_ips.txt"
  if match "GET" then alert

Here on any GET-request from an IP not added to the white list – I’ll get an email alert.

The /etc/monit/whitelist_ips.txt may look like next:

[simterm]

setevoy@rtfm-do-production:~$ cat /etc/monit/whitelist_ips.txt
194.***.***.26
188.***.***.48

[/simterm]

Here is one IP of my job’s network and another one – my home.

Done.