Monit: email alerting on an SSH logins

By | 03/18/2019

The task is to send an email alert when SSH-login was made from a not whitelisted IPs.

Will use Monit here.

Install it:

root@jenkins-dev:/home/admin# apt update && apt -y install monit

Configure email settings: set localhost (we have a local eximhere), email’s format and email’s receiver.

Edit the /etc/monit/monitrc file:

set mailserver localhost

set mail-format {
  from:    Monit <monit@$HOST>
  subject: monit alert --  $EVENT $SERVICE
  message: $EVENT Service $SERVICE
                Date:        $DATE
                Action:      $ACTION
                Host:        $HOST
                Description: $DESCRIPTION
           Your faithful employee,
set alert

Now add the rules file /etc/monit/conf.d/ssh_alerts.conf:

check file ssh_logins with path /var/log/auth.log
  ignore match "/etc/monit/whitelist_ips.txt"
  if match "Accepted publickey" then alert

Check the documentation about IGNORE here>>> and about email’s formatting – here>>>.

If instead of key-based authorization password-based is used – change “Accepted publickey” to “Accepted password“.

Now in the /etc/monit/whitelist_ips.txt file add the IP – after testing will set a real one(s):

Restart the monitservice:

root@jenkins-dev:/home/admin# systemctl restart monit

Check how it’s working – login to a server:

12:50:21 [setevoy@setevoy-arch-work ~]  $ sshjenkinsdev

Check Monit’s logs:

root@jenkins-dev:/home/admin# tail -f /var/log/monit.log
Stored in '/var/lib/monit/id'
[EET Mar 15 12:32:11] info     : Starting Monit 5.20.0 daemon
[EET Mar 15 12:32:11] info     : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:39:37] info     : Monit daemon with pid [5074] stopped
[EET Mar 15 12:39:37] info     : 'jenkins-dev' Monit 5.20.0 stopped
[EET Mar 15 12:40:28] info     : Starting Monit 5.20.0 daemon
[EET Mar 15 12:40:28] info     : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:50:28] error    : 'ssh_logins' content match:
Mar 15 12:50:25 localhost sshd[5262]: Accepted publickey for admin from 194.***.***.26 port 33586 ssh2
[EET Mar 15 12:52:28] info     : 'ssh_logins' content doesn't match

And an email:


Obviously – such an approach may be used for anything just by changing the if match conditions.

For example – I have one site which is inaccessible for all excluding myself, so I added another rule:

check file nginx_web_access with path /var/log/nginx/
  ignore match "/etc/monit/whitelist_ips.txt"
  if match "GET" then alert

Here on any GET-request from an IP not added to the white list – I’ll get an email alert.

The /etc/monit/whitelist_ips.txt may look like next:

setevoy@rtfm-do-production:~$ cat /etc/monit/whitelist_ips.txt

Here is one IP of my job’s network and another one – my home.