LinuxQuestions.org
Old 07-16-2015, 01:38 PM   #1
tearsforhari
Member
 
Registered: Mar 2015
Posts: 79

How to send email alerts when someone logs onto server?


Hello. I am running Ubuntu 12.04.5 on a server. I just took over as admin and made myself root. Every time I log in, I get two identical email messages to an external email that someone logged in to the server. Can someone tell me where this command is set up? I already checked my .bashrc as root and looked around in the /etc/ssh dir. Thank You.
 
Old 07-16-2015, 02:07 PM   #2
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Hello!

That is a hard question to answer since nobody but the former admin really knows how the mailing was set up.

But... here's how I would start. The e-mails are automated, and contain the same text I assume?
So, that text (the body of the message) is probably somewhere in the filesystem.

You could use grep to search recursively, like so:
Code:
grep -iRnH "some text from body of e-mail" /*
(Beware, this will take a loooooong time!)

If you find THAT, then you have at least the first piece of the puzzle.

Good luck!
HMW
 
Old 07-16-2015, 02:46 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Have a look in $HOME/.ssh/authorized_keys for entries like so:
Code:
command="/path/to/some/command " ssh-rsa ....
That command="/path/to/some/command " could actually be mailing silently.
 
Old 07-16-2015, 03:29 PM   #4
tearsforhari
Member
 
Registered: Mar 2015
Posts: 79

Original Poster
The text message I get from the email is:
User tears just logged in to MachineName from 149.37.212.221

Not a whole lot to go on.

Habitual: I looked at /root but did not find a file called authorized keys.
 
Old 07-16-2015, 04:03 PM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Quote:
Originally Posted by tearsforhari
Habitual: I looked at /root but did not find a file called authorized keys.
Check /home/tears/.ssh/authorized_keys
 
Old 07-16-2015, 06:30 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,842

What shell are you using?

I seem to remember that tcsh, zsh had a way to monitor logins like that, in which case it will be in the rc file for the shell.
 
Old 07-17-2015, 05:19 AM   #7
AnanthaP
Member
 
Registered: Jul 2004
Location: Chennai, India
Distribution: UBUNTU 5.10 since Jul-18,2006 on Intel 820 DC
Posts: 889

I would also look at all files in /etc/rc* (various folders corresponding to run levels). Mostly these are script files and you can view them with vi in read mode.

OK
 
Old 07-17-2015, 05:57 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,842

Quote:
Originally Posted by AnanthaP
I would also look at all files in /etc/rc* (various folders corresponding to run levels). Mostly these are script files and you can view them with vi in read mode.

OK
Not in many current systems using systemd as they don't exist.
 
Old 07-17-2015, 10:28 AM   #9
tearsforhari
Member
 
Registered: Mar 2015
Posts: 79

Original Poster
Well I found it in one place. But I am wondering why I get two, duplicate emails?

Code:
>more /etc/ssh/sshrc
ip=`echo $SSH_CONNECTION | cut -d " " -f 1`
myHost=MachineName

logger -t ssh-wrapper $USER login from $ip
echo "User $USER just logged in to $myHost from $ip" | mail -s "SSH Login $myHost" root

Last edited by tearsforhari; 07-17-2015 at 10:33 AM.
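
The locations suggested in this thread (shell rc files, authorized_keys forced commands) and /etc/ssh/sshrc, where the hook turned up, can be checked in one pass instead of a filesystem-wide grep. This is an added example, not code from any poster; the file list, the mail-command pattern and the function names are assumptions chosen for illustration.

```sh
# Added example: triage the files that run at SSH login for mail commands.
# Pass a root directory to scan a copy or mounted image; default is the live system.
MAIL_RE='(^|[^[:alnum:]_])(mail|mailx|sendmail|mutt)([^[:alnum:]_]|$)'

# find_login_mailers [ROOT] -> prints "path:line:text" for every hit
find_login_mailers() {
    r="${1:-}"; r="${r%/}"
    # 1. Hooks that sshd and login shells execute: sshrc, per-user rc, profile files.
    grep -EnHs "$MAIL_RE" \
        "$r"/etc/ssh/sshrc "$r"/etc/profile "$r"/etc/profile.d/* \
        "$r"/etc/bash.bashrc "$r"/etc/csh.login "$r"/etc/zsh/zshrc \
        "$r"/root/.ssh/rc "$r"/home/*/.ssh/rc \
        "$r"/root/.profile "$r"/root/.bashrc "$r"/root/.bash_profile \
        "$r"/home/*/.profile "$r"/home/*/.bashrc "$r"/home/*/.bash_profile \
        || true
    # 2. Forced commands: every command="..." option, whether it mentions mail or not.
    grep -nHs 'command="' \
        "$r"/root/.ssh/authorized_keys "$r"/home/*/.ssh/authorized_keys || true
    # 3. PAM session hooks that run a program at login.
    grep -nHs 'pam_exec' "$r"/etc/pam.d/* || true
}

# Constructed sample tree (not a real host): the sshrc lines from this thread,
# a forced command in authorized_keys, and a harmless .bashrc.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/home/tears/.ssh"
    cat > "$d/etc/ssh/sshrc" <<'EOF'
ip=`echo $SSH_CONNECTION | cut -d " " -f 1`
myHost=MachineName
logger -t ssh-wrapper $USER login from $ip
echo "User $USER just logged in to $myHost from $ip" | mail -s "SSH Login $myHost" root
EOF
    printf 'command="/path/to/some/command " ssh-rsa AAAA-constructed tears@example\n' \
        > "$d/home/tears/.ssh/authorized_keys"
    printf 'export EDITOR=vi  # webmail bookmarks live elsewhere\n' > "$d/home/tears/.bashrc"
    echo "$d"
}

sample=$(make_sample_root)
find_login_mailers "$sample"
rm -rf "$sample"
```

The mail pattern is a triage filter and will also flag comments or paths such as mail.log; each hit still needs to be read.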
 
Old 07-17-2015, 02:30 PM   #10
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,842

Check for an alias for root. Sometimes there are two entries there - one for filing for root to read, and one for the admin. If root also has a .forward file, it would then cause you to get two messages.
 
Old 07-17-2015, 03:16 PM   #11
tearsforhari
Member
 
Registered: Mar 2015
Posts: 79

Original Poster
Well, I don't see anything in /etc/aliases, do you?

Code:
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: tears
tears: tears@companyname.com
In /root and /home/administrator, I do not see a .forward file either.

If I delete /etc/sshrc, I no longer get any emails. But if I recreate it, I get two emails again. So, the two emails are definitely stemming from the sshrc.
 
Old 07-17-2015, 04:18 PM   #12
Aia
Member
 
Registered: Jun 2006
Posts: 66

You are in Ubuntu. Are you sudoing? If so, check the /etc/sudoers.
Look for something similar to:
Quote:
mailto "domain_email"
mail_always on
 
Old 07-17-2015, 04:41 PM   #13
tearsforhari
Member
 
Registered: Mar 2015
Posts: 79

Original Poster
The sudoer file is pretty empty:

Code:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
On this point, my account is added as a sudoer; but I do not see it listed above. The way I added myself was by the following command:

Code:
sudo adduser tears sudo
This allows me to sudo, but I am confused as to why it isn't in the sudoer file. I know that I can add it to the file directly, though.

Could this be related to the double email problem?
 
Old 07-17-2015, 06:20 PM   #14
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,842

Quote:
Originally Posted by tearsforhari
Well, I don't see anything in /etc/aliases, do you?

Code:
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: tears
tears: tears@companyname.com
In /root and /home/administrator, I do not see a .forward file either.

If I delete /etc/sshrc, I no longer get any emails. But if I recreate it, I get two emails again. So, the two emails are definitely stemming from the sshrc.
There are two possibilities:
Code:
root: tears
tears: tears@companyname.com
But not sure how it gets doubled.

Just noticed it also sends to the system log via "logger". Rsyslog (not sure if it is being used) can be configured to send mail as well. It LOOKS like it would cause the messages to have a different format with the same information though.

Last edited by jpollard; 07-17-2015 at 06:24 PM.
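
The alias check suggested above can be done mechanically by expanding an alias to its final recipients and counting them. This is an added example, not code from any poster: a simplified expander that handles plain "name: a, b" entries only (no :include:, pipes or files), with resolve_alias and sample_aliases as names made up here and an excerpt of the posted /etc/aliases as sample input.

```sh
# Added example: expand an alias from an aliases(5)-style file to final recipients.
# resolve_alias NAME [FILE] -> one recipient per line, duplicates preserved
resolve_alias() {
    awk -v start="$1" '
        function expand(name,    t, n, parts, i) {
            t = tolower(name)
            # Terminal: not an alias, or already being expanded higher up (self-reference).
            if (!(t in map) || (t in onpath)) { print name; return }
            onpath[t] = 1
            n = split(map[t], parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") expand(parts[i])
            }
            delete onpath[t]
        }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            c = index($0, ":"); if (c == 0) next
            key = tolower(substr($0, 1, c - 1)); gsub(/[ \t]/, "", key)
            map[key] = substr($0, c + 1)
        }
        END { expand(start) }
    ' "${2:-/etc/aliases}"
}

# Excerpt of the /etc/aliases posted in this thread, written to a temp file.
sample_aliases() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
security: root
root: tears
tears: tears@companyname.com
EOF
    echo "$f"
}

a=$(sample_aliases)
resolve_alias root "$a"            # -> tears@companyname.com
resolve_alias mailer-daemon "$a"   # -> tears@companyname.com
rm -f "$a"
```

For the posted entries, root expands to a single address; more than one output line for root on a real host would point to alias fan-out.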
 
  

