

Sysadmin tricks: Get an alert when users log in
On critical machines where users rarely log in through SSH or run su to become superuser, we can use PAM module configuration to receive an alert whenever a user logs into that machine or escalates privileges to root.
Two options here:
/etc/pam.d/su: To receive alerts every time a user becomes root
/etc/pam.d/sshd: To receive alerts every time a user successfully logs in to this machine
Whatever option you choose, you will have to add the following line at the end of that file.
session optional pam_exec.so /usr/local/bin/mail-login.php
The script mail-login.php looks pretty simple:
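#!/usr/bin/php
<?php
// system() echoes the command output and returns only its last line; shell_exec() returns all of it.
$id   = shell_exec("id");
$ip   = shell_exec("w -h | awk '{print $3}'");
$last = shell_exec("last");
mail("YOUR@EMAIL.COM", "login successful", "User: ".$id."\n\nIP: ".$ip."\n\n".$last);
exit(0);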
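
A variant of the same hook as a shell script, added here as an example and not part of the original post: pam_exec exports PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE to the command it runs, so the alert can name the account and source host directly and fire only when a session opens. The function names and the ALERT_TO variable are assumptions, and a working mail command is assumed.

```shell
#!/bin/sh
# Added example: pam_exec session hook that builds the alert from PAM_* variables.
# ALERT_TO is a placeholder address; should_alert, clean and format_alert
# are hypothetical helper names, not part of PAM.
ALERT_TO="${ALERT_TO:-YOUR@EMAIL.COM}"

# A "session" line triggers the command on open_session and on close_session.
# Alert only when the session opens and a user name is present.
should_alert() {
    [ "${PAM_TYPE:-}" = "open_session" ] && [ -n "${PAM_USER:-}" ]
}

# Strip control characters (CR and LF included) so a value such as
# PAM_RHOST cannot add extra lines to the mail body or subject.
clean() {
    printf '%s' "$1" | tr -d '\000-\037\177'
}

# One line per field, taken from the environment pam_exec provides.
format_alert() {
    printf 'Service: %s\n'     "$(clean "${PAM_SERVICE:-unknown}")"
    printf 'User: %s\n'        "$(clean "${PAM_USER:-unknown}")"
    printf 'Remote host: %s\n' "$(clean "${PAM_RHOST:-local}")"
    printf 'TTY: %s\n'         "$(clean "${PAM_TTY:-none}")"
}

# Send the alert; "|| true" keeps a mail failure from changing the exit status.
if should_alert; then
    format_alert | mail -s "login: $(clean "$PAM_USER")" "$ALERT_TO" || true
fi
```

Installed in place of mail-login.php, the same `session optional pam_exec.so` line applies with the path changed to this script.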