Learn Pentesting like a Pro!


Sysadmin tricks: Get an alert when users log in

pentesting.academy

Mar 4, 2021

On critical machines where users rarely log in through SSH or run su to become superuser, we can use PAM module configuration to receive an alert whenever a user logs into that machine or escalates privileges to root.

Two options here:

  • /etc/pam.d/su: To receive alerts every time a user becomes root

  • /etc/pam.d/sshd: To receive alerts every time a user logs in successfully to this machine

Whatever option you choose, you will have to add the following line at the end of that file.

session optional pam_exec.so /usr/local/bin/mail-login.php

The script mail-login.php looks pretty simple:

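#!/usr/bin/php
<?php
// shell_exec() returns the full command output as a string;
// system() would echo it and return only the last line.
mail("YOUR@EMAIL.COM", "login successful", "User: ".shell_exec("id")."\n\nIP: ".shell_exec("w -h | awk '{print $3}'")."\n\n".shell_exec("last"));
exit(0);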
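A variant of the same hook as a POSIX shell script, added here as an example and not the post's own code: it reads the PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE variables that pam_exec exports, alerts only when a session opens, and strips unsafe characters before they reach the mail subject. The function names are hypothetical, the address is the post's placeholder, and a working mail command is assumed.

```shell
#!/bin/sh
# Added example: pam_exec session hook. pam_exec exports PAM_USER, PAM_RHOST,
# PAM_SERVICE, PAM_TTY and PAM_TYPE to the command it runs.
ALERT_TO="YOUR@EMAIL.COM"   # placeholder, same as in the post

# Keep only characters that are safe in a mail header or log line.
clean() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:@/-'
}

# Session modules run at login and at logout; alert on login only.
should_alert() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# One-line subject built from the PAM environment.
alert_subject() {
    user=$(clean "${PAM_USER:-unknown}")
    svc=$(clean "${PAM_SERVICE:-unknown}")
    # su has no remote host, so fall back to the terminal name.
    src=$(clean "${PAM_RHOST:-${PAM_TTY:-local}}")
    printf '%s session opened for %s from %s on %s' \
        "$svc" "$user" "$src" "$(uname -n)"
}

alert_body() {
    printf 'User: %s\nService: %s\nRemote host: %s\nTTY: %s\nTime: %s\n' \
        "$(clean "${PAM_USER:-}")" "$(clean "${PAM_SERVICE:-}")" \
        "$(clean "${PAM_RHOST:-}")" "$(clean "${PAM_TTY:-}")" \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
}

# Acts only when pam_exec invoked it for a new session; a mail failure
# is ignored so it never produces an error status for the PAM stack.
if should_alert; then
    alert_body | mail -s "$(alert_subject)" "$ALERT_TO" || true
fi
```

Because the module is listed as session optional, a failing alert does not block the login, so delivery of these mails should be monitored separately.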
