Make your *nix server alert you with email or sms messages on invalid login attempts

If you run a private server, or just one that not many people should log into, this is a very useful hack for your Linux or *nix server. The idea is to be alerted when there is a break-in attempt on your server. It's actually not much work, but it took me a bit of research to find the answer, so now that I have got it working on my server I thought I'd share this friendly little hack. This will allow me to know when people are trying to log in to my server; mine happens to be a private server, so if I'm not logging in then it's someone else. This technique only alerts you when a person uses the wrong username/password combination. Successful logins do not trigger an alert, but that's OK for my needs, since most attempts to access a server result in a person using the wrong username or password. Enough background, on with the hack.

NOTE: You must have a preconfigured mail server set up before doing this. This tutorial will NOT cover setting up a mail server; there is plenty of documentation on the internet to help you do that.

Edit the /etc/pam.d/common-auth file

Open the file any way you wish to edit it and make these changes:

Find the line that mentions pam_deny.so.

Put this on the line RIGHT BEFORE it, no exceptions. If there is already something on the line before it, add a new line:


auth [default=ignore] pam_exec.so seteuid /usr/bin/alert

Now we need to change these two lines:


auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

They may not be exact, but look for the lines with pam_unix.so and pam_winbind.so.

Now change the success=2 to success=3.
Also change success=1 to success=2.

NOTE: If you want this script to alert you on successful logins as well as invalid ones, do not change either of those numbers.

Now save that file.

Now make the file /usr/bin/alert

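Also navigate to the folder and run


chmod 755 alert

You may have to use sudo or su depending on the system; in that case run


sudo chmod 755 alert

PAM runs this script as root, so it must not be writable by other users. Mode 755 lets everyone execute it but lets only the owner change it.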

OK, now it is time to open that file and edit it. This is the file that is called on a failed login (and also on a successful one, if you took the steps to keep successful logins), so we now need to add the code that will email or text-message our phone.

In the alert file we add this:


#!/bin/bash
# requires: date, sendmail, mktemp
# Append the line in $2 to the file named in $1
function fappend {
    echo "$2" >> "$1"
}
YYYYMMDD=$(date +%Y%m%d)

# SETTINGS
# Change this to your email
TOEMAIL="you@youremail.com"
# This is the from email; change it to your local email address
FREMAIL="admin@yourdomain.com"
# This is the subject; leave it alone or change it to whatever you want
SUBJECT="Server Breakin!"
# This is the actual message to send
MSGBODY="Add some message here"


# DON'T CHANGE ANYTHING BELOW
# The script runs as root, so let mktemp create the temp file with an
# unpredictable name instead of using a guessable path in /tmp.
TMP=$(mktemp /tmp/tmpfil_123.XXXXXX) || exit 0

fappend "$TMP" "From: $FREMAIL"
fappend "$TMP" "To: $TOEMAIL"
fappend "$TMP" "Reply-To: $FREMAIL"
fappend "$TMP" "Subject: $SUBJECT"
fappend "$TMP" ""
fappend "$TMP" "$MSGBODY"
fappend "$TMP" ""
fappend "$TMP" ""
# sendmail -t reads the recipients from the headers written above
/usr/sbin/sendmail -t < "$TMP"
rm -f "$TMP"

exit 0

You can just copy and paste this into the alert file, then change a few things:

TOEMAIL: Change this to the email address you want the alert sent to. If you want to send it to your phone, do this: send an email from your mobile phone to your own email address; the message doesn't matter. When you log in to your email you will see it and can get the return address to send one back to your phone. In my case I use Cricket, so I set this to 5092222798@sms.cricket.com (note I changed it, so don't try to call me), which allows it to send the email message directly to my phone.

FREMAIL: This is the address the email shows as its sender. You should already have an email server set up to do this, so you should know what this address is; it should be something like root@mydomain.com.

SUBJECT: This can be anything you want, or you can leave it as is. It is simply the subject of the email.

MSGBODY: This is the actual message to send. We can include anything we want in the message, although a message that is too long may not be received by some phones.
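As an added example (not part of the original script), MSGBODY can be built from the PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY environment variables that pam_exec exports to the script, so the alert says who tried to log in and from where. The helper names clean and build_msgbody are hypothetical; because the username in a failed login is chosen by whoever is connecting, the values are stripped of control characters and the result is kept within one 160-character SMS.

```bash
#!/bin/bash
# Added example: build a short alert body from the variables pam_exec exports.
# clean and build_msgbody are hypothetical helper names.

# Keep only printable ASCII and at most $2 characters (default 32), so a
# remote-supplied username cannot put newlines or control characters in the mail.
clean() {
    printf '%s' "$1" | LC_ALL=C tr -cd '[:print:]' | cut -c1-"${2:-32}"
}

build_msgbody() {
    user=$(clean "${PAM_USER:-unknown}" 32)
    rhost=$(clean "${PAM_RHOST:-local}" 64)
    service=$(clean "${PAM_SERVICE:-unknown}" 16)
    tty=$(clean "${PAM_TTY:-none}" 16)
    # Trim the finished message to a single 160-character SMS.
    printf 'Login alert on %s: user=%s from=%s via=%s tty=%s' \
        "$(uname -n)" "$user" "$rhost" "$service" "$tty" | cut -c1-160
}

# Demo with constructed values (203.0.113.7 is a documentation address).
( PAM_USER='admin' PAM_RHOST='203.0.113.7' PAM_SERVICE='sshd' PAM_TTY='ssh'
  build_msgbody; echo )

# In /usr/bin/alert the two functions go above the SETTINGS block and the
# fixed text is replaced with:
#   MSGBODY=$(build_msgbody)
```

Only the message body takes these values here; the From, To and Subject headers stay fixed strings from the SETTINGS block.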

And that's it. Save the file and test it out. You can test it by running the command


./alert

Or you can log in to your server over ssh, ftp, or whatever way you want, using the wrong username or password, and you should get an email or SMS message.
