Keeping Tabs on Successful Logins


There are a number of things that any sysadmin should be doing (or is already doing) to keep tabs on the systems they manage. One of the things that I do which is quite simple (read: quick and dirty) is having my server send me a message anytime a user logs into the server. I just pop the following line at the top of /etc/profile to do that:

echo "`whoami` logged in at `date`" | mail -s "`hostname` login" youraddress@example.com

The resulting message would look like this:

root logged in at Wed Dec 16 16:39:37 UTC 2009

It’s not fancy or sophisticated by any stretch of the imagination. Moving your SSH port, limiting access to that port via your packet filter, and disabling interactive authentication are among the options for tightening up SSH access so that an unwanted login doesn’t happen in the first place... but what if? :)

My systems do not see very many interactive logins (and they better be me) so the resulting emails are not a burden on my inbox. But if somebody did manage to get a shell on my server, I should see an email giving me a heads u
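A slightly sturdier variant of the /etc/profile one-liner above, as an added example that is not the post author's code: it also reports the SSH source address and terminal, and it sends the mail in the background so a missing or slow mailer cannot hold up a login. The function names and the NOTIFY_ADDR variable are assumptions made for this example.

```shell
# Added example: drop-in for /etc/profile (or a file sourced from it).
# NOTIFY_ADDR and the function names are assumptions, not from the post.
NOTIFY_ADDR="youraddress@example.com"

# Build the message text. The body runs in a subshell "( )" so its
# variables do not leak into the user's login environment.
# $1=user  $2=SSH_CONNECTION value (empty on console)  $3=tty  $4=timestamp
login_notice_body() (
    user=$1 conn=$2 tty_name=$3 when=$4
    if [ -n "$conn" ]; then
        # sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port"
        src=${conn%% *}
    else
        src="local"
    fi
    printf '%s logged in at %s from %s on %s\n' "$user" "$when" "$src" "$tty_name"
)

send_login_notice() (
    # Never block or break a login because mail is missing or slow.
    command -v mail >/dev/null 2>&1 || exit 0
    tty_name=$(tty 2>/dev/null) || tty_name="unknown"
    login_notice_body "$(whoami)" "${SSH_CONNECTION:-}" "$tty_name" "$(date)" |
        mail -s "$(hostname) login" "$NOTIFY_ADDR" >/dev/null 2>&1 &
)

# Only notify for interactive shells.
case $- in
    *i*) send_login_notice ;;
esac
```

Because /etc/profile is read only by login shells, this covers interactive logins; sessions that never start a login shell still have to be picked up from the system's authentication logs.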


3 responses to “Keeping Tabs on Successful Logins”

  1. If you copy/paste your example, it doesn’t work because the double-quotes are not actually double-quotes…

    This is what it should be: echo “`whoami` logged in at `date`”|mail -s “`hostname` login” youraddress@example.com

  2. Errr… forget it, it’s your Blog engine… It converts double-quotes to curly quotes when you submit the text. Might want to change that if you’re often pasting code like this…