在阿里云上买了一台ecs,因为没有太多安全措施,密码修改得也不频繁,最近不注意的时候发现被攻破了,在机器上挖矿了很久阿里发了短信通知让我整改。阿里有被攻击通知的功能,不过需要付费,心想这也不是啥很有门槛的功能就自己查资料写了一个ssh登录登出时通知个人邮箱的脚本。
vim /usr/local/bin/ssh_login_notify.sh
bash#!/bin/bash
# 设置邮件发送参数
TO="xx@email.com"
USER="$PAM_USER"
HOST="$(hostname)"
TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S %Z')"
# Get location info from IP without using jq
IP_INFO=$(curl -s "https://ipinfo.io/$PAM_RHOST?token=5f9bc54basasa")
CITY=$(echo $IP_INFO | sed -n 's/.*"city": "\([^"]*\)".*/\1/p')
REGION=$(echo $IP_INFO | sed -n 's/.*"region": "\([^"]*\)".*/\1/p')
COUNTRY=$(echo $IP_INFO | sed -n 's/.*"country": "\([^"]*\)".*/\1/p')
LOC=$(echo $IP_INFO | sed -n 's/.*"loc": "\([^"]*\)".*/\1/p')
ORG=$(echo $IP_INFO | sed -n 's/.*"org": "\([^"]*\)".*/\1/p')
POSTAL=$(echo $IP_INFO | sed -n 's/.*"postal": "\([^"]*\)".*/\1/p')
TIMEZONE=$(echo $IP_INFO | sed -n 's/.*"timezone": "\([^"]*\)".*/\1/p')
# Convert current time to remote timezone
REMOTE_TIMESTAMP=$(TZ=$TIMEZONE date '+%Y-%m-%d %H:%M:%S %Z')
LOCATION="City: $CITY, Region: $REGION, Country: $COUNTRY, Coordinates: $LOC, Organization: $ORG, Postal: $POSTAL, Timezone: $TIMEZONE"
if [ "$PAM_TYPE" = "open_session" ]; then
SUBJECT="SSH Login Notification"
MESSAGE="User $USER logged in to $HOST from $PAM_RHOST ($LOCATION) at $TIMESTAMP ($REMOTE_TIMESTAMP)."
elif [ "$PAM_TYPE" = "close_session" ]; then
SUBJECT="SSH Logout Notification"
MESSAGE="User $USER from $PAM_RHOST ($LOCATION) has logged out of $HOST at $TIMESTAMP ($REMOTE_TIMESTAMP)."
else
exit 0
fi
# 发送邮件
echo "$MESSAGE" | mail -s "$SUBJECT" "$TO"
提示
token 、TO 参数需要替换为自己的,mailx需自行安装并配置好。
sudo chmod +x /usr/local/bin/ssh_session_notify.sh
编辑PAM配置文件 /etc/pam.d/sshd,确保添加了 pam_exec 行来调用你的脚本。
vim# Add these lines to /etc/pam.d/sshd session optional pam_exec.so /usr/local/bin/ssh_session_notify.sh
bashsudo systemctl restart sshd
本文作者:severloh
本文链接:
版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!