编辑
2024-08-08
网络安全
00
请注意,本文编写于 704 天前,最后修改于 360 天前,其中某些信息可能已经过时。
  • 背景

在阿里云上买了一台ecs,因为没有太多安全措施,密码修改得也不频繁,最近不注意的时候发现被攻破了,在机器上挖矿了很久阿里发了短信通知让我整改。阿里有被攻击通知的功能,不过需要付费,心想这也不是啥很有门槛的功能就自己查资料写了一个ssh登录登出时通知个人邮箱的脚本。

  • 通知脚本

vim /usr/local/bin/ssh_login_notify.sh

bash
#!/bin/bash # 设置邮件发送参数 TO="xx@email.com" USER="$PAM_USER" HOST="$(hostname)" TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S %Z')" # Get location info from IP without using jq IP_INFO=$(curl -s "https://ipinfo.io/$PAM_RHOST?token=5f9bc54basasa") CITY=$(echo $IP_INFO | sed -n 's/.*"city": "\([^"]*\)".*/\1/p') REGION=$(echo $IP_INFO | sed -n 's/.*"region": "\([^"]*\)".*/\1/p') COUNTRY=$(echo $IP_INFO | sed -n 's/.*"country": "\([^"]*\)".*/\1/p') LOC=$(echo $IP_INFO | sed -n 's/.*"loc": "\([^"]*\)".*/\1/p') ORG=$(echo $IP_INFO | sed -n 's/.*"org": "\([^"]*\)".*/\1/p') POSTAL=$(echo $IP_INFO | sed -n 's/.*"postal": "\([^"]*\)".*/\1/p') TIMEZONE=$(echo $IP_INFO | sed -n 's/.*"timezone": "\([^"]*\)".*/\1/p') # Convert current time to remote timezone REMOTE_TIMESTAMP=$(TZ=$TIMEZONE date '+%Y-%m-%d %H:%M:%S %Z') LOCATION="City: $CITY, Region: $REGION, Country: $COUNTRY, Coordinates: $LOC, Organization: $ORG, Postal: $POSTAL, Timezone: $TIMEZONE" if [ "$PAM_TYPE" = "open_session" ]; then SUBJECT="SSH Login Notification" MESSAGE="User $USER logged in to $HOST from $PAM_RHOST ($LOCATION) at $TIMESTAMP ($REMOTE_TIMESTAMP)." elif [ "$PAM_TYPE" = "close_session" ]; then SUBJECT="SSH Logout Notification" MESSAGE="User $USER from $PAM_RHOST ($LOCATION) has logged out of $HOST at $TIMESTAMP ($REMOTE_TIMESTAMP)." else exit 0 fi # 发送邮件 echo "$MESSAGE" | mail -s "$SUBJECT" "$TO"

提示

tokenTO 参数需要替换为自己的,mailx需自行安装并配置好。

  • 确保脚本可执行

sudo chmod +x /usr/local/bin/ssh_session_notify.sh

  • 配置PAM:

编辑PAM配置文件 /etc/pam.d/sshd,确保添加了 pam_exec 行来调用你的脚本。

vim
# Add these lines to /etc/pam.d/sshd session optional pam_exec.so /usr/local/bin/ssh_session_notify.sh
  • 重启sshd服务
bash
sudo systemctl restart sshd

本文作者:severloh

本文链接:

版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!