Getting notified when someone logs into a server using SSH or Remote Desktop
I have a Mac mini server running OS X Lion Server 10.7.3. It pretty much runs unattended without problems. However, the server is under constant "attack" according to the logs. The firewall and security are holding up, it seems.
Is there any application/script that can send me an email whenever someone/anyone logs into the server using SSH, Admin Tools or ARD?
Since the machine runs unattended, headless in a datacenter in a different city, I'm concerned that someone may (through pure persistence) manage to crack a password or find a compromise on the system. Knowing I'll get alerted will put my mind at ease.
Solution 1:
Your best defence is always to turn off unnecessary services. If you're not using remote desktop: turn it off. If you're not using the HTTP or FTP servers: turn them off. Fewer services running, fewer points of entry for possible intruders to exploit.
Aside from locking it down, there are some free and open source products that are OS X friendly you can look at to do intrusion detection on your machine.
Snort
Though I haven't personally run it, I do have colleagues who know and trust it for intrusion detection. It's BSD-compatible so it makes it a good fit for OS X. Another upside to going with Snort is that it's available as a Homebrew package:
> brew info snort
snort 2.9.0.5
http://www.snort.org
Depends on: daq, libdnet, pcre
Not installed
https://github.com/mxcl/homebrew/commits/master/Library/Formula/snort.rb
==> Caveats
For snort to be functional, you need to update the permissions for /dev/bpf*
so that they can be read by non-root users. This can be done manually using:
sudo chmod 644 /dev/bpf*
or you could create a startup item to do this for you.
So you get a simplified path to installation and some trust in the fact that it ports well to OS X and runs there. With Homebrew installed you only need to do:
> brew install snort
And you're ready to get started with it.
Check out this Snort for OS X Lion Server setup guide that the Snort community provides to get started with rule writing for your OS X machine. That's a great document and, in addition to walking through installing Snort from source (which you don't need to do), it talks about all the things you should do to your OS X Lion Server instance to help protect it. If you install via Homebrew, start at Section 5 (page 13) in the PDF since you don't need to worry about installing it from source code.
Tripwire
I've run Tripwire on Linux machines to do rapid intrusion detection and alerting. It's effective but it's a bit of a beast to set up. It can perform actions when rules are matched against log files. Of course, a savvy hacker is going to know to disable Tripwire as soon as they break in so they don't end up with their session getting cut off.
The MacWorld hint talks about setting up Tripwire on OS X. It's not simple and the article ends with mentioning that it's not been tested.
Solution 2:
You can harden ssh and install denyhosts, sshguard, and Snort, Barnyard, Base and Swatch.
See these links for details:
https://discussions.apple.com/thread/3565475
https://discussions.apple.com/thread/4473229?tstart=0
- Turn off root and password logins:
vi /etc/sshd_config
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Then use
ssh-keygen
on the remote client to generate public/private keys that can be used to remotely log in to the server:
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub >> ~/.ssh/authorized_keys
- Install denyhosts and sshguard.
sudo port install denyhosts sshguard
sudo port load denyhosts
sudo port load sshguard
You can configure denyhosts to block all traffic, not just ssh traffic.
- Snort, with a world map of attacks:
https://discussions.apple.com/thread/4473229?tstart=0
Solution 3:
To directly answer the question posed: I have another script that emails me, again around midnight, if anyone successfully logs in via ssh.
#!/usr/bin/env bash
# Optional $1 is a date(1) option such as -v-1d (yesterday); it is deliberately
# left unquoted so that it disappears when the script is run without arguments.
mm=$(date $1 +%b)
dd=$(date $1 +%d)
dd=$(expr "$dd" + 0)          # drop the leading zero: "05" -> 5
if [ "$dd" -ge 10 ]
then
    dt="$mm $dd"              # syslog writes "Mar 15"
else
    dt="$mm  $dd"             # but pads single-digit days with a second space: "Mar  5"
fi
grep -E '(Accepted|SUCCEEDED)' /var/log/secure.log | grep -E -v '(my.ip.address|192.168.1)' | grep "$dt" >> /tmp/access_granted
/usr/bin/mail -E -s "Access granted" [email protected] < /tmp/access_granted
rm -f /tmp/access_granted
Edit the grep above to exclude your own fixed IP, if you want, and to use your email address. You can combine some of the code in my other answer to add failures for VNC.
Solution 4:
To expand a bit on Fail2ban, once it is set up and running I have a script that I run just before midnight that scrapes the logs and emails me what Fail2ban has been doing for the previous day.
The script is as follows and can be run from cron or a launchd plist.
#!/usr/bin/env bash
# Optional $1 is a date(1) option such as -v-1d (yesterday); it is deliberately
# left unquoted so that it disappears when the script is run without arguments.
mm=$(date $1 +%b)
dd=$(date $1 +%d)
dd=$(expr "$dd" + 0)          # drop the leading zero: "05" -> 5
if [ "$dd" -ge 10 ]
then
    dt="$mm $dd"              # syslog writes "Mar 15"
else
    dt="$mm  $dd"             # but pads single-digit days with a second space: "Mar  5"
fi
grep "$dt" /var/log/system.log | grep org.fail2ban | grep -v COMMAND > /tmp/fail2ban_deny
grep -E '(WARN|ERR|rotation|target)' /var/log/fail2ban.log | grep "$(date $1 +%Y-%m-%d)" >> /tmp/fail2ban_deny
grep TCP /var/log/ipfw.log | grep "$dt" >> /tmp/fail2ban_deny
grep VNC /var/log/secure.log | grep FAILED | grep "$dt" >> /tmp/fail2ban_deny
/usr/bin/mail -E -s "Fail2ban ipfw" [email protected] < /tmp/fail2ban_deny
rm -f /tmp/fail2ban_deny
You will obviously need to use the email address of your choice.
Setting up Fail2ban is a whole other issue. I've written extensively about it.
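The midnight-report scripts in Solutions 3 and 4 both hinge on matching the syslog date prefix correctly and on pulling only the interesting lines out of the log. The following is an added example, not code from any answer on this page, that factors those two pieces into testable functions and runs them over constructed sample log lines; the allow-list regex and the field layout of the sshd "Accepted" lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from any answer on this page: the syslog date prefix
# that the two report scripts build (single-digit days get a second space) and
# a parser that keeps only successful sshd logins for that day from untrusted hosts.

# Constructed sample of /var/log/secure.log lines (not real captures).
SAMPLE_LOG='Mar  5 02:14:07 mini sshd[4123]: Accepted publickey for admin from 203.0.113.9 port 51234 ssh2
Mar  5 03:20:11 mini sshd[4188]: Failed password for root from 198.51.100.77 port 40102 ssh2
Mar  5 09:01:45 mini sshd[4301]: Accepted password for backup from 192.168.1.20 port 50011 ssh2
Mar 15 09:01:45 mini sshd[4402]: Accepted publickey for admin from 198.51.100.4 port 50011 ssh2'

# syslog_date MON DAY -> "Mar  5" or "Mar 15", exactly as syslog writes it.
syslog_date() {
    local mm=$1
    local dd
    dd=$(expr "$2" + 0)              # drop a leading zero: "05" -> 5
    if [ "$dd" -ge 10 ]; then
        printf '%s %d' "$mm" "$dd"
    else
        printf '%s  %d' "$mm" "$dd"  # two spaces before days 1-9
    fi
}

# successful_logins DATE_PREFIX [ALLOW_REGEX] < log
# Prints "user ip method" for every sshd "Accepted" line on that day whose source
# address does not match ALLOW_REGEX (write dots as [.]: awk -v unescapes backslashes).
successful_logins() {
    awk -v dt="$1" -v allow="${2:-}" '
        index($0, dt " ") == 1 && /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted")  method = $(i + 1)
                else if ($i == "for")  user   = $(i + 1)
                else if ($i == "from") ip     = $(i + 1)
            }
            if (allow == "" || ip !~ allow) print user, ip, method
        }'
}

# Daily report over the sample; empty output means nothing to mail (mail -E skips empty bodies).
daily_report() {   # daily_report MON DAY [ALLOW_REGEX]
    printf '%s\n' "$SAMPLE_LOG" | successful_logins "$(syslog_date "$1" "$2")" "${3:-}"
}

if [ "${1:-}" = "--demo" ]; then
    daily_report Mar 05 '^192[.]168[.]1[.]'     # -> admin 203.0.113.9 publickey
fi
```

To use it for real, replace the sample with `successful_logins "$(syslog_date "$(date +%b)" "$(date +%d)")" '^192[.]168[.]1[.]' < /var/log/secure.log` and pipe the result into mail -E as the scripts above do.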