The task is to send an email alert when an SSH login is made from an IP which is not whitelisted.
I will use Monit here. Install it:
root@jenkins-dev:/home/admin# apt update && apt -y install monit
Configure the email settings: the mail server (localhost, as we have a local exim here), the email format and the recipient.
Edit the /etc/monit/monitrc file:
...
set mailserver localhost
set mail-format {
from: Monit <monit@$HOST>
subject: monit alert -- $EVENT $SERVICE
message: $EVENT Service $SERVICE
Date: $DATE
Action: $ACTION
Host: $HOST
Description: $DESCRIPTION
Your faithful employee,
Monit
}
set alert user@example.com
Now add the rules file /etc/monit/conf.d/ssh_alerts.conf:
check file ssh_logins with path /var/log/auth.log
ignore match "/etc/monit/whitelist_ips.txt"
if match "Accepted publickey" then alert
See the Monit documentation on IGNORE MATCH and on mail-format for the details of both statements.
If password-based authentication is used instead of key-based, change “Accepted publickey” to “Accepted password”.
Now add the 1.1.1.1 IP to the /etc/monit/whitelist_ips.txt file; the real address(es) will be set after testing.
Restart the monit service:
root@jenkins-dev:/home/admin# systemctl restart monit
Check how it works: log in to the server:
12:50:21 [setevoy@setevoy-arch-work ~] $ sshjenkinsdev
...
admin@jenkins-dev:~$
Check Monit’s logs:
root@jenkins-dev:/home/admin# tail -f /var/log/monit.log
Stored in '/var/lib/monit/id'
[EET Mar 15 12:32:11] info : Starting Monit 5.20.0 daemon
[EET Mar 15 12:32:11] info : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:39:37] info : Monit daemon with pid [5074] stopped
[EET Mar 15 12:39:37] info : 'jenkins-dev' Monit 5.20.0 stopped
[EET Mar 15 12:40:28] info : Starting Monit 5.20.0 daemon
[EET Mar 15 12:40:28] info : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:50:28] error : 'ssh_logins' content match:
Mar 15 12:50:25 localhost sshd[5262]: Accepted publickey for admin from 194.***.***.26 port 33586 ssh2
[EET Mar 15 12:52:28] info : 'ssh_logins' content doesn't match
And an email:
Obviously, such an approach may be used for anything just by changing the if match conditions.
For example, I have one site which is inaccessible to everyone except myself, so I added another rule:
check file nginx_web_access with path /var/log/nginx/example.com-access.log
ignore match "/etc/monit/whitelist_ips.txt"
if match "GET" then alert
Here, on any GET request from an IP not added to the whitelist, I will get an email alert.
The /etc/monit/whitelist_ips.txt may look like this:
setevoy@rtfm-do-production:~$ cat /etc/monit/whitelist_ips.txt
194.***.***.26
188.***.***.48
One is the IP of my office network, the other is my home.
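To make the ignore-then-match logic of both rules above concrete, here is an added Python emulation (my own code, not part of the post or of Monit) that runs the same two-step check over constructed auth.log lines. The log lines, addresses and whitelist entries are made up; it also shows why a whitelist entry is better written as an escaped, anchored regex than as a bare dotted IP, since Monit reads each line of the ignore file as a POSIX extended regular expression.

```python
import re

# Constructed sample of /var/log/auth.log lines in the format the post shows.
AUTH_LOG = """\
Mar 15 12:50:25 localhost sshd[5262]: Accepted publickey for admin from 194.0.2.26 port 33586 ssh2
Mar 15 12:51:02 localhost sshd[5301]: Accepted publickey for admin from 203.0.113.7 port 40112 ssh2
Mar 15 12:51:40 localhost sshd[5333]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar 15 12:52:11 localhost sshd[5350]: Accepted password for deploy from 198.51.100.48 port 50021 ssh2
"""

# Constructed whitelist in the style of /etc/monit/whitelist_ips.txt, one regex per line.
# Dots are escaped and the entry is tied to sshd's "from <ip> port" text; a bare
# "1.1.1.1" entry would also match "11.1.1.10" because "." matches any character.
WHITELIST = r"""
from 194\.0\.2\.26 port
from 198\.51\.100\.48 port
"""


def load_ignore_patterns(text):
    """Compile the whitelist file the way `ignore match <path>` consumes it (blank lines skipped)."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def scan(log_text, whitelist_text, trigger="Accepted publickey"):
    """Return the log lines that would raise an alert: the IGNORE patterns are
    applied first, and only the remaining lines are tested against IF MATCH."""
    ignore = load_ignore_patterns(whitelist_text)
    trigger_re = re.compile(trigger)
    alerts = []
    for line in log_text.splitlines():
        if any(p.search(line) for p in ignore):
            continue  # whitelisted source, no alert
        if trigger_re.search(line):
            alerts.append(line)
    return alerts


if __name__ == "__main__":
    for hit in scan(AUTH_LOG, WHITELIST):
        print("ALERT:", hit)
```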
Done.