The task is to send an email alert when SSH-login was made from an IP which is now whitelisted.
Will use Monit here.
Install it:
root@jenkins-dev:/home/admin# apt update && apt -y install monit
Configure email settings: set localhost (we have a local exim here), email’s format and email’s receiver.
Edit the /etc/monit/monitrc file:
...
set mailserver localhost
set mail-format {
from: Monit <monit@$HOST>
subject: monit alert -- $EVENT $SERVICE
message: $EVENT Service $SERVICE
Date: $DATE
Action: $ACTION
Host: $HOST
Description: $DESCRIPTION
Your faithful employee,
Monit
}
set alert user@example.com
Now add the rules file /etc/monit/conf.d/ssh_alerts.conf:
check file ssh_logins with path /var/log/auth.log
ignore match "/etc/monit/whitelist_ips.txt"
if match "Accepted publickey" then alert
Check the documentation about IGNORE here>>> and about email’s formatting – here>>>.
If instead of key-based authorization password-based is used – change “Accepted publickey” to “Accepted password“.
Now in the /etc/monit/whitelist_ips.txt file add the 1.1.1.1 IP – after testing will set a real one(s):
Restart the monitservice:
root@jenkins-dev:/home/admin# systemctl restart monit
Check how it’s working – login to a server:
12:50:21 [setevoy@setevoy-arch-work ~] $ sshjenkinsdev
...
admin@jenkins-dev:~$
Check Monit’s logs:
root@jenkins-dev:/home/admin# tail -f /var/log/monit.log
Stored in '/var/lib/monit/id'
[EET Mar 15 12:32:11] info : Starting Monit 5.20.0 daemon
[EET Mar 15 12:32:11] info : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:39:37] info : Monit daemon with pid [5074] stopped
[EET Mar 15 12:39:37] info : 'jenkins-dev' Monit 5.20.0 stopped
[EET Mar 15 12:40:28] info : Starting Monit 5.20.0 daemon
[EET Mar 15 12:40:28] info : 'jenkins-dev' Monit 5.20.0 started
[EET Mar 15 12:50:28] error : 'ssh_logins' content match:
Mar 15 12:50:25 localhost sshd[5262]: Accepted publickey for admin from 194.***.***.26 port 33586 ssh2
[EET Mar 15 12:52:28] info : 'ssh_logins' content doesn't match
And an email:
Obviously – such an approach may be used for anything just by changing the if match conditions.
For example – I have one site which is inaccessible for all excluding myself, so I added another rule:
check file nginx_web_access with path /var/log/nginx/example.com-access.log
ignore match "/etc/monit/whitelist_ips.txt"
if match "GET" then alert
Here on any GET-request from an IP not added to the white list – I’ll get an email alert.
The /etc/monit/whitelist_ips.txt may look like next:
setevoy@rtfm-do-production:~$ cat /etc/monit/whitelist_ips.txt
194.***.***.26
188.***.***.48
Here is one IP of my job’s network and another one – my home.
Done.
Similar posts
- 03/06/2019 Prometheus: blackbox-exporter probe_http_status_code == 0 and its debug (0)
- 03/10/2019 Prometheus: RTFM blog monitoring set up with Ansible – Grafana, Loki, and promtail (0)
- 02/07/2019 Grafana Labs: Loki – distributed system, labels and filters (0)
- 06/11/2018 Prometheus: AWS EC2 service discovery (0)
Top comments (0)