Alert when connecting to SSH

    Based on the results of this question.

    As a rule, with standard settings, establishing an SSH connection produces no alert on the server side. An attacker can take advantage of this: while you are quietly reading Habr, sensitive data may already be leaving your computer. The problem is easy to fix.

    When the connection is established, the script /etc/ssh/sshrc is executed, and it is impossible to prevent this from the client side. Create a separate alert script and put the command to run it in /etc/ssh/sshrc:

    /usr/local/alert/start.sh
    

    The script displays a message with the important information via the notify-osd package and plays a siren that attracts attention:

    #!/bin/bash
    export DISPLAY=:0
    notify-send "Security Warning" "SSH Connection Established with \"$USER\" $(echo $SSH_CONNECTION | sed 's/\(.*\) \(.*\) \(.*\) \(.*\)/from \1:\2 to \3:\4/')" -u critical -i /usr/local/alert/icon.png
    play /usr/local/alert/sound.wav > /dev/null 2>&1
    

    Here we first set the current display so that notify-osd works correctly, then show a message with an icon and critical urgency, using the environment variables $USER (current user) and $SSH_CONNECTION (connection data, which we convert to a readable form with a sed regular expression). After that, we play the siren.

    Here you can also add sending a message by e-mail (using sendmail) or Jabber (using sendxmpp).

    For installation, you can simply unzip the contents of this archive to the root of the file system (this operation will erase the previous contents of sshrc!).

    Do not forget to also install the necessary packages; on Ubuntu this is done like this:

    sudo apt-get install libnotify-bin sox
    

    UPD #1: At the suggestion of users bliznezz and Inflame, the script can be modified:

    #!/bin/sh
    export DISPLAY=:0
    notify-send "Security Warning" "Occurred Login as user \"$USER\" $(echo $SSH_CONNECTION $SSH_TTY | sed 's/\(.*\) \(.*\) \(.*\) \(.*\) \(.*\)/using SSH connection at \5 from \1:\2 to \3:\4/')" -u critical -i /usr/local/alert/icon.png
    aplay -q /usr/local/alert/sound.wav
    

    And also add this code to /root/.bashrc:

    unset SSH_CONNECTION
    /usr/local/alert/start.sh
    

    Now the script will also signal when the shell starts as root.

    UPD #2: User neperap also noticed that if a file ~/.ssh/rc exists in the user's home directory on the server, it will be executed and the warning system will not work. Also, for correct execution, these scripts should not output text to the console.
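
    As an added example (not part of the original article), the following POSIX shell function audits for the ~/.ssh/rc condition described in UPD #2: it lists the accounts whose rc file would run in place of /etc/ssh/sshrc. The function name find_user_rc, its optional root-prefix argument and the sample accounts are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# sshd runs ~/.ssh/rc INSTEAD of /etc/ssh/sshrc when the user file exists,
# so the alert hook is skipped for those accounts. This lists them.

# find_user_rc PASSWD_FILE [ROOT]
#   PASSWD_FILE  passwd-format file (name:pw:uid:gid:gecos:home:shell)
#   ROOT         optional path prefix (hypothetical argument, for auditing a
#                mounted image or the constructed tree in demo below)
# Prints "user<TAB>path" per hit. Returns 0 = none, 1 = found, 2 = error.
find_user_rc() {
    passwd_file=$1
    root=${2:-}
    found=0
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 2; }
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $name in ''|'#'*) continue ;; esac   # blank line or comment
        [ -n "$home" ] || continue                # account without a home
        rc_path="$root$home/.ssh/rc"
        # -L also flags a symlink whose target is currently missing
        if [ -e "$rc_path" ] || [ -L "$rc_path" ]; then
            printf '%s\t%s\n' "$name" "$rc_path"
            found=1
        fi
    done < "$passwd_file"
    return "$found"
}

# Constructed sample data: two accounts, only "bob" has an rc file.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob/.ssh"
    : > "$tmp/home/bob/.ssh/rc"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'bob:x:1001:1001::/home/bob:/bin/sh' > "$tmp/passwd"
    find_user_rc "$tmp/passwd" "$tmp"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

if demo; then
    echo "no user rc files found"
else
    echo "user rc files found: those logins skip /etc/ssh/sshrc"
fi
```

    On a live server, call find_user_rc /etc/passwd as root. OpenSSH's sshd_config also has a PermitUserRC option; setting it to no stops sshd from executing ~/.ssh/rc.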
