
Triggering an email alert when someone logs in to a Linux server


At present, customers can only take remedial action after discovering that data or a virtual machine has been maliciously compromised, or that a user's mistaken operation has caused data loss; there is no way to get an early warning. With a PAM module, however, a notification can be sent by email whenever a user logs in or obtains root privileges, so that the event is known and can be acted on early and the scope of the impact is reduced. The following shows how to implement email notification of user logins with a PAM module.


1. Create the script (/tmp/ssh/login_notify.sh). Note: the script can be stored anywhere on the server, but the path must then be specified correctly in the following steps.

[root@hlmcen75n1-gen-um waagent]# cat /tmp/ssh/login_notify.sh 
#!/bin/bash
# Run by pam_exec for every session event; react only when a session is opened, not closed.
[ "$PAM_TYPE" = "open_session" ] || exit 0
# Build the mail body from the PAM_* variables that pam_exec exports into the environment.
{
    echo "User: $PAM_USER"
    echo "Ruser: $PAM_RUSER"
    echo "Rhost: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: $(date)"
    echo "Server: $(uname -a)"
} | mail -s "$(hostname -s) $PAM_SERVICE login: $PAM_USER" [email protected]   # recipient address: replace with your own


2. Give the script (/tmp/ssh/login_notify.sh) execute permission

[root@hlmcen75n1-gen-um ~]# chmod +x /tmp/ssh/login_notify.sh


3. Edit the file /etc/pam.d/sshd and append one line at the end of the file: session optional pam_exec.so debug /bin/bash /tmp/ssh/login_notify.sh

[root@hlmcen75n1-gen-um waagent]# cat /etc/pam.d/sshd 
#%PAM-1.0
auth       required    pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
session optional pam_exec.so debug /bin/bash /tmp/ssh/login_notify.sh


4. From this point on, every user login sends a notification email to the recipient, containing the user name and the IP address the login came from. If an unfamiliar IP appears, take note: this is how to judge whether the virtual machine is under attack. An example of the email follows:


5. In the same way, you can apply the script above to other files under /etc/pam.d/, such as sudo and login, to monitor those as well.
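As an added example (not the script from the original post), the following pam_exec hook generalizes steps 1, 4 and 5: it keeps the original message fields, but only mails when the session comes from a host outside a trusted-hosts list, and it always reports sessions that have no remote host (console login, su, sudo). The trusted-hosts file path, the recipient address and the use of the mail command are assumptions to adapt.

```shell
#!/bin/sh
# Added example (not the script from the original post): a pam_exec session
# hook that mails a notice only when the login does not come from a trusted
# host. Assumptions (placeholders to adapt): TRUSTED_HOSTS_FILE, RECIPIENT and
# that the "mail" command is installed. pam_exec exports PAM_TYPE, PAM_USER,
# PAM_RUSER, PAM_RHOST, PAM_SERVICE and PAM_TTY into our environment.

TRUSTED_HOSTS_FILE="${TRUSTED_HOSTS_FILE:-/etc/login_notify/trusted_hosts}"
RECIPIENT="${RECIPIENT:-admin@example.com}"   # placeholder recipient

# 0 when $1 exactly matches a line of the trusted-hosts file. An empty host
# (console login, su, sudo) is never trusted, so local privilege gains are
# always reported.
is_trusted_host() {
    [ -n "$1" ] || return 1
    [ -r "$TRUSTED_HOSTS_FILE" ] || return 1
    grep -Fxq -- "$1" "$TRUSTED_HOSTS_FILE"
}

# 0 when this invocation should mail: session opens only (not closes), and
# only from hosts that are not on the list.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 1
    ! is_trusted_host "${PAM_RHOST:-}"
}

# Subject "<host> <service> login: <user>", as in the original script.
subject() {
    printf '%s %s login: %s\n' "$(uname -n)" "${PAM_SERVICE:-unknown}" "${PAM_USER:-unknown}"
}

# Body; an absent PAM_RHOST is shown as "local" rather than left blank.
build_notice() {
    printf 'User: %s\n'    "${PAM_USER:-unknown}"
    printf 'Ruser: %s\n'   "${PAM_RUSER:-}"
    printf 'Rhost: %s\n'   "${PAM_RHOST:-local}"
    printf 'Service: %s\n' "${PAM_SERVICE:-unknown}"
    printf 'TTY: %s\n'     "${PAM_TTY:-}"
    printf 'Date: %s\n'    "$(date)"
    printf 'Server: %s\n'  "$(uname -a)"
}

main() {
    should_notify || return 0
    build_notice | mail -s "$(subject)" "$RECIPIENT"
}

# pam_exec always sets PAM_TYPE; without it we are only being sourced, so do nothing.
if [ -n "${PAM_TYPE:-}" ]; then main; fi
```

Install it outside /tmp (for example under /usr/local/sbin) and reference that path from the pam_exec line, since /tmp is periodically cleaned on many distributions.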


Reference link: https://docs.azure.cn/zh-cn/articles/azure-operations-guide/virtual-machines/linux/aog-virtual-machines-linux-security-reinforce
