Send email on login. How?

[raindog308]

I have a system that serves as an ssh access point for my home network. It was a Linux system but I'm moving it to OpenBSD.

Only ssh is permitted and I am the only person who would login. In Linux, I used this technique so that an email was sent every time someone logged in:

http://blog.th-neumeier.de/2011/02/s...gin-using-pam/

Unfortunately, that relies on on PAM, which OpenBSD doesn't use.

I'm wondering how I can achieve the same thing in OpenBSD?

Some thoughts I've had:

- Maybe it's a better idea to have something watch the auth log or receives auth system logs and sends emails? Then of course I have to find that something and configure it.
- I honestly haven't spent a lot of time with syslog and could research to see if it can send email or call arbitrary scripts.
- I could do this as part of my user .profile or as part of /etc/profile

I'm sure some security graybeard will come along and tell me why this is all silly and not adding to my security and that's fine, too :-)

[frcc]

My opinion if I understand you is:

Configure pf.conf to screen or filter users or source addresses using table.
You can limit login's from the network only or network and outside IP address's.
You can limit login's as well from certain users.

OpenBSD "suggests" that pf is the preferred method for filtering/screening than
using SSH.

Once set up in pf you can view log files as and when desired.

OpenBSD FAQ, man SSH, man SSHd, man pf should help you.

Also, take a look at setting up auto jobs in CRON if desired, if you don't use pf.

[e1-531g]

Quote:

Originally Posted by frcc

OpenBSD "suggests" that pf is the preferred method for filtering/screening than
using SSH.

But how pf would differentiate between unsuccessful login attempt or successful login attempt?
I know pf can be used against port scanning and some resource exhausting behaviors of malicious bots, but does it know whether login was successful?

[frcc]

Quote:

Originally Posted by e1-531g

But how pf would differentiate between unsuccessful login attempt or successful login attempt?
I know pf can be used against port scanning and some resource exhausting behaviors of malicious bots, but does it know whether login was successful?

Depending on the posters intention (which i am not exactly clear on)

He can use the "log" syntax in Pf which will create a log for any
blocked/dropped/passed packet he chooses. Packet filtering would pre-emt
any SSH login attempt based on his filter rules.

Also, the "table" syntax can be used to quickly determine sources to
be accepted or rejected in route to an SSH port.

One can filter users in SSH but if I remember correctly OpenBSD recommends performing
filtering in Pf. Also, OpenBSD points to using "table" as the fastest method of looking up those
sources that one wishes to filter if that number is significant.

The user can then audit Pf logs/failed login attemps or some other means of audit such as a
script of some sort possibly using CRON.

One could also use host (allow deny) but again OpenBSD recommends using Pf as its perferred
method.

I apologize if I am not understanding the posters intent, but if I want to filter almost anything
it would start with Pf, logs, and system logs.

[PapaParrot]

Maybe I am misunderstanding as well, but any way, I would look at
"login.conf"

Code:

 man login.conf

and then also the:

Code:

$ man motd

Quote:

MOTD(5) File Formats Manual MOTD(5)

NAME
motd - message of the day

Code:

# Authpf accounts get a special motd and shell
#
authpf:\
	:welcome=/etc/motd.authpf:\
	:shell=/usr/sbin/authpf:\
	:tc=default:

Instead of, or as well as displaying a welcome message, maybe a command to send a e-mail could be added ?

Does the OP know about the "last" command ?

Code:

man last

Quote:

LAST(1) General Commands Manual LAST(1)

NAME
last - indicate last logins of users, ttys, and hosts
=============
DESCRIPTION
The last utility will either list the sessions of specified users, ttys,
and hosts, in reverse time order, or list the users logged in at a
specified snapshot date and time in reverse time order. Each line of
output contains the user name, the tty from which the session was
conducted, any hostname, the start and stop times for the session, and
the duration of the session. If the session is still continuing or was
cut short by a crash or shutdown, last will so indicate.

The options are as follows:

-c Calculates the total time displayed and prints it after the
output.

-d date Specify the snapshot date and time. All users logged in at
the snapshot date and time will be reported. This may be used
with the -f option to derive the results from stored wtmp
files. When this argument is provided, all other options
except for -f and -n are ignored. The argument should be in
the form "[[[CC]YY]MMDD]hhmm[.SS]" where each pair of letters
represents the following:

I use it quite a bit to see who and when the last person to login to the server is/was. But I have never felt a need to have it (the system) send me a e-mail every time I or someone else logs in. How ever it might be possible to write some kind of script that sends the "snapshot" to a e-mail address , or something .
It sounds to me like that is all the OP wants, is that a e-mail is sent to them when someone does login, so for example if some one logged it as the admin, somehow, the OP would receive a e-mail showing that, but it still does not make much sense to me, if the OP is the only one that will be logging in, nobody else will be logging in, it does not make sense to me why they need a e-mail to tell them they logged in.
If the OP can clarify better exactly what it is they need or want to do, it would help.
====edited=====
I found this, but it is for Linux, how ever it does not require "PAM", : https://www.vultr.com/docs/enable-ss...ation-on-linux

Quote:

Open the file ~/.bashrc in a text editor.

Append the following lines:

Code:

IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")

echo 'Someone from '$IP' logged into '$HOSTNAME' on '$NOW'.' | mail -s 'SSH Login Notification' YOUR_EMAIL_ADDRESS

The other thing, for example on my system, I am using ksh, instead of bash, there is no "bash" on my system, but it seems to me like the script could be modified for csh or ksh, depending,... or maybe you do use bash ?
I just now found this, and am not even sure this is what the OP is actually wanting, it seems like it is, any way, I have not had a chance to try modifying the script, there may be someone more expert then me that could help there, if it is what the OP wants to do.

[PapaParrot]

Experimented with the script, ended up putting it in my ~/.profile and it seems to work,
I just tried on a "localhost" situation, and it does send me a e-mail notice:
/home/garry/.profile

Code:

# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
PS1='Enter your command: '
IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")
echo 'Someone from '$IP' logged into '$HOSTNAME' on '$NOW'.' | mail -s 'SSH Login Notification' garry@garry.garry.org

Quote:

from: garry <garry@garry.garry.org>
To: garry@garry.garry.org
Subject: SSH Login Notification

Someone from 127.0.0.1 logged into garry.garry.org on 30 Jun 2018, Sat 09:10:51 PM.

I am not positive this is what the OP is looking for though.
========== edit
I also tried it on my server, and used my regular e-mail address at a external e-mail service,
works great, sent me a e-mail, including the ip I logged in with.

Quote:

I'm sure some security graybeard will come along and tell me why this is all silly and not adding to my security and that's fine, too :-)

As far as security goes, it does nothing to improve security, if your security is good, you do not need to worry about any one besides you, or who ever is authorized logging in.
By the time you check your e-mail, who ever logged in would have done what they want to do and logged out again.
But any way, you would have a e-mail letting you know they logged in,... and you would then also know you had a security problem, it would be better just to make sure it is secure, and nobody else besides you can gain ssh access and login

[e1-531g]

Quote:

Originally Posted by frcc

He can use the "log" syntax in Pf which will create a log for any
blocked/dropped/passed packet he chooses. Packet filtering would pre-emt
any SSH login attempt based on his filter rules.

Also, the "table" syntax can be used to quickly determine sources to
be accepted or rejected in route to an SSH port.

But IP address can:
1. change
2. be spoofed

IMHO granting access just by having IP address isn't enough. SSH uses cryptography to authenticate users.
PF is good for blocking port scanning, DoS or small DDoS attacks, though.

[frcc]

e1-531g
I agree SSH IS the place for authentication if the traffic can get there.
Yes IP, and users CAN be spoofed.

As yet, we are not clear on the posters intention.
Does he want to obtain info on SSH logins/attempts because he monitors firewall activity?
Does he want to monitor/limit/be notified of SSH traffic from LAN/NET?
Does he want to limit himself as the only SSH user excluding others from inside or outside LAN/NET?
Does he simply want an email for any/all SSH logins?

I don't know.

GaryR ---- nice thinking ( I learn here)

Anyway, one could simply open a terminal window, initiate Tcpdump showing live traffic on port 22 or any other or all.

my 2 bits

[e1-531g]

Quote:

Originally Posted by GarryR

As far as security goes, it does nothing to improve security, if your security is good, you do not need to worry about any one besides you, or who ever is authorized logging in.
By the time you check your e-mail, who ever logged in would have done what they want to do and logged out again.
But any way, you would have a e-mail letting you know they logged in,... and you would then also know you had a security problem, it would be better just to make sure it is secure, and nobody else besides you can gain ssh access and login

I don't think so. It's best to not be hacked, but nevertheless it is good to know somebody hacked your OS. Usually you can't prevent against all consequences of being pwned, but you can:
1. See how it was done
2. Reinstall or reimage OS to state before pwning taken place and harden OS/infrastructure against being pwned again using info gathered in previous action
3. Inform your customers, change their passwords or keys. General data protection regulation (for those who run a business in EU or process data of EU customers) actually requires to inform your customers.

[jggimi]

Quote:

Originally Posted by e1-531g

2. be spoofed

Quote:

Originally Posted by frcc

Yes IP...

For UDP, yes. But for TCP, not quite. Packets might be injected by an attacker, but the attacker obtaining the response isn't possible without the attacker also being in control of a device along the response route path of the spoofed address.

[e1-531g]

Quote:

Originally Posted by jggimi

For UDP, yes. But for TCP, not quite. Packets might be injected by an attacker, but the attacker obtaining the response isn't possible without the attacker also being in control of a device along the response route path of the spoofed address.

Also hijacking IP address/subnet at BGP level is going to work.
Maybe some MitM attacks when adversary and victim are on the same LAN network and LAN network is not well protected or at least monitored.
Anyway IP addresses provided by ISPs usually are changing from time to time, so in this case OP would need to allow not one, particular IP address but some subnet containing a lot of IP addresses.

[jggimi]

Quote:

...at BGP level...

That would then be "in control of a device along the response route path."

[raindog308]

Quote:

Originally Posted by GarryR

As far as security goes, it does nothing to improve security, if your security is good, you do not need to worry about any one besides you, or who ever is authorized logging in.
By the time you check your e-mail, who ever logged in would have done what they want to do and logged out again.
But any way, you would have a e-mail letting you know they logged in,... and you would then also know you had a security problem, it would be better just to make sure it is secure, and nobody else besides you can gain ssh access and login

Whether it improves security or not is a bit theoretical. It's more intrusion detection. If someone logs in, I get an email - I'd rather get an email and know I was hacked than never know.

Of course, there are other attack scenarios - nothing is a global silver bullet.

The specifics since I wasn't very clear:

- if you ssh to my home, you land on an OpenBSD ssh server. I do change the port my router forwards just to slow down how much garbage is logged from skiddies, though of course changing the port doesn't improve security per se.
- that server already has pf rules that only permit logins from certain systems on the Internet
- it only allows ssh keys, not passwords
- all other normal security measures: services turned off, good passwords, etc.

Adding email notification is a bit of icing.

[PapaParrot]

Ok, I understand, Does the script I showed do what you want ?

Or do you need something more, that shows anyone the logs in, not just as "you", but other users or services ?
In your first post you said it was just you ,

Quote:

Only ssh is permitted and I am the only person who would login. In Linux, I used this technique so that an email was sent every time someone logged in:

I have been doing some searches, and there is a lot of information, but what is not clear, exactly what you want the e-mail that gets sent to contain.
For example, if you want to get a e-mail notice , if and when someone logs in as root,
you can do that, but it opens a can of worms since there are services that the system uses, and they log in as root, you end up getting a huge amount of e-mails,....
I am not any expert at all, but if some expert wanted to help you configure the system to send e-mail notices, that can be done, however they would need a more clear description as to what the notices should contain.

Here are some links that might help you:
https://ftp.openbsd.org/pub/OpenBSD/...rtable/INSTALL
===========
https://en.wikipedia.org/wiki/BSD_Authentication

Quote:

BSD Authentication, otherwise known as BSD Auth, is an authentication framework and software API employed by OpenBSD and accompanying software such as OpenSSH. It originated with BSD/OS, and although the specification and implementation were donated to the FreeBSD project by BSDi, OpenBSD chose to adopt the framework in release 2.9. Pluggable Authentication Modules (PAM) serves a similar purpose on other operating systems such as Linux, FreeBSD and NetBSD.

======================
https://man.openbsd.org/authenticate.3
========================
https://man.openbsd.org/login_radius.8
==============
There is a lot more, use the keywords:

Code:

BSD auth for OpenBsd

In a search engine, you should get quite a few results.

[frcc]

Nice work/research GaryR
I like learning, and experiencing different ways of skinning the cat.
Hope the word "cat" didn't frighten the parrots!

[PapaParrot]

I have been looking at this, https://serverfault.com/questions/32...messages-to-me

But there is some things I am not understanding:

Quote:

Notifications via syslogd(8)

On my OpenBSD server, I log and email important messages from my web applications, which use facility local1. Here is my /etc/syslog.conf to make it happen:

Code:

local1.err    /var/log/example.com
local1.err    |while read log; do echo "$log" | /usr/bin/mail -s SYSLOG me@example.com; done

I am not sure what the facility is, does that need to be created, or for example, using localhost, would it be "local0.err" ? The other thing :/var/log/example.com
What should "example.com" be, is that a file I create, using my host name as the file name ?
If it was me, I would want it to only send me the "authlog", and nothing else.
The "authlog" shows when ever anyone/anything succeeds logging in, so it seems like that would be a good one to receive by e-mail, to see when someone logged in.
How ever based on the example in the above link, it does not work for me.

[IdOp]

Quote:

Originally Posted by GarryR

I am not sure what the facility is, does that need to be created, or for example, using localhost, would it be "local0.err" ?

Fortunately, you don't have to create the facility.

The facilities, such as local1, are pre-defined within the syslog system. A good place to start reading about them is the configuration file man page syslog.conf(5).

So, programs (often daemons) will use syslog to log various messages they have, and use the existing facilities to log to, at various logging levels which are used to distinguish the importance of the message. If the program is well-documented the man page (or other material) should explain what facility it uses and what kind of things it sends at a given level. Not all programs may do this clearly (they may after all not be part of the OS), in which case as user you have to do more detective work to find what you want.

[PapaParrot]

Ok, thanks, I had looked at syslog.conf(5), but missed where it says about facilities but now I see it.