I would like to be notified about each SSH connection to the Linux (Debian) server.
Already saw some methods, which proposed to add mail command into own .bashrc, but this approach seems not to cover all possible cases.
What is the best practice to make such transversal notifications about SSH connections ?
Since you clarified that you want an email for each successful authentication, pam_notify is a great candidate module for this.
Add it as a session required line at the end of your /etc/pam.d/sshd or equivalent file.

The best practice is don't unless you REALLY have to (the security of this machine is THAT critical).
If you REALLY have to, you don't want to muck about with shell .rc files that people can change - that's a half-baked solution.
The Right Way is probably to use the audit facilities built into Linux (see the man pages for auditd, and its configuration file auditd.conf), but I have very limited experience with the audit facilities in Linux (in particular I'm not sure the audit subsystem makes it easy to send emails -- I know you can on FreeBSD without too much trouble though).

The less-right-but-still-decent way would be to use a PAM module that always succeeds and kicks out an email saying who tried to log in.
The least-right-but-at-least-your-inbox-isn't-full way would be to batch up your auth.log file or equivalent and email it to someone every night. If all you need is a basic record this would be my choice: the volume of email generated from my other suggestions would be heinous on a system with lots of activity.

You can monitor your /var/log/auth.log periodically, or even better make it remote logging so an attacker cannot wipe out the trace of successful logins.
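The PAM approach recommended in the answers above (a session module that always succeeds and sends an email) can be implemented with the standard pam_exec module, which exports PAM_TYPE, PAM_USER, PAM_RHOST and PAM_SERVICE to the script it runs. The script below is an added example, not code from any answer or from pam_notify; the install path /usr/local/sbin/ssh-login-notify.sh, the recipient and the use of the local mail command are assumptions. It reports only open_session events for sshd and never fails the login if mail delivery fails.

```shell
#!/bin/sh
# Added example: PAM session hook that mails on every successful SSH login.
# Assumed wiring, appended to /etc/pam.d/sshd (path of this script is assumed):
#   session optional pam_exec.so /usr/local/sbin/ssh-login-notify.sh
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST and PAM_SERVICE to the script.

ADMIN_MAIL="${ADMIN_MAIL:-root}"   # assumed recipient; override via environment

# should_notify TYPE SERVICE: only session opens (not closes) for sshd count.
should_notify() {
    [ "$1" = "open_session" ] && [ "$2" = "sshd" ]
}

# build_message TYPE USER RHOST SERVICE: compose the notification body.
build_message() {
    printf 'SSH login on %s\nUser: %s\nFrom: %s\nService: %s\nTime: %s\n' \
        "$(uname -n)" "$2" "${3:-unknown}" "$4" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# notify_from_pam_env: entry point when invoked by pam_exec; reads PAM_* vars.
notify_from_pam_env() {
    should_notify "${PAM_TYPE:-}" "${PAM_SERVICE:-}" || exit 0
    build_message "$PAM_TYPE" "$PAM_USER" "${PAM_RHOST:-}" "$PAM_SERVICE" \
        | mail -s "SSH login: ${PAM_USER}@$(uname -n) from ${PAM_RHOST:-unknown}" "$ADMIN_MAIL" \
        || true   # a mail failure must never block or fail the login
    exit 0
}

# Run only when PAM actually invoked us (PAM_TYPE is set); harmless when sourced.
case "${PAM_TYPE:-}" in
    ?*) notify_from_pam_env ;;
esac
```

Because the module is declared optional and the script always exits 0, a broken mailer cannot lock anyone out; the trade-off is that a failed notification is silent, so pair this with the log-based monitoring the other answers describe.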
Since this question has been brought up from the vaults, my inclination would be to run swatch against /var/log/auth.log (or your distro / syslog config's appropriate file), and configure it to respond with an email to each occurrence of sshd.*Accepted.*, since this should catch both password-based and key-based logins, which you could do with a config file saying, e.g.,

and, e.g., swatch -c /the/above/file /var/log/auth.

I recently developed my own solution for this problem, which involves monitoring log-files for different services (sshd included), and notifying a single e-mail when certain users gain access to certain services.
I call it Authentication Monitor and you can find more information about it here: http://bwyan.dk/?p=1744
I hope this could be what you are looking for.
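The log-pattern approach from the swatch answer above (match sshd.*Accepted to catch both password and key logins) can be combined with the "new IP address" idea from the next answer. The script below is an added example, not code from any answer or from Authentication Monitor; the auth.log lines are constructed samples, and the state file keeping known user@source pairs is an assumption of this example rather than swatch configuration.

```shell
#!/bin/sh
# Added example: extract successful sshd logins from auth.log-style lines and
# report only user+source pairs not seen before (state kept in a flat file).

# Constructed sample auth.log lines (not real data).
SAMPLE_LOG='Jan 12 10:15:01 host sshd[1234]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 12 10:16:45 host sshd[1250]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Jan 12 10:17:02 host sshd[1260]: Accepted password for bob from 192.0.2.33 port 50022 ssh2
Jan 12 10:18:30 host sshd[1270]: Accepted publickey for alice from 203.0.113.7 port 51300 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 12 10:19:00 host sshd[1280]: Accepted publickey for alice from 198.51.100.77 port 44000 ssh2: ED25519 SHA256:OTHERKEY'

# accepted_logins: read log lines on stdin, print "method user source" for
# each successful sshd authentication. Field positions are found by keyword
# so the prefix format (syslog vs. journal) does not matter.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted /{
        m = u = ip = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") m = $(i + 1);
            else if ($i == "for") u = $(i + 1);
            else if ($i == "from") ip = $(i + 1);
        }
        if (m != "" && u != "" && ip != "") print m, u, ip
    }'
}

# new_source_logins STATEFILE: read "method user source" on stdin; print
# "NEW method user source" for pairs not yet in STATEFILE and record them.
new_source_logins() {
    state="$1"
    [ -f "$state" ] || : > "$state"
    while read -r method user src; do
        key="$user@$src"
        if ! grep -qxF "$key" "$state"; then
            printf '%s\n' "$key" >> "$state"
            printf 'NEW %s %s %s\n' "$method" "$user" "$src"
        fi
    done
}

# count_lines: small helper so callers can count results portably.
count_lines() { wc -l | tr -d ' '; }

# Stand-alone demo over the constructed sample: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_LOG" | accepted_logins | new_source_logins "$tmp"
    rm -f "$tmp"
fi
```

On a real host, feed it from tail -F /var/log/auth.log (or journalctl -fu ssh) and pipe each NEW line into mail; keep the state file somewhere an attacker who compromised a login cannot quietly edit, which is the same reason the earlier answer recommends remote logging.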
I published a bash script on Github Gist that does what you're looking for. It will email the system administrator anytime a user logs in from a new IP address. I use the script to scrutinize logins on our tightly controlled production systems. If a login is compromised, we'd get notified about the unusual login location and have a chance to lock them out of the system before they cause serious damage.
To install the script, just update it with your sysadmin email, and copy it into /etc/profile.d/.