I am searching for a way to secure my server from bad guys, and the worst-case scenario would be that they'd gain access to one of the users. How do I receive an email on activity? I would like to get an email when someone logs in (any user, since no one should be logged in to them, except when someone is actually allowed to work on them). We have hourly backups of our servers.
Are there better ways to get notified that suspicious activity is going on?
Out of experience: don't. Please. E-mail "activity" leaves the boring job (parsing) on your side, which means that after a few weeks of false positives you stop paying attention. Then when an attack happens, you don't notice it.
Also there are other attack vectors that won't involve logins: imagine what happens if somebody exploits a vulnerable service, and tricks it into executing some code.
Or if you have a web application running on that server, and somebody steals that app's credentials to duplicate the data stored in a db.
Or if somebody does a "su - user" into a username that's allowed to work.
Furthermore: even if you were to know that somebody actually logged in, what would you do? Shut down the server? Log in and close his or her session? The damage might be done already by the time you wake up and check your mail. And what happens when you restore the server from the backup? Do you have time to patch it?
Security is much more than an e-mail. You have to think like the bad guys to understand what they can do, how, why, and which one is the weakest link of the security chain (hint: it's usually located between keyboard and chair).
Since you mention Debian, here's a link to securing Debian.
Your answer is OSSEC. It is an open source tool that monitors your logs and files and has all sorts of email alerts, active responses, etc.
It is very simple to install and by default it will start sending emails on brute force attacks, web-based attacks, etc. Enabling emails for logins, logouts, or anything else is just a matter of quickly editing an XML file.
Link: http://www.ossec.net
Debian? In regards to ssh-login?
Write a script that monitors auth.log and e-mails activity to you?
Question is: When is someone actually allowed to work on them, who allows them and is it a predefined time interval and dates?
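A sketch of the auth.log script suggested in the last answer, as an added example that is not part of any of the posts: it flags successful ssh logins and `su` sessions that fall outside an allowed time window and collects them into one digest mail. The `ALLOWED` policy, the mail addresses and the log lines are constructed for illustration, and the classic syslog timestamp format is assumed.

```python
import re
from datetime import time
from email.message import EmailMessage

# Constructed sample lines in Debian's /var/log/auth.log format (not real logs).
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 50122 ssh2
Mar  3 10:05:41 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:06:02 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
Mar  3 23:41:19 web1 su[2450]: pam_unix(su-l:session): session opened for user deploy by alice(uid=1000)
"""

# Hypothetical policy: account -> (start, end) of the hours it is allowed to work.
ALLOWED = {"alice": (time(8, 0), time(18, 0))}

CLOCK = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) ")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SU_OPEN = re.compile(r"su\[\d+\]: pam_unix\(su(?:-l)?:session\): session opened "
                     r"for user (\S+?)(?:\(uid=\d+\))? by (\S+?)\(uid=\d+\)")

def allowed(user, at):
    window = ALLOWED.get(user)
    return window is not None and window[0] <= at <= window[1]

def unexpected_logins(log_text):
    """Return a description of each successful ssh login or su outside the policy."""
    findings = []
    for line in log_text.splitlines():
        stamp = CLOCK.match(line)
        if not stamp:
            continue  # not a classic syslog line; ignore rather than guess
        at = time.fromisoformat(stamp.group(1))
        ssh, su = SSH_OK.search(line), SU_OPEN.search(line)
        if ssh and not allowed(ssh.group(1), at):
            findings.append(f"{at} ssh login as {ssh.group(1)} from {ssh.group(2)}")
        elif su and not allowed(su.group(2), at):  # policy is checked for the invoking user
            findings.append(f"{at} su to {su.group(1)} by {su.group(2)}")
    return findings

def build_alert(findings, to_addr="admin@example.org"):  # placeholder addresses
    """One digest message per run instead of one mail per log line."""
    msg = EmailMessage()
    msg["From"] = "monitor@example.org"
    msg["To"] = to_addr
    msg["Subject"] = f"{len(findings)} login(s) outside the allowed policy"
    msg.set_content("\n".join(findings))
    return msg  # hand to smtplib.SMTP("localhost").send_message(msg) to deliver

if __name__ == "__main__":
    print(build_alert(unexpected_logins(SAMPLE_LOG)))
```

Filtering against a schedule keeps expected logins out of the mailbox, but the script still only sees what is written to auth.log.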