
Alert when connecting to SSH

Based on the results of this question.

As a rule, with default settings, establishing an SSH connection produces no alert on the server side. An attacker can take advantage of this: while you are quietly reading Habr, confidential data may already be being transferred from your computer. The problem described is easy to fix.


When the connection is established, the /etc/ssh/sshrc script is executed, and it is impossible to prevent this from the client. Create another script for the alert and put the command that runs it in /etc/ssh/sshrc:
/usr/local/alert/start.sh 

The script displays a message with the important information via the notify-osd package and sounds an attention-grabbing siren:

 #!/bin/bash
 # Point notify-send at the desktop session's display
 export DISPLAY=:0
 # Critical notification: user name plus the reformatted connection data
 notify-send "Security Warning" "SSH Connection Established with \"$USER\" $(echo $SSH_CONNECTION | sed 's/\(.*\) \(.*\) \(.*\) \(.*\)/from \1:\2 to \3:\4/')" -u critical -i /usr/local/alert/icon.png
 # Play the siren; nothing may be written to the console
 play /usr/local/alert/sound.wav > /dev/null 2>&1

Here we first set the current display so that notify-osd works properly, then show a message with an icon and critical urgency, using the environment variables $USER (the current user) and $SSH_CONNECTION (the connection data, which we convert into a readable form with a sed regular expression). After that we play the siren.

Here you can also add sending of messages by e-mail (using sendmail) or Jabber (using sendxmpp).

To install, you can simply unpack the contents of this archive into the root of the file system (this operation will overwrite the previous contents of sshrc!).

Do not forget to install the necessary packages; in Ubuntu it is done like this:

 sudo apt-get install libnotify-bin sox 

UPD #1: Following suggestions from users bliznezz and Inflame, the script can be modified:

 #!/bin/sh
 export DISPLAY=:0
 # $SSH_TTY is appended as a fifth field so the message also names the terminal
 notify-send "Security Warning" "Occured Login as user \"$USER\" $(echo $SSH_CONNECTION $SSH_TTY | sed 's/\(.*\) \(.*\) \(.*\) \(.*\) \(.*\)/using SSH connection at \5 from \1:\2 to \3:\4/')" -u critical -i /usr/local/alert/icon.png
 aplay -q /usr/local/alert/sound.wav

Also add the following code to /root/.bashrc:

 unset SSH_CONNECTION
 /usr/local/alert/start.sh

Now the script will also signal when the shell is started by the root user.

UPD #2: The user neperap also noticed that if the file ~/.ssh/rc exists in the user's home directory on the server, it will be executed, and the warning system will not work. Also, for correct execution, these scripts must not output text to the console.
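
The following POSIX shell helpers are an added example, not part of the original article or its archive: they build the alert text by splitting $SSH_CONNECTION into fields instead of using the greedy sed match, and list the ~/.ssh/rc files that would silence the alert as described in UPD #2. The function names format_ssh_alert, hostport and find_user_rc and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the article's code. POSIX sh helpers for an sshrc alert.

# Print "ip:port", bracketing IPv6 addresses so the port stays unambiguous.
hostport() {
    case $1 in
        *:*) printf '[%s]:%s' "$1" "$2" ;;
        *)   printf '%s:%s' "$1" "$2" ;;
    esac
}

# Build the alert text from a user name, $SSH_CONNECTION and $SSH_TTY.
# SSH_CONNECTION holds "client_ip client_port server_ip server_port".
# Field splitting with read replaces the greedy sed match and lets the
# script notice an empty value (the /root/.bashrc case) or a malformed one.
format_ssh_alert() {
    user=$1
    tty=${3:-none}
    read -r cip cport sip sport extra <<EOF
$2
EOF
    case "$cport$sport" in *[!0-9]*) sport= ;; esac   # ports must be numeric
    if [ -z "$sport" ] || [ -n "$extra" ]; then
        printf 'Login as user "%s": no usable SSH connection data\n' "$user"
        return 0
    fi
    printf 'Login as user "%s" using SSH connection at %s from %s to %s\n' \
        "$user" "$tty" "$(hostport "$cip" "$cport")" "$(hostport "$sip" "$sport")"
}

# Print every per-user rc file found in the given home directories.
# When ~/.ssh/rc exists, /etc/ssh/sshrc is not run for that account (UPD #2),
# so each path printed is an account whose logins would raise no alert.
find_user_rc() {
    for home in "$@"; do
        if [ -f "$home/.ssh/rc" ]; then
            printf '%s\n' "$home/.ssh/rc"
        fi
    done
}

# Constructed sample values (documentation address ranges), for illustration.
format_ssh_alert alice "203.0.113.7 51234 192.0.2.10 22" /dev/pts/3
format_ssh_alert root "" ""
# On a server the override check would be run as: find_user_rc /root /home/*
```

In start.sh the text passed to notify-send would then be "$(format_ssh_alert "$USER" "$SSH_CONNECTION" "$SSH_TTY")"; both functions write only where their caller directs the output, so they respect the rule that sshrc scripts print nothing to the console.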

Source: https://habr.com/ru/post/117834/

