SSH user: logged in from IPAddress

Comments

3 comments

  • cPRex Jurassic Moderator
    Hey there! First, you would want to confirm what emails these are. If these are being sent by CSF, the subject would be similar to this:

        "lfd on host.domain.com: WHM/cPanel root access alert from 1.2.3.4"

    If that is the case, I'm not sure if there is a way to disable that from a certain IP address, as this is the option from the CSF config file:

        # Send an email alert if anyone logs in successfully using SSH
        #
        # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
        # this file about RESTRICT_SYSLOG before enabling this option:
        LF_SSH_EMAIL_ALERT = "1"

    You could always configure a mail filter to sort email with that specific IP address into a separate folder, so you would still receive notifications if a different IP accesses the machines.
    0
  • YellowboxNL
    It appears that one of our colleagues had inadvertently made changes to the modt.d.sh script, which was causing the issue. They have since corrected the script, and everything is now functioning as expected. I apologize for any confusion or inconvenience this may have caused, and I appreciate your patience while we worked to resolve the issue. If you have any further questions or concerns, please don't hesitate to reach out.

    Script that was active:

        # Collect login details for the banner and the notification mail
        log_file=/var/log/sshlogins.log
        user=$(who am i | awk '{print $1}')
        ip=$(echo "$SSH_CLIENT" | awk '{print $1}')   # empty when the session is not SSH
        date=$(date +"%d-%m-%y %H:%M")
        hostname=$(hostname)

        # Source IPs that must not trigger a mail
        excludeip=()
        excludeip+=("xxx.xxx.xxx.xxx")
        excludeip+=("xxx.xxx.xxx.xxx")

        message=$(echo -e "SSH user: $user logged in from IPAddress: $ip at time: $date")

        echo -e '========================================================================================================================================'
        echo -e 'ALERT! You are entering into a secured area! Your IP, Login Time, Username has been noted and has been sent to the server administrator!'
        echo -e 'This service is restricted to authorized users only. All activities on this system are logged.'
        echo -e 'Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.'

        if [ "$ip" != "" ]; then
            echo -e
            echo -e "$message"

            # Exact string match of the client IP against the exclude list
            found="0"
            for i in "${excludeip[@]}"
            do
                if [ "$i" == "$ip" ] ; then found="1"; fi
            done

            # Mail only for logins from IPs that are not excluded
            if [ "$found" == "0" ] ; then
                mail -s "SSH cPanel Login notification ($hostname)" xxxx@xxxx.xxx <<< "$message"
                echo "email send."
            fi

            # Always write to log
            # echo $message > $log_file
        fi

        echo -e '========================================================================================================================================'
    0
  • cPRex Jurassic Moderator
    I'm glad to see it was something custom!
    0
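
The per-IP exclusion from the script above, applied to sshd's own log lines instead of the login shell's environment. This is an added example, not code from the thread or from CSF; it assumes the traditional syslog line layout, and the exclude list, host names, users and addresses are constructed.

```shell
#!/bin/sh
# Added example: not the script from the thread and not CSF code.
# Assumes the traditional syslog layout:
#   Mon DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> port ...
# Host names, users and addresses are constructed sample values.

EXCLUDE_IPS="192.0.2.10 198.51.100.7"   # hypothetical trusted admin addresses

# Constructed sshd log sample. The fourth line is a failed attempt whose
# user-name field happens to contain the words of a success message.
sample_log() {
    cat <<'EOF'
Mar  3 09:14:02 host sshd[2101]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
Mar  3 09:20:45 host sshd[2188]: Failed password for invalid user admin from 203.0.113.66 port 41010 ssh2
Mar  3 09:31:10 host sshd[2240]: Accepted password for deploy from 203.0.113.5 port 38844 ssh2
Mar  3 09:40:00 host sshd[2301]: Failed password for invalid user Accepted password for root from 203.0.113.9 from 203.0.113.66 port 41200 ssh2
Mar 13 11:02:37 host sshd[3007]: Accepted publickey for root from 198.51.100.7 port 50990 ssh2
EOF
}

# Read sshd log lines on stdin and print one alert line per successful login
# whose source IP is not in the space-separated list passed as $1.
ssh_login_alerts() {
    awk -v excl="$1" '
        BEGIN { n = split(excl, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # Match on field position so "Accepted" inside a user name is ignored.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $10 == "from" {
            if (!($11 in skip))
                printf "SSH user: %s logged in from IPAddress: %s at time: %s %s %s\n",
                       $9, $11, $1, $2, $3
        }'
}

# Each alert line could be piped to mail(1) as the script above does;
# here the alerts are only printed.
sample_log | ssh_login_alerts "$EXCLUDE_IPS"
```

Unlike a banner script sourced at login, this check sees every successful login sshd records, whether or not the session runs a login shell.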
