SSH user: logged in from IPAddress
Hello,
We have a cPanel server that sends emails saying that an SSH user has logged in.
This is correct because we have a script on another server that connects every minute to update data.
What is strange is that we have entered the IP in the whitelist of the brute-force protection, but we still receive these messages.
The message body is : SSH user: logged in from IPAddress: xxx.xxx.xxx.xxx at time: 15-09-23 11:23
How can we whitelist an SSH user or IP from sending these emails?
Regards
-
Hey there! First, you would want to confirm what emails these are. If these are being sent by CSF, the subject would be similar to this: "lfd on host.domain.com: WHM/cPanel root access alert from 1.2.3.4"

If that is the case, I'm not sure if there is a way to disable that from a certain IP address, as this is the option from the CSF config file:

    # Send an email alert if anyone logs in successfully using SSH
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_SSH_EMAIL_ALERT = "1"

You could always configure a mail filter to sort email with that specific IP address into a separate folder, so you would still receive notifications if a different IP accesses the machines.
-
It appears that one of our colleagues had inadvertently made changes to the modt.d.sh script, which was causing the issue. They have since corrected the script, and everything is now functioning as expected. I apologize for any confusion or inconvenience this may have caused, and I appreciate your patience while we worked to resolve the issue. If you have any further questions or concerns, please don't hesitate to reach out.

Script that was active:

    log_file=/var/log/sshlogins.log
    user=$(who am i|awk '{print $1}')
    ip=$(echo $SSH_CLIENT|awk '{print $1}')
    date=$(date +"%d-%m-%y %H:%M")
    hostname=$(hostname)
    excludeip=()
    excludeip+=("xxx.xxx.xxx.xxx")
    excludeip+=("xxx.xxx.xxx.xxx")
    message=$(echo -e "SSH user: $user logged in from IPAddress: $ip at time: $date")
    echo -e ========================================================================================================================================
    echo -e ALERT! You are entering into a secured area! Your IP, Login Time, Username has been noted and has been sent to the server administrator!
    echo -e This service is restricted to authorized users only. All activities on this system are logged.
    echo -e Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
    if [ "$ip" != "" ]; then
        echo -e
        echo -e $message
        found="0"
        for i in "${excludeip[@]}"
        do
            if [ "$i" == "$ip" ] ; then found="1"; fi
        done
        if [ "$found" == "0" ] ; then
            mail -s "SSH cPanel Login notification ($hostname)" xxxx@xxxx.xxx <<< $message
            echo "email send."
        fi
        # Always write to log
        # echo $message > $log_file
    fi
    echo -e ========================================================================================================================================
-
I'm glad to see it was something custom!
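
The exclusion logic of the login script posted earlier in this thread, as an added example that is not part of the thread and is not cPanel or CSF code: every SSH login is appended to the log, and only the mail is suppressed for listed source IPs, so automated logins stay auditable. The variable names, the sample addresses, the recipient and the `MAILER` override are assumptions.

```shell
#!/bin/sh
# Added example: SSH login notifier with a mail exclusion list (POSIX sh).
# Variable names, defaults and sample addresses are assumptions for illustration.
LOG_FILE="${LOG_FILE:-/var/log/sshlogins.log}"
EXCLUDE_IPS="${EXCLUDE_IPS:-192.0.2.10 192.0.2.11}"  # constructed sample IPs
MAIL_TO="${MAIL_TO:-admin@example.com}"              # placeholder recipient
MAILER="${MAILER:-mail}"                             # overridable, e.g. for tests

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
client_ip() {
    conn=${SSH_CONNECTION:-}
    printf '%s' "${conn%% *}"
}

# Whole-token match, so 192.0.2.1 is not treated as 192.0.2.10.
is_excluded() {
    [ -n "${1:-}" ] || return 1
    case " $EXCLUDE_IPS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

notify_login() {
    ip=$(client_ip)
    [ -n "$ip" ] || return 0    # not an SSH session: nothing to report
    msg="SSH user: ${USER:-$(id -un)} logged in from IPAddress: $ip at time: $(date +'%d-%m-%y %H:%M')"
    # Append (>>), never truncate (>): excluded logins stay in the audit trail.
    printf '%s\n' "$msg" >> "$LOG_FILE"
    if is_excluded "$ip"; then
        return 0                # logged, but no mail for known automation
    fi
    printf '%s\n' "$msg" | "$MAILER" -s "SSH login notification ($(uname -n))" "$MAIL_TO"
}

# Run only inside an SSH session; a notifier failure must never block the login.
if [ -n "${SSH_CONNECTION:-}" ]; then
    notify_login || true
fi
```
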