Root Login Notification

When administering a Linux server, especially when several people share root access (with sudo, don’t give out that root password!), it’s important to know when other root users are logged in. This is also a simple form of intrusion detection, since an email is sent as soon as someone logs into the root shell.

This only happens when the .bashrc file is executed; just using the “sudo” command will not trigger this, but “sudo su -” will. I also ran “chattr +i” on the .bashrc file to set the immutable bit, so the file cannot be modified or changed, not even by the root user. On my server, it also sends a text message to my phone as soon as someone logs in as root. The message shows the username that executed the sudo command and the IP address that the user is remotely logged in from. The line in root’s .bashrc is:

echo -e "$(date)\n$(who -m --ips | awk '{print $1" "$5}' | sed -e 's|(||g' -e 's|)||g' -e 's|-|.|g' | cut -d: -f1)" | mail -s "root login alert" email@yourdomain.com

Here’s what the script outputs in the message that it emails:

Tue May 18 15:22:23 CDT 2010

username 123.123.123.123


1 Comment

  1. This is of course easily defeated, which makes it more dangerous than having it. You could make this much better by NOT sticking it in the .bashrc file, since users can simply change the default shell or change permissions or just rewrite the file, especially if they have root access. It’d be much better to limit root access (since most “need root” problems can be solved with the proper application of groups) and to make use of the sudo log, since it was built specifically for this. Just use visudo to edit your sudoers file to enable logging, and then lock down all your other users’ root abilities, since it’s unlikely they need full root anyways.
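
The sudo-log approach suggested in the comment above, as an added example (not code from the post or from the commenter): the function scans syslog-format sudo entries for root shells started through su or a shell binary, so it reports “sudo su -” sessions without depending on .bashrc. The log lines, host name and user names are constructed, and the default sudo syslog line layout is assumed.

```shell
#!/usr/bin/env bash
# Added example: flag root-shell launches recorded in sudo's syslog output.
# Assumed line layout (sudo's default syslog format):
#   <date> <host> sudo: <user> : [reason ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..

# Reads log lines on stdin; prints "STATUS date user tty command" per root shell.
root_shell_events() {
  awk '
    / sudo[^ :]*: / && /USER=root/ && /COMMAND=/ {
      line = $0
      sub(/^.* sudo[^ :]*: +/, "", line)       # drop date, host and tag
      user = line; sub(/ .*/, "", user)        # invoking user comes first
      tty = "unknown"
      if (match(line, /TTY=[^ ;]+/)) tty = substr(line, RSTART + 4, RLENGTH - 4)
      cmd = line; sub(/^.*COMMAND=/, "", cmd)
      # Program name without directory or arguments.
      prog = cmd; sub(/ .*/, "", prog); sub(/^.*\//, "", prog)
      # su covers "sudo su -"; shell binaries cover "sudo -i" and "sudo -s".
      if (prog ~ /^(su|sh|bash|dash|zsh|ksh)$/) {
        # sudo logs refused attempts with a reason before the TTY field.
        denied = (line ~ /incorrect password|NOT in sudoers|not allowed/)
        status = denied ? "DENIED" : "OK"
        print status, $1, $2, $3, user, tty, cmd
      }
    }'
}

# Constructed sample input, not taken from a real system.
sample_log() {
  cat <<'EOF'
May 18 15:22:23 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
May 18 15:25:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
May 18 15:31:42 web01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
May 18 15:40:05 web01 sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/su -
May 18 15:41:00 web01 sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

sample_log | root_shell_events
```

On a live system the input would be the file that receives sudo's syslog messages, and the output can be piped to mail in the same way as the original alert.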
