Following on from my earlier post on how to set up Dead simple CentOS server monitoring with Monit and Pushover, I recently added monitoring for SSH logins. I wanted to be able to see who is logging into my servers and be notified if anyone not authorised gained access. If you have already set up a Monit and Pushover system then this just requires adding an extra Monit .conf file.
Create the SSH logins Monit .conf file with the following contents.
# nano /etc/monit.d/ssh_logins.conf

check file ssh_logins with path /var/log/secure
  # Ignore logins from whitelisted IP addresses
  ignore match "/var/www/ignore_ips.txt"
  if match "Accepted publickey" then exec "/usr/local/bin/pushover.sh"
  if match "Accepted password" then exec "/usr/local/bin/pushover.sh"
If you want to be able to ignore logins from certain IP addresses (i.e. your own) then create a text file with the list of IP addresses to be ignored (one per line).
# nano /var/www/ignore_ips.txt

123.123.134.123
122.121.121.121
...

Check that all the .conf files are correct.
# monit -t
If everything is fine then restart monitoring by reloading the new .conf files.
# monit reload
Now any time someone logs in to the server you will be sent a notification. The only downside is that the notification takes around a minute to arrive, since it is only pushed once Monit checks the secure log file. It is possible to get instant notification by using pam_exec, but that is another post.
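To check an ignore list before running monit reload, the rule above can be emulated with grep. This is an added example, not part of the original post; it relies on Monit reading each line of the ignore file as an extended regular expression matched anywhere in the log line, and the log lines, addresses and temporary file names below are constructed for illustration.

```shell
#!/bin/sh
# would_alert LOG IGNORE: print the log lines that would still run pushover.sh.
# Emulates "ignore match <file>" followed by the two "if match" tests.
# grep -E -f reads one extended regex per line, like Monit's ignore file.
would_alert() {
    grep -E 'Accepted (publickey|password)' "$1" | grep -E -v -f "$2" || true
}

# Constructed sample of /var/log/secure (documentation-range addresses).
sample_log() {
    cat <<'EOF'
Jan 10 09:14:02 web1 sshd[2101]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2
Jan 10 09:20:47 web1 sshd[2188]: Accepted password for deploy from 203.0.113.57 port 41810 ssh2
Jan 10 09:31:15 web1 sshd[2240]: Failed password for root from 198.51.100.23 port 39944 ssh2
Jan 10 09:40:03 web1 sshd[2302]: Accepted password for backup from 198.51.100.23 port 40012 ssh2
EOF
}

demo_dir=$(mktemp -d)
sample_log > "$demo_dir/secure"

# Bare address, written the way the entries in ignore_ips.txt are above.
# As a regex it also matches 203.0.113.57, so that login is silenced too.
printf '%s\n' '203.0.113.5' > "$demo_dir/ignore_loose.txt"

# Dots escaped and the address pinned between sshd's "from" and "port",
# so only the one intended address is ignored.
printf '%s\n' 'from 203\.0\.113\.5 port' > "$demo_dir/ignore_strict.txt"

echo "Alerts with the bare address in the ignore file:"
would_alert "$demo_dir/secure" "$demo_dir/ignore_loose.txt"
echo "Alerts with the escaped, anchored pattern:"
would_alert "$demo_dir/secure" "$demo_dir/ignore_strict.txt"
```

With the bare entry only the login from 198.51.100.23 is reported; with the anchored entry the login from 203.0.113.57 is reported as well.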