@tdussa
Forked from arcticlinux/notify.sh
Last active July 4, 2024 10:00
Email sysadmin on every login from a new IP address
#! /usr/bin/env bash
##
## New IP login notification script
## 2009-11-20 00:28 Samuele ~redShadow~ Santi
## 2018-06-04 12:53 ElliotNB
## 2018-10-17 17:55 ElliotNB - bug fixes for non-interactive sessions and `sudo su` commands
## 2019-08-27 16:15 mbest - update geoip lookup awk syntax, add mktemp for temporary directory,
## - add delete TMP_DIR function and trap to delete it for assurance,
## - change emails to example.com, add xargs to trim output
## 2024-06-10T08:25Z tdussa - Removed GeoIP lookup
## 2024-06-10T12:45Z tdussa - Fixed `last` call so IPv6 addresses are not truncated
## 2024-06-10T13:10Z tdussa - Removed `mutt` dependency
## 2024-06-10T13:30Z tdussa - Removed absolute path from `mail` call, made bang line more general
## 2024-06-10T13:40Z tdussa - Moved attachments into mail text for compatibility
## 2024-07-03T07:40Z tdussa - Made mail subject more concise
## 2024-07-03T07:45Z tdussa - Set default mail recipient to `root`
## 2024-07-04T08:40Z tdussa - Made netstat silent if run by regular user
## 2024-07-04T10:00Z tdussa - Added possibility for external recipient definition
##
## Licensed under GPL
##
## This script will email the contact specified below whenever
## a user logs into the system from a new IP address. The email will contain the
## username and IP address for the login as well as current system
## stats (running processes, other logged in users, network connections, etc).
##
## Installation:
## - Copy and paste this script into /etc/profile.d/notify_new_login.sh
## - Put desired recipient address in /etc/default/notify_new_login in the
## format as below or edit the variable below directly
##
## Configuration:
NOTIFY_ADDR="root"
[[ -e /etc/default/notify_new_login ]] && source /etc/default/notify_new_login
LOG_USER="$( whoami )"
LOG_DATE="$( date "+%Y-%m-%dT%H:%M:%S%:::z" )"
LOG_IP="$( echo "${SSH_CLIENT}" | awk '{ print $1 }' )"
# if this is an interactive shell and we were able to capture an IP address, then proceed
if ! [ -z "$PS1" ] && ! [ -z "$LOG_IP" ]; then
    # if this user and IP address combination is not present in our logs
    # (-F and -w make grep match the address literally and as a whole token, so a
    # login from 10.0.0.1 is not treated as known because 10.0.0.10 is in the log)
    if ! [[ $(last "$LOG_USER" -ai | grep -v still | grep -wF -- "$LOG_IP") ]]; then
        mail -s "[NEW LOGIN] ${LOG_USER}@$(hostname) from ${LOG_IP}" "${NOTIFY_ADDR}" <<EOF
----------------------
NEW LOGIN NOTIFICATION
----------------------
Host: $(hostname)
User: ${LOG_USER}
IP: ${LOG_IP}
Date: ${LOG_DATE}
$(date)
Uptime: $(uptime)
--- Logged-in users ----------------------------------------------------
$(who)
--- Netstat ------------------------------------------------------------
$(netstat -n)
--- Netstat listening --------------------------------------------------
$(netstat -tulpen 2> /dev/null)
--- Processes ----------------------------------------------------------
$(ps fauxw)
EOF
    fi
fi
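An added example, not part of the gist: it shows why the user/IP lookup against `last -ai` output has to compare the address exactly, since a pattern match treats 192.0.2.1 as already seen when only 192.0.2.10 is in the history. The function names and the sample `last` output are constructed for illustration (addresses come from documentation ranges).

```shell
#!/usr/bin/env bash
# Constructed sample of `last -ai alice` output; with -a the address is the last field.
SAMPLE_LAST='alice    pts/0        Mon Jun 10 09:12   still logged in    192.0.2.10
alice    pts/1        Sun Jun  9 18:40 - 19:02  (00:22)     192.0.2.10
alice    pts/0        Sat Jun  8 07:15 - 07:55  (00:40)     2001:db8::1
alice    pts/2        Fri Jun  7 22:01 - 22:30  (00:29)     198.51.100.7

wtmp begins Sat Jun  1 00:00:01 2024'

# Loose lookup (hypothetical helper): the address is used as a grep pattern,
# so "." matches any character and a shorter address matches inside a longer one.
ip_seen_loose() {
    grep -v still | grep -q "$1"
}

# Exact lookup (hypothetical helper): reads `last -ai` output on stdin and
# returns 0 only if a finished session has exactly this address as its last field.
ip_seen_before() {
    awk -v ip="$1" '
        /still logged in/          { next }            # skip sessions that are still open
        NF && ($NF "") == (ip "")  { found = 1; exit } # forced string comparison
        END                        { exit !found }
    '
}

# Stand-alone demonstration over the constructed sample.
for ip in 192.0.2.10 192.0.2.1 2001:db8::1 198.51.100.70; do
    if printf '%s\n' "$SAMPLE_LAST" | ip_seen_before "$ip"; then
        echo "$ip: known address, no mail"
    else
        echo "$ip: new address, notify"
    fi
done
```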