Apple - Getting notified when someone logs into a server using SSH or Remote Desktop

Your best defence is always to turn off unnecessary services. If you're not using remote desktop: turn it off. If you're not using the HTTP or FTP servers: turn them off. Fewer services running, fewer points of entry for possible intruders to exploit.

Aside from locking it down, there are some free and open source products that are OS X friendly you can look at to do intrusion detection on your machine.

Snort

Though I haven't personally run it, I do have colleagues who know and trust it for intrusion detection. It's BSD-compatible, so it makes it a good fit for OS X. Another upside to going with Snort is that it's available as a Homebrew package:

> brew info snort
snort 2.9.0.5
http://www.snort.org
Depends on: daq, libdnet, pcre
Not installed
https://github.com/mxcl/homebrew/commits/master/Library/Formula/snort.rb

==> Caveats
For snort to be functional, you need to update the permissions for /dev/bpf*
so that they can be read by non-root users.  This can be done manually using:
    sudo chmod 644 /dev/bpf*
or you could create a startup item to do this for you.

So you get a simplified path to installation and some trust in the fact that it ports well to OS X and runs there. With Homebrew installed you only need to do:

> brew install snort

And you're ready to get started with it.

Check out this Snort for OS X Lion Server setup guide that the Snort community provides to get started with rule writing for your OS X machine. That's a great document and, in addition to walking through installing Snort from source (which you don't need to do), it talks about all the things you should do to your OS X Lion Server instance to help protect it. If you install via Homebrew, start at Section 5 (page 13) in the PDF since you don't need to worry about installing it from source code.

Tripwire

I've run Tripwire on Linux machines to do rapid intrusion detection and alerting. It's effective but it's a bit of a beast to set up. It can perform actions when rules are matched against log files. Of course, a savvy hacker is going to know to disable Tripwire as soon as they break in so they don't end up with their session getting cut off.

The MacWorld hint talks about setting up Tripwire on OS X. It's not simple, and the article ends by mentioning that it's not been tested.


You can harden ssh and install denyhosts, sshguard, and Snort, Barnyard, Base and Swatch.

See these links for details:

https://discussions.apple.com/thread/3565475
https://discussions.apple.com/thread/4473229?tstart=0

  1. Turn off root and password logins:

    vi /etc/sshd_config

    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no

    Then use ssh-keygen on the remote client to generate public/private keys that can be used to log in remotely to the server:

    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys

  2. Install denyhosts and sshguard.

    • sudo port install denyhosts sshguard
    • sudo port load denyhosts
    • sudo port load sshguard

    You can configure denyhosts to block all traffic, not just ssh traffic.

  3. Snort, with a world map of attacks:

    https://discussions.apple.com/thread/4473229?tstart=0


To directly answer the question posed: I have another script that emails me, again around midnight, if anyone successfully logs in via ssh.

#!/usr/bin/env bash
# Mail a list of the day's successful ssh logins. An optional argument is
# passed straight through to date (e.g. -v-1d on OS X), so a midnight cron
# run can report on the day that just ended.

mm=$(date $1 +%b)
dd=$(date $1 +%d)
dd=$((10#$dd))            # strip the leading zero from the day number
if [ "$dd" -ge 10 ]
  then
    dt="$mm $dd"          # "Dec 15": syslog pads the day to two characters,
  else
    dt="$mm  $dd"         # "Dec  5": hence two spaces for single-digit days
fi

report=$(mktemp /tmp/access_granted.XXXXXX)
grep -E '(Accepted|SUCCEEDED)' /var/log/secure.log | grep -E -v '(my.ip.address|192.168.1)' | grep "$dt" >> "$report"

# -E: don't send the mail if the body is empty; you@example.com is a placeholder
/usr/bin/mail -E -s "Access granted" you@example.com < "$report"
rm -f "$report"

Edit the grep above to exclude your own fixed IP, if you want, and to use your email address. You can combine some of the code in my other answer to add failures for VNC.
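As an added example (not code from any of the answers above), here is the same filter written as functions so it can be checked against sample input, extended to pick up Screen Sharing (VNC) logins as well as ssh, and using date's %e to get syslog's space-padded day directly. The log lines are constructed in secure.log style, not real captures; the addresses come from the RFC 5737 documentation ranges and the mail address is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: list one day's successful ssh and Screen Sharing logins
# from secure.log-style lines, dropping trusted source addresses.

# Syslog-style date prefix ("Dec  5" or "Dec 15"); extra arguments such as
# -v-1d are passed to date. Month and day come from one date call so the
# prefix stays consistent across a month boundary.
syslog_date() {
  date "$@" '+%b %e'        # %e pads the day with a space, like syslog
}

# Print successful logins from log file $1 for date prefix $2, skipping
# lines that match the extended regex $3 (your own / LAN addresses).
# sshd logs "Accepted ..."; screensharingd logs "Authentication: SUCCEEDED".
successful_logins() {
  grep -E '(Accepted|Authentication: SUCCEEDED)' "$1" \
    | grep -F "$2" \
    | grep -E -v "$3"
}

# Number of lines the filter keeps (0 when nothing matched).
count_logins() {
  successful_logins "$1" "$2" "$3" | grep -c .
}

# Constructed sample log in OS X secure.log format (not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec  5 23:41:02 mini sshd[812]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2
Dec  5 23:42:10 mini sshd[815]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2
Dec  5 23:45:30 mini sshd[820]: Accepted publickey for alice from 192.168.1.20 port 50010 ssh2
Dec  5 23:50:01 mini screensharingd[300]: Authentication: SUCCEEDED :: User Name: bob :: Viewer Address: 198.51.100.4 :: Type: DH
Dec  5 23:51:12 mini screensharingd[300]: Authentication: FAILED :: User Name: bob :: Viewer Address: 198.51.100.4 :: Type: DH
Dec  6 00:03:44 mini sshd[901]: Accepted password for carol from 203.0.113.8 port 51900 ssh2
EOF

# Usage: report Dec 5 logins, ignoring the 192.168.1.x LAN. In a cron job
# replace 'Dec  5' with "$(syslog_date -v-1d)" and pipe the report into
# /usr/bin/mail -E -s "Access granted" you@example.com (placeholder address).
REPORT=$(successful_logins "$SAMPLE_LOG" 'Dec  5' '(192\.168\.1\.)')
printf '%s\n' "$REPORT"
```

The Failed/FAILED lines are the raw material for the "failures for VNC" variant mentioned above: swap the first pattern for `(Failed|Authentication: FAILED)` and keep the rest.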