Hello,
Is it possible to get an instant email notification (IP and user agent) when someone logs into WHM or cPanel?
APF is installed so I can't install CSF.
Hi,
My VPS server has recently been hacked, and I found on a forum that the hacker was boasting that he accessed my root through a weak password.
(now changed to a 100% strength one)
He deleted at least 2 of my clients' websites (idiot!!).
Anyway, I am worried that the hacker still has access to my WHM, so I too would like a script to email me on login to WHM, or at least some kind of log file I can easily read.
Any suggestions??
I am running csf which is now set to high..
I cannot see any access on the lfd log at the time the hack took place, so I'm guessing it happened through a webpage.
Because I am so paranoid now, I have been hunting for an answer to this..
I have found this elsewhere :-
If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.
Server e-mail every time someone logs in as root
To have the server e-mail you every time someone logs in as root, SSH into server and login as root.
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.
Set an SSH Legal Message
To set an SSH legal message, SSH into server and login as root.
At command prompt type:
pico /etc/motd
Enter your message, save and exit.
Note: I use the following message…
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies
I'm going to try in a bit and I will report back to you.
This worked perfectly for me...
If anyone uses SSH to enter root,
it flags up a big warning, then it quietly emails me
the access time and IP address they are using to log in.
Hope this solves your problem.
I had to install the mail script though on my server as it came up with an error.
I used:
Code:
# yum install mailx
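The root-login alert from the posts above, reworked as an added example that is not part of the original thread: it reads the source address from the `SSH_CONNECTION` variable that sshd sets for the current session, instead of parsing `who`, which lists every open session. The `ALERT_TO` variable and the function names are assumptions; the block is meant to be appended to root's `.bash_profile`.

```bash
# Added example: root-login alert for /root/.bash_profile.
# ALERT_TO and the function names are assumptions, not from the thread.
ALERT_TO="${ALERT_TO:-your@email.com}"

# Print the source address of the current session only.
# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".
# Parsing `who` instead returns one line per open session, so the subject
# can end up with several addresses or with someone else's.
login_source() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        printf 'local-console\n'   # no SSH session: console login, su or sudo
    fi
}

alert_subject() {
    printf 'Alert: Root Access from %s on %s' "$(login_source)" "$(uname -n)"
}

alert_body() {
    printf 'ALERT - Root Shell Access\n'
    printf 'Time:   %s\n' "$(date '+%Y-%m-%d %H:%M:%S %Z')"
    printf 'Source: %s\n' "$(login_source)"
    printf 'Sessions currently open:\n'
    who
}

send_root_alert() {
    # mail is provided by the mailx package; if it is missing, skip quietly
    # so a broken alert never blocks or delays the login itself.
    command -v mail >/dev/null 2>&1 || return 0
    alert_body | mail -s "$(alert_subject)" "$ALERT_TO" >/dev/null 2>&1 &
}

# Send only from an interactive shell that is really running as root.
case $- in
    *i*) if [ "$(id -u)" -eq 0 ]; then send_root_alert; fi ;;
esac
```

Because `.bash_profile` is read only by interactive login shells, this complements log-based alerting rather than replacing it.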
Hello,
This SSH alert method is good if you don't have CSF installed, but this way you are not being alerted when someone accesses WHM. If you have CSF, it is very easy to configure it for sending you alerts in both cases. On its configuration page, look for:
# Send an email alert if anyone logs in successfully using SSH
# Send an email alert if anyone accesses WHM via root
and set them to 1.
Regards,
Jordi Casanovas - Bones Connexions
Hosting and cPanel in Catalan