WebVeta - Advanced, unified, consistent search for your website(s), from content of your website(s), blogs(s). First 50 customers, who sign-up prior to 15/05/2024 get unlimited access to existing features, newer features for at least 1 year. Sign up now! https://webveta.alightservices.com/
Categories
Security

How to get alerts for SSH / OpenVPN logins on AWS EC2 or any other debian/ubuntu based servers

This blog post is specifically for AWS EC2 but the same concepts can be used in any Ubuntu based environments.

This is part of my personal effort in enhancing the cyber-security of my own startup – ALight Technology And Services Limited and ALight Technologies USA Inc. I am using multi-cloud environment for additional security. I have workloads in Azure, AWS! Azure has more important workloads. I am trying to come up with a plan where if an attacker hacks one of the accounts, the critical workload in Azure should not be accessible. This is pretty much like creating multiple layers of security. In other words this is like multi-MFA accounts security with various multi-factor authentication methods.

At least during locked-down period, the multi-MFA accounts security level would enhance the security. During maintenance window this level of security wouldn’t be possible and I am planning some monitoring, alerts and automatic mitigations if abnormal activity gets detected during maintenance windows based on logs, metrics. And even automatic terminations for any higher abnormal activity. Almost like a self-developed, zero trust system, intrusion detection and prevention system.

Here are several related blog posts:

The spy-attackers-toes (I think extremist division of R&AW, spying organization of my own country, India) = terrorist odour can utmost do screenshots but cannot directly access the servers. This is one man’s effort against an army of anonymous spy-hackers. Shame on the bribery/extortion/ransom takers. sugarified word – taking – harsh reality = extortion/ransom, instead they could have opted to asking for help.

In AWS configure a SNS topic to send alerts to emails / SMS to phone. Add the emails and phone numbers, subscribe and validate the emails and phones.

Create a role for use with EC2 instances and give permission for publish to the SNS topic.

When launching the SNS use associate the IAM role with permission for publishing.

Install aws cli.

> sudo apt install awscli

Create a script for example / var/LoginAlert/LoginAlert.sh

#!/bin/bash
aws sns publish --topic-arn <ARN_OF_SNS_TOPIC> --message "User Logged In!" --region <AWS_REGION>
exit 0

Replace the ARN and Region with your own ARN and Region of the SNS topic.

Instead of “aws sns publish”, we can use any other executable such as writing some customcode and writing into some database for audit purposes, send alert via various other methods such as Slack etc… Or may be even a curl request to Slack.

https://api.slack.com/tutorials/tracks/posting-messages-with-curl

Give execute permissions on the script

sudo chmod +x /var/LoginAlert/LoginAlert.sh

Edit the file /etc/profile

sudo nano /etc/profile

Add the following code:

/var/LoginAlert/LoginAlert.sh

Now, reboot and re-login, you should have received an alert.

Now for OpenVPN, we can use the same script. Edit server.conf usually under /etc/openvpn or /etc/openvpn/server. Add the following lines:

client-connect "/var/LoginAlert/LoginAlert.sh"
script-security 2

Now, try connecting to your VPN instance, you should receive an alert.

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.