shell alert by mail in linux server

by emre - 06.05.2025

important note
this is a working example of getting shell alerts by mail. it's not recommended to use it as is in production environments.

install the msmtp packages to send mail.
apt update; apt install -y msmtp msmtp-mta

customize the settings by editing .msmtprc in ~ (nano .msmtprc, or your favorite editor).
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account service
host mail.zurrak.com
port 587
from <from_user>@zurrak.com
user <from_user>@zurrak.com
password <redacted>

account default : service
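before a pam hook depends on this config, two things are worth checking, because both fail silently at the worst moment: msmtp refuses a .msmtprc that is readable by group or others (chmod 600 it), and `account default : NAME` only works when NAME is an account the file actually defines. the snippet below is an added example, not part of the original post or of msmtp itself; it assumes GNU stat and writes a constructed sample config with placeholder host, user and password.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for an msmtprc
# before a PAM hook depends on it. msmtp refuses a config that is readable by
# group or others, and "account default : NAME" only works when NAME is an
# account the file defines. Assumes GNU stat (-c '%a').

# Permission bits of a file in octal, e.g. 600.
file_mode() {
    stat -c '%a' "$1"
}

# Succeed only when group and other have no permission bits at all
# (600, 400, 700 are fine; 640 or 644 make msmtp bail out).
check_msmtprc_perms() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Names defined by "account NAME" lines; the "account default : NAME" alias
# line is skipped because it defines nothing.
defined_accounts() {
    awk '$1 == "account" && $2 != "default" { print $2 }' "$1"
}

# The NAME that "account default : NAME" points at (empty if there is none).
default_target() {
    awk '$1 == "account" && $2 == "default" && $3 == ":" { print $4 }' "$1"
}

# Succeed only when the default alias resolves to a defined account.
check_msmtprc_default() {
    target=$(default_target "$1")
    [ -n "$target" ] || return 1
    defined_accounts "$1" | grep -qx -- "$target"
}

# Run both checks and report; returns non-zero if either fails.
check_msmtprc() {
    rc=0
    check_msmtprc_perms "$1"   || { echo "$1: must not be readable by group/others (chmod 600)"; rc=1; }
    check_msmtprc_default "$1" || { echo "$1: 'account default :' points at an undefined account"; rc=1; }
    return $rc
}

# Constructed sample config in the post's layout (placeholder host, user and
# password); written to a temp file whose path is printed for the checks.
write_sample_msmtprc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account service
host mail.example.invalid
port 587
from alerts@example.invalid
user alerts@example.invalid
password PLACEHOLDER

account default : service
EOF
    chmod 600 "$f"
    printf '%s\n' "$f"
}
```

against a real file run it as `check_msmtprc /root/.msmtprc`; the sample writer only exists so the checks can be exercised without touching the real config.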

put this bash script somewhere; you'll need its path for pam. mine is at ~ (the pam line below uses /root/shellalert.sh). also don't forget to chmod +x or chmod 755 it.
#!/bin/bash
# runs as root from pam_exec (see the pam line below); pam_exec sets PAM_TYPE.
# needs lsof (apt install -y lsof) and procps (w).

# only react when a session is opened, not when it closes
if [[ "$PAM_TYPE" == "close_session" ]]; then
    exit 0
fi

myip="<put_your_ip_to_be_dismissed>" # i.e. the home ip address you connect from every day

# 1) reverse shell check: established sockets (NAME contains "->") held by shells
#    or interpreters. lsof -i -n -P columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
suspicious=$(lsof -i -n -P 2>/dev/null | grep -E 'sh|bash|nc|perl|python|php' | grep -vE 'shell2htt|ssh|mbsync' | grep -- '->')

if [[ -z "$suspicious" ]]; then
    echo "pass"
else
    echo -e "Subject: reverse shell access on $(hostname)\n\n\
shell session opened:\n\
user: $(echo "$suspicious" | awk '{print $3}' | sort -u)\n\
tty: noninteractive\n\
ip: $(echo "$suspicious" | awk '{print $9}' | sort -u | cut -d '>' -f2)\n\
time: $(date "+%Y-%m-%d %H:%M:%S")\n" | msmtp -a service <to_user>@zurrak.com
fi

# 2) login check: sessions whose FROM column is not $myip. w -h columns:
#    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT (the console shows FROM as "-" and is reported too)
foreign=$(w -h | awk -v ip="$myip" '$3 != ip')

if [[ -z "$foreign" ]]; then
    echo "pass2"
else
    echo -e "Subject: shell access on $(hostname)\n\n\
shell session opened:\n\
user: $(echo "$foreign" | awk '{print $1}' | sort -u)\n\
tty: $(echo "$foreign" | awk '{print $2}' | sort -u)\n\
ip: $(echo "$foreign" | awk '{print $3}' | sort -u)\n\
time: $(date "+%Y-%m-%d %H:%M:%S")\n" | msmtp -a service <to_user>@zurrak.com
fi

# always succeed: with "session required pam_exec.so" a non-zero exit would make the login fail
exit 0
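to see what the two checks actually match before wiring anything into pam, here is the same detection logic rewritten as functions that read their input from stdin, with a dry-run path that prints the mail instead of sending it. this is an added example, not the post's script or any project's code; it assumes the GNU lsof and procps `w -h` column layouts given in the comments, and the sample output, the addresses (RFC 5737 documentation ranges) and the trusted ip are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: the script's two detection
# pipelines as stdin-driven functions, so they can be run against captured or
# constructed `lsof -i -n -P` and `w -h` output instead of a live host.
# Assumed column layouts (GNU lsof / procps w):
#   lsof: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
#   w -h: USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

# Established sockets (NAME contains "->") held by shells or interpreters,
# minus the same process names the post excludes. Reads lsof output on stdin.
suspicious_sockets() {
    grep -E 'sh|bash|nc|perl|python|php' \
      | grep -vE 'shell2htt|ssh|mbsync' \
      | grep -- '->'
}

# Owners of those sockets, one per line.
suspicious_users() {
    suspicious_sockets | awk '{print $3}' | sort -u
}

# Remote side of those sockets (the part after "->"), one per line.
suspicious_peers() {
    suspicious_sockets | awk '{print $9}' | cut -d '>' -f2 | sort -u
}

# Sessions whose FROM column is not the trusted address ($1). Exact field
# match rather than `grep -v`, so 10.0.0.1 does not also dismiss 10.0.0.10.
# The console appears with FROM "-" and is reported as well.
foreign_sessions() {
    awk -v ip="$1" '$3 != ip'
}

# Mail text in the post's format (Subject header, blank line, body).
# $1 subject, $2 user(s), $3 tty(s), $4 ip(s); the time comes from the clock.
compose_alert() {
    printf 'Subject: %s\n\nshell session opened:\nuser: %s\ntty: %s\nip: %s\ntime: %s\n' \
        "$1" "$2" "$3" "$4" "$(date '+%Y-%m-%d %H:%M:%S')"
}

# Constructed sample data: one sshd session, one bash with an outbound socket,
# a listening python, and an IMAP sync client that must be ignored.
SAMPLE_LSOF='COMMAND   PID USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1201 root      3u  IPv4  20011      0t0  TCP 192.0.2.10:22->198.51.100.7:51022 (ESTABLISHED)
bash     4410 www-data  0u  IPv4  31337      0t0  TCP 192.0.2.10:48122->203.0.113.9:4444 (ESTABLISHED)
python3  2200 backup    5u  IPv4  22222      0t0  TCP *:8000 (LISTEN)
mbsync   3100 emre      6u  IPv4  25555      0t0  TCP 192.0.2.10:52000->198.51.100.20:993 (ESTABLISHED)'

SAMPLE_W='emre     pts/0    198.51.100.7     10:02    1.00s  0.05s  0.01s w -h
root     pts/1    203.0.113.9      10:10    0.00s  0.02s  0.00s -bash
emre     tty1     -                09:00    1:02m  0.10s  0.10s -bash'

TRUSTED_IP=198.51.100.7   # constructed; plays the role of $myip in the script

# Dry run over the sample data: prints what the script would mail.
demo() {
    peers=$(printf '%s\n' "$SAMPLE_LSOF" | suspicious_peers)
    [ -n "$peers" ] && compose_alert "reverse shell access on $(uname -n)" \
        "$(printf '%s\n' "$SAMPLE_LSOF" | suspicious_users)" noninteractive "$peers"
    foreign=$(printf '%s\n' "$SAMPLE_W" | foreign_sessions "$TRUSTED_IP")
    [ -n "$foreign" ] && compose_alert "shell access on $(uname -n)" \
        "$(printf '%s\n' "$foreign" | awk '{print $1}' | sort -u)" \
        "$(printf '%s\n' "$foreign" | awk '{print $2}' | sort -u)" \
        "$(printf '%s\n' "$foreign" | awk '{print $3}' | sort -u)"
    return 0
}
```

on a live host the same functions work on real output (`lsof -i -n -P | suspicious_peers`, `w -h | foreign_sessions "$myip"`); note that the sample deliberately includes the console login with FROM "-", which the post's `grep -v "$myip"` also reports, so a local login will mail you too.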

adjust pam with nano /etc/pam.d/common-session: put this line at the end of the file, then save it.
session required pam_exec.so /root/shellalert.sh
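pam_exec hands the script the session it is opening through environment variables (PAM_TYPE, PAM_USER, PAM_RHOST, PAM_TTY, PAM_SERVICE; see pam_exec(8)), so the hook can describe the new login from those instead of scraping `w`, which may not yet list a session that is still being opened. below is an added example of such a hook, not code from the post; the trusted address, recipient, file name and dry-run switch are assumptions. it always exits 0, because with `session required` a failing script would block the login itself (`session optional` is the gentler choice for a hook like this).

```shell
#!/bin/sh
# Added example, not code from the original post: a pam_exec-driven variant of
# the hook that reports the session from the PAM_* variables pam_exec exports.
# TRUSTED_IP, ALERT_TO and DRY_RUN are assumptions for the demo.

TRUSTED_IP="${TRUSTED_IP:-198.51.100.7}"       # constructed; same role as $myip in the post
ALERT_TO="${ALERT_TO:-<to_user>@zurrak.com}"   # recipient placeholder from the post
DRY_RUN="${DRY_RUN:-1}"                        # 1: print the mail; 0: hand it to msmtp

# Decide whether this PAM event deserves a mail. Prints "alert" or "skip".
classify_session() {
    case "${PAM_TYPE:-}" in
        open_session) ;;
        *) printf 'skip\n'; return 0 ;;        # close_session and anything else
    esac
    if [ "${PAM_RHOST:-}" = "$TRUSTED_IP" ]; then
        printf 'skip\n'                        # the post's "dismissed" address
    else
        printf 'alert\n'
    fi
}

# Mail text in the post's format, built from the PAM variables. A local login
# (console, su) has no PAM_RHOST and is reported as "local".
render_alert() {
    printf 'Subject: shell access on %s\n\nshell session opened:\nuser: %s\ntty: %s\nip: %s\nservice: %s\ntime: %s\n' \
        "$(uname -n)" "${PAM_USER:-?}" "${PAM_TTY:-?}" "${PAM_RHOST:-local}" \
        "${PAM_SERVICE:-?}" "$(date '+%Y-%m-%d %H:%M:%S')"
}

# Deliver: stdout in dry-run mode, msmtp (account "service" from the config) otherwise.
deliver() {
    if [ "$DRY_RUN" = 1 ]; then cat; else msmtp -a service "$ALERT_TO"; fi
}

# Entry point. Always returns 0: with "session required pam_exec.so", a
# non-zero status would make the login itself fail.
main() {
    if [ "$(classify_session)" = alert ]; then
        render_alert | deliver
    fi
    return 0
}

# Run only when executed under the assumed file name, not when sourced for testing.
if [ "${0##*/}" = "pam_shellalert.sh" ]; then
    main
fi
```

to try it without pam, export the variables by hand, e.g. `PAM_TYPE=open_session PAM_USER=root PAM_RHOST=203.0.113.9 PAM_TTY=ssh PAM_SERVICE=sshd ./pam_shellalert.sh`, and set `DRY_RUN=0` once the output looks right.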

generating alert:

incoming mail:

let's roll!

if you have questions: contact