From ba5417bcffc7ec01d39f2199239c6e5961894e9d Mon Sep 17 00:00:00 2001
From: Max Isom
Date: Fri, 16 Sep 2016 11:39:40 -0500
Subject: [PATCH 1/5] Create login-alerts.sh
---
setup/login-alerts.sh | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 setup/login-alerts.sh
diff --git a/setup/login-alerts.sh b/setup/login-alerts.sh
new file mode 100644
index 00000000..f0479a8c
--- /dev/null
+++ b/setup/login-alerts.sh
@@ -0,0 +1,29 @@
+function get_default_hostname {
+ # Guess the machine's hostname. It should be a fully qualified
+ # domain name suitable for DNS. None of these calls may provide
+ # the right value, but it's the best guess we can make.
+ set -- $(hostname --fqdn 2>/dev/null ||
+ hostname --all-fqdns 2>/dev/null ||
+ hostname 2>/dev/null)
+ printf '%s\n' "$1" # return this value
+}
+
+echo '
+#!/bin/sh
+# Change these two lines:
+sender="bot@"
+sender+=get_default_hostname
+recepient="admin@"
+recepient+=get_default_hostname
+
+if [ "$PAM_TYPE" != "close_session" ]; then
+ host="`hostname`"
+ subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
+ # Message to send, e.g. the current environment variables.
+ message="If you don't recognize this login, your key or password may be compromised."
+ echo "$message" | mailx -r "$sender" -s "$subject" "$recepient"
+fi' > /etc/ssh/login-alert.sh
+
+chmod +x /etc/ssh/login-alert.sh
+
+echo 'session optional pam_exec.so seteuid /etc/ssh/login-alert.sh' >> /etc/pam.d/sshd
From 69394a563b0af6d77e3d13a855f8efd63a7ab92a Mon Sep 17 00:00:00 2001
From: Max Isom
Date: Fri, 16 Sep 2016 11:56:05 -0500
Subject: [PATCH 2/5] Fix domain
---
setup/login-alerts.sh | 25 +++++++------------------
1 file changed, 7 insertions(+), 18 deletions(-)
diff --git a/setup/login-alerts.sh b/setup/login-alerts.sh
index f0479a8c..cc90ec94 100644
--- a/setup/login-alerts.sh
+++ b/setup/login-alerts.sh
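Review bot: In the hunk of patch 1/5, `chmod +x /etc/ssh/login-alert.sh` only adds execute bits, so the write bits on a script that the appended `pam_exec.so seteuid` line runs from sshd's session stack (presumably as root) are whatever the installer's umask left behind. Set owner and mode explicitly instead, for example `chown root:root /etc/ssh/login-alert.sh` followed by `chmod 0755 /etc/ssh/login-alert.sh`, so a permissive umask cannot leave the hook group- or world-writable. The same `chmod +x` line is carried through the hunks of patches 2/5, 3/5 and 4/5 without this being addressed.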
@@ -1,28 +1,17 @@ -function get_default_hostname { - # Guess the machine's hostname. It should be a fully qualified - # domain name suitable for DNS. None of these calls may provide - # the right value, but it's the best guess we can make. - set -- $(hostname --fqdn 2>/dev/null || - hostname --all-fqdns 2>/dev/null || - hostname 2>/dev/null) - printf '%s\n' "$1" # return this value -} +source /etc/mailinabox.conf # load global vars -echo ' +cat <> /etc/ssh/login-alert.sh #!/bin/sh -# Change these two lines: -sender="bot@" -sender+=get_default_hostname -recepient="admin@" -recepient+=get_default_hostname +sender="bot@PRIMARY_HOSTNAME" +recepient="admin@$PRIMARY_HOSTNAME" if [ "$PAM_TYPE" != "close_session" ]; then - host="`hostname`" - subject="SSH Login: $PAM_USER from $PAM_RHOST on $host" + subject="SSH Login: $PAM_USER from $PAM_RHOST" # Message to send, e.g. the current environment variables. message="If you don't recognize this login, your key or password may be compromised." echo "$message" | mailx -r "$sender" -s "$subject" "$recepient" -fi' > /etc/ssh/login-alert.sh +fi +EOF chmod +x /etc/ssh/login-alert.sh From 0720ffafb91dc68b008d315af75a876215f8cf2d Mon Sep 17 00:00:00 2001 From: Max Isom Date: Fri, 16 Sep 2016 14:04:16 -0500 Subject: [PATCH 3/5] Fixes --- setup/login-alerts.sh | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/setup/login-alerts.sh b/setup/login-alerts.sh index cc90ec94..3741f59a 100644 --- a/setup/login-alerts.sh +++ b/setup/login-alerts.sh 
@@ -1,18 +1,21 @@ +#!/bin/bash + +cat << 'EOF' > /etc/ssh/login-alert.sh +#!/bin/bash + source /etc/mailinabox.conf # load global vars -cat <> /etc/ssh/login-alert.sh -#!/bin/sh -sender="bot@PRIMARY_HOSTNAME" -recepient="admin@$PRIMARY_HOSTNAME" - if [ "$PAM_TYPE" != "close_session" ]; then - subject="SSH Login: $PAM_USER from $PAM_RHOST" - # Message to send, e.g. the current environment variables. - message="If you don't recognize this login, your key or password may be compromised." - echo "$message" | mailx -r "$sender" -s "$subject" "$recepient" + IP=$(echo $SSH_CONNECTION | cut -d ' ' -f 1) + sendEmail -q -f "bot@$PRIMARY_HOSTNAME" -t "admin@$PRIMARY_HOSTNAME" -u "SSH Login: $PAM_USER from $PAM_RHOST" -m "If you don't recognize this login, your key or password may be compromised." fi EOF chmod +x /etc/ssh/login-alert.sh -echo 'session optional pam_exec.so seteuid /etc/ssh/login-alert.sh' >> /etc/pam.d/sshd +if grep -Fq "login-alert" /etc/pam.d/sshd +then + : +else + echo 'session optional pam_exec.so seteuid /etc/ssh/login-alert.sh' >> /etc/pam.d/sshd +fi From 8a302ee8d802cef51732b50bd5bad53714738425 Mon Sep 17 00:00:00 2001 From: Max Isom Date: Fri, 16 Sep 2016 14:06:17 -0500 Subject: [PATCH 4/5] Add comments --- setup/login-alerts.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/setup/login-alerts.sh b/setup/login-alerts.sh index 3741f59a..c5dd53c8 100644 --- a/setup/login-alerts.sh +++ b/setup/login-alerts.sh 
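Review bot: The `sendEmail -q ...` call in the generated script has no failure path, and the hook is registered as `session optional`, so a missing `sendEmail` binary or an unreachable mail server lets logins proceed with no alert and no trace that alerting is broken. Record the failure locally by appending `|| logger -t login-alert "could not send login alert for $PAM_USER from $PAM_RHOST"` to the `sendEmail` line. Nothing in this hunk installs `sendEmail`, so the setup should also make sure it is present, unless that is handled outside the lines shown. The `IP=$(echo $SSH_CONNECTION | cut -d ' ' -f 1)` assignment is never used by the command that follows it.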
@@ -1,21 +1,22 @@ #!/bin/bash +# Create a script to be called when a user logs in cat << 'EOF' > /etc/ssh/login-alert.sh #!/bin/bash source /etc/mailinabox.conf # load global vars if [ "$PAM_TYPE" != "close_session" ]; then - IP=$(echo $SSH_CONNECTION | cut -d ' ' -f 1) + # send alert sendEmail -q -f "bot@$PRIMARY_HOSTNAME" -t "admin@$PRIMARY_HOSTNAME" -u "SSH Login: $PAM_USER from $PAM_RHOST" -m "If you don't recognize this login, your key or password may be compromised." fi EOF -chmod +x /etc/ssh/login-alert.sh +chmod +x /etc/ssh/login-alert.sh # make script executable -if grep -Fq "login-alert" /etc/pam.d/sshd +if grep -Fq "login-alert" /etc/pam.d/sshd # if line has already been added to sshd then - : + : # do nothing else - echo 'session optional pam_exec.so seteuid /etc/ssh/login-alert.sh' >> /etc/pam.d/sshd + echo 'session optional pam_exec.so seteuid /etc/ssh/login-alert.sh' >> /etc/pam.d/sshd # otherwise add the line fi From e7491dffd6788ebd5f8cd0dcc24630d3a6dc9de2 Mon Sep 17 00:00:00 2001 From: Max Isom Date: Fri, 16 Sep 2016 14:07:27 -0500 Subject: [PATCH 5/5] Add login-alerts.sh --- setup/start.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/start.sh b/setup/start.sh index 790afe18..624024e7 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -102,6 +102,7 @@ source setup/dns.sh source setup/mail-postfix.sh source setup/mail-dovecot.sh source setup/mail-users.sh +source setup/login-alerts.sh source setup/dkim.sh source setup/spamassassin.sh source setup/web.sh
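Review bot: In the hunk of patch 4/5, the `then : # do nothing` branch exists only to reach the `else`; negating the test reads more directly, `if ! grep -Fq "login-alert" /etc/pam.d/sshd; then`, followed by the existing `echo ... >> /etc/pam.d/sshd` line and `fi`. The substring match on `login-alert` also treats a commented-out or differently configured line as already installed, so matching the full `pam_exec.so seteuid /etc/ssh/login-alert.sh` text would make the guard more precise.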