Root Breach Email Notification
If someone gains root access to your server, you should be warned immediately. This guide shows how to set up an email alert every time an interactive root shell is started, for example by logging in as root over SSH. The alert includes the output of `who`, which lists the source host or IP of each active session, so you learn where the login came from and that your system may have been compromised.
🔒 Goal
Receive an email alert whenever someone logs into the server as root.
🛠 Steps
1. Login as Root
SSH into your server and log in as the root user.
ssh root@your-server-ip
2. Edit Root's Bash Profile
Open root's .bash_profile for editing (bash reads this file when it starts a login shell; nano creates it if it does not exist yet):
nano ~/.bash_profile
3. Add Email Alert Command
Scroll to the bottom and add the following line. It uses $(...) instead of backticks so the command substitution nested inside the quoted subject is unambiguous:
echo "ALERT - Root shell access on $(hostname) at $(date): $(who)" | mail -s "Alert: Root access at $(hostname)" you@example.com
🔁 Replace you@example.com with the address that should receive the alerts.
4. Save and Exit
- Press CTRL + X to exit
- Press Y to confirm saving
- Press Enter to write the changes
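A fuller version of the same tripwire, added here as an example and not part of the original guide: it records the SSH source address from sshd's SSH_CONNECTION variable, writes to syslog with logger as well as sending mail, fires only for interactive shells, and never aborts the login if alerting fails. The address you@example.com, the syslog tag root-login-alert and the function names are placeholders chosen for this example.

```bash
#!/bin/bash
# Added example, not the original guide's one-liner. Append to root's ~/.bash_profile.
# Assumptions (placeholders, not from the page): ALERT_TO, the syslog tag
# "root-login-alert", and the function names below.

ALERT_TO="${ALERT_TO:-you@example.com}"   # replace with the address that should receive alerts

# Build the alert text from explicit inputs so the logic can be exercised outside a live login.
#   $1 = hostname, $2 = timestamp, $3 = value of SSH_CONNECTION (empty when not an SSH session),
#   $4 = controlling tty
root_login_alert_body() {
    local host="$1" when="$2" conn="$3" tty="$4" src
    if [ -n "$conn" ]; then
        # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port";
        # intentionally unquoted so it is split into the four fields.
        set -- $conn
        src="ssh from $1:$2 to $3:$4"
    else
        src="console/local (no SSH_CONNECTION)"
    fi
    printf 'ALERT - root shell on %s at %s\nsource: %s\ntty: %s\n' "$host" "$when" "$src" "$tty"
}

send_root_login_alert() {
    local body
    body="$(root_login_alert_body "$(hostname)" "$(date '+%Y-%m-%d %H:%M:%S %Z')" \
                                  "${SSH_CONNECTION:-}" "$(tty 2>/dev/null || echo unknown)")"
    # Syslog first: it is local, fast, and survives a broken MTA; ship it off-host if you can.
    logger -t root-login-alert -- "$(printf '%s' "$body" | tr '\n' ' ')"
    # Then mail, only if the mail command is installed.
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s "Alert: root access on $(hostname)" "$ALERT_TO"
    fi
}

# Fire only for interactive shells ($- contains "i"); "|| true" keeps a failed alert from
# blocking the login itself.
case $- in
    *i*) send_root_login_alert || true ;;
esac
```

Logging to syslog before mailing matters because an attacker with root can stop the MTA; if syslog is forwarded to another host, the event still leaves the box.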
✅ Requirements
- The mail command must be available. On most systems you can install it via:
yum install mailx -y # for CentOS/AlmaLinux/CloudLinux
apt install mailutils -y # for Debian/Ubuntu
- An MTA (Mail Transfer Agent) such as Postfix or Exim must be configured to deliver (or relay) outbound email. Send yourself a test message with mail and confirm it arrives before relying on the alert.
📌 Notes
- This only fires when bash starts a login shell for root: an interactive SSH session, a console login, `su -` or `sudo -i`. Non-interactive commands (for example ssh root@host 'command') and non-login shells do not read .bash_profile, and root's login shell must be bash.
- An attacker who already has root can delete the line or start a different shell, so treat this as a tripwire that makes a quiet login harder, not as a security control.
- For extra protection, consider using:
  - root login disabled via SSH (PermitRootLogin no in /etc/ssh/sshd_config), with administrators logging in as themselves and using sudo
  - key-based login instead of password authentication
  - two-factor authentication (2FA) for SSH
  - logwatch, logcheck, or OSSEC for broader intrusion detection
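A quick way to check whether the SSH hardening settings above are actually in effect, added here as an example that is not part of the original guide: the function below reads the effective server configuration as printed by sshd -T (lowercase "keyword value" lines), reports each setting that is weaker than recommended, and returns the number of findings. The recommended values, the AUDIT_LIVE switch and the function name are choices made for this example, not from the page.

```bash
#!/bin/bash
# Added example, not from the original guide. Audits the effective sshd configuration.
# Usage on a live host (sshd -T must run as root):   AUDIT_LIVE=1 ./audit-sshd.sh
# Assumptions (chosen here): the function name, the AUDIT_LIVE switch and the recommended values.

# Reads "keyword value" lines in the format printed by `sshd -T` on stdin,
# prints one line per weak setting, and returns the number of findings (0 = all good).
audit_sshd_settings() {
    local findings=0 key value seen_root=0 seen_pw=0
    while read -r key value; do
        case "$key" in
            permitrootlogin)
                seen_root=1
                # "no" is the goal; "prohibit-password" (old spelling: "without-password")
                # still lets root in with a key, "yes" allows root with a password.
                [ "$value" = "no" ] || { echo "permitrootlogin=$value (recommended: no)"; findings=$((findings+1)); } ;;
            passwordauthentication)
                seen_pw=1
                [ "$value" = "no" ] || { echo "passwordauthentication=$value (recommended: no, use keys)"; findings=$((findings+1)); } ;;
            permitemptypasswords)
                [ "$value" = "no" ] || { echo "permitemptypasswords=$value (recommended: no)"; findings=$((findings+1)); } ;;
            maxauthtries)
                [ "$value" -le 4 ] || { echo "maxauthtries=$value (recommended: 4 or fewer)"; findings=$((findings+1)); } ;;
        esac
    done
    # sshd -T always prints these two keywords; if they are missing, the input was not sshd -T output.
    if [ "$seen_root" -eq 0 ] || [ "$seen_pw" -eq 0 ]; then
        echo "input does not look like sshd -T output (permitrootlogin/passwordauthentication missing)"
        findings=$((findings+1))
    fi
    return "$findings"
}

# Run against the live daemon only when asked, so sourcing this file has no side effects.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    sshd -T | audit_sshd_settings
fi
```

Checking sshd -T rather than grepping /etc/ssh/sshd_config matters because Match blocks, Include directives and distribution drop-ins in /etc/ssh/sshd_config.d can override what the main file appears to say.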
🔐 Root Breach & Suspicious Activity Alerts with CSF + Imunify360 (2025)
This guide helps detect root logins, brute force attacks, and suspicious activity on cPanel + CloudLinux + Imunify360 servers using:
- ✅ Bash email alerts for root login
- ✅ CSF/LFD for brute force and su login alerts
- ✅ Imunify360 for malware, web shell and DoS detection
🚨 Part 5: Imunify360 Integration for Suspicious Activity Alerts
✅ Requirements
- Imunify360 installed and licensed on your server.
- An email address configured to receive system alerts.
- Outbound mail working via Postfix or Exim (cPanel ships Exim already configured).
🔍 Step 1: Enable Real-Time Malware Scanning
Imunify360 monitors file changes and scans for web-based malware (e.g., PHP shells). Check the current scanner settings:
imunify360-agent config show | grep -A8 MALWARE_SCANNING
Real-time scanning is the inotify-based file watcher; enable it with:
imunify360-agent config update '{"MALWARE_SCANNING": {"enable_scan_inotify": true}}'
Verify the exact key names against the output of config show for your Imunify360 version before applying an update, and run config show again afterwards to confirm the value took effect.
🛡 Step 2: Enable Enhanced DOS Protection
Blocks IPs that open an abusive number of connections within the configured timeframe (especially on ports like 80 and 443).
imunify360-agent config update '{"ENHANCED_DOS": {"enabled": true}}'
(Optional) Customize rate limits and timeframe:
imunify360-agent config update '{"ENHANCED_DOS": {"timeframe": 60, "default_limit": 500}}'
imunify360-agent config update '{"ENHANCED_DOS": {"port_limits": {"80": 150, "443": 150}}}'
📧 Step 3: Enable Email Notifications for Detected Threats
Set the address that should receive alerts (replace you@example.com):
imunify360-agent config update '{"NOTIFICATIONS": {"email": ["you@example.com"]}}'
Enable specific alerts:
imunify360-agent config update '{"NOTIFICATIONS": {
"MALWARE_SCAN": true,
"MALWARE_CLEANUP": true,
"LOGIN_DETECTION": true,
"INJECTION_DETECTION": true
}}'
The notification schema differs between Imunify360 versions: check the keys under NOTIFICATIONS (and the admin address list under ADMIN_CONTACTS) in imunify360-agent config show before applying, and confirm with the same command afterwards that the values were accepted.
🧪 Step 4: Trigger a Manual Malware Scan (optional)
Start an on-demand scan of the web roots (/home is an example path; scan the directories your sites live in):
imunify360-agent malware on-demand start --path /home
Check progress and results:
imunify360-agent malware on-demand status
imunify360-agent malware malicious list
🔁 Step 5: Monitor Suspicious File Uploads
Web shell or infected file uploads are logged (and, with notifications enabled, emailed) via:
/var/log/imunify360/console.log
To watch in real-time:
tail -f /var/log/imunify360/console.log
⚙️ Step 6: Block Abusive IPs Detected by Imunify360
View blocked IPs:
imunify360-agent graylist ip list
imunify360-agent blacklist ip list
Manually block an address (1.2.3.4 is a placeholder; double-check it is not one of your own or a monitoring IP first):
imunify360-agent blacklist ip add 1.2.3.4
✅ Combine With cPanel Contact Manager
Set the server contact email address in WHM:
- WHM » Contact Manager
- WHM » Basic WebHost Manager Setup » Contact Information
Also make sure the Security Advisor and "Root Access" notifications are enabled in Contact Manager, so cPanel's own alerts reach the same inbox as the alerts above.
🧠 Summary
Method | Detects | Alert Type
---|---|---
.bash_profile | Direct root logins (interactive login shells) | Email
CSF/LFD | SSH brute force, root/su logins, failed logins | Email (lfd alerts)
Imunify360 | Malware, web shells, brute force/DoS attempts | Email + logs