Config Server Firewall may report SSH logins to a server via email to server administrator

Email subject: "SSH login alert for user USERNAMEHERE from IPHERE" and in the content is "Method: keyboard-interactive/pam authentication"

so what to do? best to check SSH/authentication logs which are located usually in /var/log/secure

(tail -n 50 /var/log/secure)

One may see something like:

Code:
Mar 10 10:43:28 hostname sshd[1633]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:43:53 hostname sshd[6789]: Accepted keyboard-interactive/pam for USERNAME from IPHERE port 50383 ssh2
Mar 10 10:43:53 hostname sshd[6789]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
Mar 10 10:43:53 hostname sshd[6822]: subsystem request for sftp
Mar 10 10:44:55 hostname sshd[6789]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:46:00 hostname sshd[8189]: Accepted keyboard-interactive/pam for USERNAME from IPHERE port 46570 ssh2
Mar 10 10:46:00 hostname sshd[8189]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)
Mar 10 10:46:01 hostname sshd[8210]: subsystem request for sftp
Mar 10 10:47:03 hostname sshd[8189]: pam_unix(sshd:session): session closed for user bfzagjtm

Check rights for that user, rights are maybe in /etc/passwd

(cat /etc/passwd | grep USERNAME)

One may see something like:

Code:
USERNAME:x:849:858::/home/USERNAME:/usr/local/cpanel/bin/noshell
someone said that noshell allows user to login but dont allow doing anything, log out him and that one can change it to "nologin"

(usermod -s /sbin/nologin bfzagjtm)

than result of (cat /etc/passwd | grep USERNAME) would be:

Code:
USERNAME:x:849:858::/home/USERNAME:/sbin/nologin