If you don’t have this set up already, you should! This is a great method to ensure you’re notified each time the root user connects to your server via SSH.
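Edit the .bash_profile file of the user whose account you wish to monitor (typically /root/.bash_profile) and add the following line, replacing the placeholder you@example.com with the address that should receive the alerts:
echo 'ALERT - Root Shell Access on:' `hostname` `date` `who` | mail -s "Alert: Root Access on `hostname`" you@example.com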
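You will then receive an email each time the selected user logs into the system via SSH. The email includes the output of who, which shows each logged-in session with its connection details and source IP, so you can keep a close eye on who’s accessing a particular server with root privileges. Because .bash_profile is only read when bash starts as a login shell, sessions that never start one (scp, sftp, or a single remote command) send no email, so keep the SSH daemon’s authentication log as the authoritative record.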
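A variant of the same .bash_profile alert, added here as an example and not part of the original post: it sends mail only when the login came over SSH and reports that session's own source address from the SSH_CONNECTION variable that OpenSSH sets, instead of the whole who listing. The names ALERT_TO and build_root_alert and the address you@example.com are made up for this example.

```shell
# Added example for /root/.bash_profile (not from the original post).
# ALERT_TO is a placeholder address; build_root_alert is a hypothetical name.
ALERT_TO="you@example.com"

# Fall back to uname -n on systems without the hostname command.
ALERT_HOST=$(hostname 2>/dev/null || uname -n)

# Print the alert body for one session.
# $1 is the value of SSH_CONNECTION, which OpenSSH sets to
# "client_ip client_port server_ip server_port".
# Returns 1 (and prints nothing) if $1 is empty or malformed, so
# console logins and "su -" do not produce an SSH alert.
build_root_alert() {
    [ -n "$1" ] || return 1
    set -- $1                      # split the value into its fields
    [ $# -eq 4 ] || return 1
    printf 'ALERT - Root Shell Access on: %s\n' "$ALERT_HOST"
    printf 'Time: %s\n' "$(date)"
    printf 'User: %s\n' "$(id -un)"
    printf 'From: %s port %s\n' "$1" "$2"
    printf 'To:   %s port %s\n' "$3" "$4"
}

# Send the alert only when this login shell belongs to an SSH session
# and a mail command is available.
if body=$(build_root_alert "${SSH_CONNECTION:-}") && command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$body" | mail -s "Alert: Root Access on $ALERT_HOST" "$ALERT_TO"
fi
```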