Get SSH Login Notification on Telegram

thumbnail for this post

Description

A simple shell script that executes automatically once a ssh user logs into a server with SSH. The script sends a telegram message to a user of your choice. It also has features to identify the user who has just logged in.

The script reports the following

  1. Date and time.
  2. Username used to gain ssh login.
  3. The IP address of the user trying to login.
  4. The AS code of the User trying to login.
  5. Physical address and the country of the user attempting login.
  6. SSH port the login was attempted on.

Operational security disclaimer

This script isn’t designed to gain logs of ‘anyone’ trying to gain authorized/unauthorized access to a machine with SSH. But it can be modified to do so. This script focus on notifying the owner of a machine if anyone has attempted successful login with SSH. THIS IS DETECTION, NOT PREVENTION.

img

Prerequisites

  • A telegram bot. Make one from the BotFather bot @BotFather More information here: https://core.telegram.org/bots
  • The recipient’s telegram ID. Use this bot @getmyid_bot
  • A SSH machine with sudo access.

get raw from here

Instructions

  • will look like http://t.me/your_bots_name. Also, copy the HTTP API: token generated by the BotFather.
  • Use @getmyid_bot bot to get your user ID. Should be in the form Your user ID: XXXXXXXXX Current chat ID: XXXXXXXXX
  • Clone the script on your target machine. Edit the sshd file located at
/etc/pam.d/sshd

and add the following line at the end of the file

session optional pam_exec.so /<path_to_yourscript.sh

or add this line to .bashrc (/root/.bashrc or ~/user/.bashrc)

bash /<path_to_Script.sh>

IMPORTANT

Setting the session to ‘optional’ will allow the user to login in case the script fails. (ex. Telegram servers are down) This prevents you from being locked out. But setting the session to ‘required’ will enforce the execution of this script as absolute.

  • Edit the telegram credentials you just got from the two bots. USERID and KEY.

  • Login and test!

comments powered by Disqus