In order to send a notification about successful login to the server via SSH, you need to track the moment of such login. Let's use the built-in Linux tools, namely, the global profile settings, which are located in the /etc/profile folder. This profile (and in fact, these are the initial user settings) will be applied to all users who are logged into the system and for which the command shell is running. The global profile settings are very flexible, but we are interested in the default launch of all bash files (*.sh) from the /etc/profile.d folder. Let's create a simple bash script in this folder, the role of which is to run a python script, and already this python script will fetch data over an ssh connection, generate an information line and send it to the telegram channel of the server administrator.
Let's get started.
1. If you still do not have your own telegram bot, create it, as well as a channel in which messages will be received. To do this, use paragraphs 1-2 of the Instructions. As an administrator of a telegram channel, you can also add other members to it to jointly monitor SSH connections to servers.
2. In the /usr/bin/ folder, create a python script file. To do this, run the command
vim /usr/bin/ssh_notification.py
and place the script code
#----------settings---------
# dont send message to telegram if IP includes in whitelist IP, for example, admin IP.
# send notification for all IPs: wlip = []
wlip = ['123.123.45.67','98.76.54.32']
# users to track. For all users to track: userstrack = []
usertrack = ['root','admin']
#-------------------------------------
import os
import datetime
import requests
import socket
def SendMsgToTelegramChanel_z(msg):
token="TOKEN"
chat_id = 'CHAT_ID'
params = {'chat_id': chat_id,'text': msg}
response = requests.get('https://api.telegram.org/bot'+token+'/sendMessage', params=params)localip = socket.gethostbyname(socket.gethostname())
ip = os.popen("echo $SSH_CLIENT | awk -F' ' '{print $1}'").read().strip()
login = os.popen("whoami").read().strip()
dtime = datetime.datetime.now().strftime("%d-%m-%Y %H:%M:%S")if (ip not in wlip or not wlip) and (login in userstrack or not userstrack):
SendMsgToTelegramChanel_z('SSH connect to ' + localip + '\nUser: ' + login + '\nFrom: ' + ip + '\n' + dtime)
There are 2 optional settings at the top of the script:
- The wlip variable contains a whitelist list of IPs from which a notification will not be sent when connecting to the server. This can be one or more server administrator IPs. If you want to send a login message to the server regardless of IP, set the variable value to [] (just clear everything inside the square brackets)
wlip = []
- In the "userstrack" variable, you can specify one or more logins that you want to track. To send notifications regardless of the username, clear everything inside the brackets:
usertrack = []
- Also replace TOKEN and CHAT_ID with the corresponding values obtained when creating the telegram bot and channel.
3. In the /etc/profile.d/ folder, create a simple bash script that will run the previously created python script. To do this, run the command
vim /etc/profile.d/ssh_notification.sh
and place the script code:
#!/bin/bash
python3 /usr/bin/ssh_notification.py
Monitoring of SSH connections to the server with notifications sent to Telegram is configured.
As a result, you will be able to receive the following notifications: