This is a modification of a bash script originally authored by me but altered to work with slack by a fellow redditor at /r/netsec going by u/FunDeckHermit. Now I am not a slack user for ideological reasons, but I understand some may be. So this is for them!

Operational security disclaimer:

This script isn’t designed to gain logs of ‘anyone’ trying to gain authorized/unauthorized access to a machine with SSH. But it can be modified to do so. This script focus on notifying the owner of a machine if anyone has attempted successful login with SSH. THIS IS DETECTION, NOT PREVENTION.

#!/bin/bash
CHANNEL="<YOUR CHANNEL>"
HEADER1="Content-type:application/json;charset=UTF-8;"
HEADER2="Authorization:Bearer <YOUR_API_CODE>"
TIMEOUT="10"
URL="https://slack.com/api/chat.postMessage"
DATE_EXEC="$(date "+%d %b %Y %H:%M")" #Collect date & time.
TMPFILE='/tmp/ipinfo-$DATE_EXEC.txt' #Create a temporary file to keep data in.
if [ -n "$SSH_CLIENT" ] && [ -z "$TMUX" ]; then #Trigger
IP=$(echo $SSH_CLIENT | awk '{print $1}') #Get Client IP address.
PORT=$(echo $SSH_CLIENT | awk '{print $3}') #Get SSH port
HOSTNAME=$(hostname -f) #Get hostname
IPADDR=$(hostname -I | awk '{print $1}') 
curl https://ipinfo.io/$IP -s -o $TMPFILE #Get info on client IP.
CITY=$(cat $TMPFILE | sed -n 's/^  "city":[[:space:]]*//p' | sed 's/"//g') #Client IP info parsing
REGION=$(cat $TMPFILE | sed -n 's/^  "region":[[:space:]]*//p' | sed 's/"//g')
COUNTRY=$(cat $TMPFILE | sed -n 's/^  "country":[[:space:]]*//p' | sed 's/"//g')
ORG=$(cat $TMPFILE | sed -n 's/^  "org":[[:space:]]*//p' | sed 's/"//g')
TEXT="$DATE_EXEC: ${USER} logged in to $HOSTNAME ($IPADDR) from $IP - $ORG - $CITY, $REGION, $COUNTRY port $PORT"
curl -s -i -X POST -H $HEADER1 -H "$HEADER2" -d '{"channel":"'"$CHANNEL"'", "text": "'"$TEXT"'"}' $URL >/dev/null
rm $TMPFILE #clean up after
fi

Raw script: https://gitlab.com/snippets/1872604/raw

Instructions:

#As mentioned I am not a slack user, so I cannot get in depth or help troubleshoot. You are on your own. 1. Clone the script on your target machine. Edit the sshd file located at

/etc/pam.d/sshd

and add the following line at the end of the file

session optional pam_exec.so /<path_to_yourscript.sh>

IMPORTANT

Setting the session to ‘optional’ will allow the user to login in case the script fails. (ex. Telegram servers are down) This prevents you from being locked out. But setting the session to ‘required’ will enforce the execution of this script as absolute. 2. Enter the required slack credentials in the script.

  1. Login and test!