Description:

A simple shell script that runs automatically whenever a user logs into a server over SSH. The script sends a Telegram message to a recipient of your choice and includes details that identify the user who has just logged in.

The script reports the following:

  1. Date and time.
  2. Username used for the SSH login.
  3. The IP address of the user logging in.
  4. The AS (autonomous system) number of the user logging in.
  5. Approximate location (city and region) and country of the user logging in.
  6. SSH port the login was attempted on.

Operational security disclaimer:

This script isn’t designed to log ‘anyone’ trying to gain authorized or unauthorized access to a machine over SSH, but it can be modified to do so. It focuses on notifying the owner of a machine whenever anyone completes a successful SSH login. THIS IS DETECTION, NOT PREVENTION.

Prerequisites:

  • A Telegram bot. Create one with the BotFather bot (@BotFather). More information here: https://core.telegram.org/bots
  • The recipient’s Telegram user ID. Get it from the @getmyid_bot bot.
  • An SSH server on which you have sudo access.

Original Script

#!/bin/bash

USERID="<Enter_the_user_id_of_the_recipient>" 
KEY="<The_key_of_your_telegram_bot>" 
TIMEOUT="10"
URL="https://api.telegram.org/bot$KEY/sendMessage"
DATE_EXEC="$(date "+%d %b %Y %H:%M")" #Collect date & time.
TMPFILE='/tmp/ipinfo-$DATE_EXEC.txt' #Create a temporary file to keep data in.
if [ -n "$SSH_CLIENT" ] && [ -z "$TMUX" ]; then #Trigger
IP=$(echo $SSH_CLIENT | awk '{print $1}') #Get Client IP address.
PORT=$(echo $SSH_CLIENT | awk '{print $3}') #Get SSH port
HOSTNAME=$(hostname -f) #Get hostname
IPADDR=$(hostname -I | awk '{print $1}') 
curl https://ipinfo.io/$IP -s -o $TMPFILE #Get info on client IP.
CITY=$(cat $TMPFILE | sed -n 's/^  "city":[[:space:]]*//p' | sed 's/"//g') #Client IP info parsing
REGION=$(cat $TMPFILE | sed -n 's/^  "region":[[:space:]]*//p' | sed 's/"//g')
COUNTRY=$(cat $TMPFILE | sed -n 's/^  "country":[[:space:]]*//p' | sed 's/"//g')
ORG=$(cat $TMPFILE | sed -n 's/^  "org":[[:space:]]*//p' | sed 's/"//g')
TEXT="$DATE_EXEC: ${USER} logged in to $HOSTNAME ($IPADDR) from $IP - $ORG - $CITY, $REGION, $COUNTRY port $PORT"
curl -s --max-time $TIMEOUT -d "chat_id=$USERID&disable_web_page_preview=1&text=$TEXT" $URL > /dev/null
rm $TMPFILE #clean up after
fi

Raw script: https://gitlab.com/snippets/1871482/raw

Updated script from community member https://gitlab.com/CDuv

This version does not use the temp file ‘/tmp/ipinfo-$DATE_EXEC.txt’ and fixes some conditions one may want to avoid for security reasons, explained here: https://gitlab.com/snippets/1871482#note_188602535

#!/bin/bash
USERID="<Enter_the_user_id_of_the_recipient>"
KEY="<The_key_of_your_telegram_bot>"
TIMEOUT="10"
URL="https://api.telegram.org/bot$KEY/sendMessage"
DATE_EXEC="$(date "+%d %b %Y %H:%M")" #Collect date & time.
TMPFILE="$(mktemp)" #Create a true temporary file (unique name, created now) to keep data in.
if [ -n "$SSH_CLIENT" ] && [ -z "$TMUX" ]; then #Trigger
IP=$(echo "$SSH_CLIENT" | awk '{print $1}') #Get Client IP address.
PORT=$(echo "$SSH_CLIENT" | awk '{print $3}') #Get SSH port
HOSTNAME=$(hostname -f) #Get hostname
IPADDR=$(hostname -I | awk '{print $1}')
curl -s --max-time "$TIMEOUT" -o "$TMPFILE" "https://ipinfo.io/$IP" #Get info on client IP into the temp file.
IP_INFOS="$(jq -r '.org + " - " + .city + ", " + .region + ", " + .country' "$TMPFILE")" #Client IP info parsing via jq, read from the temp file (curl -o writes nothing to stdout, so it cannot be piped into jq)
TEXT="$DATE_EXEC: ${USER} logged in to $HOSTNAME ($IPADDR) from $IP - ${IP_INFOS} port $PORT"
curl -s --max-time "$TIMEOUT" -d "chat_id=$USERID" -d "disable_web_page_preview=1" --data-urlencode "text=$TEXT" "$URL" > /dev/null #URL-encode the message so spaces, '&' and '+' in it arrive intact
rm -f "$TMPFILE" #clean up after
fi

Instructions:

  1. Create a Telegram bot with the BotFather and start a chat with it. The URL of your newly created bot will look like http://t.me/your_bots_name. Also copy the HTTP API token generated by the BotFather.

  2. Use the @getmyid_bot bot to get your user ID. The reply is of the form Your user ID: XXXXXXXXX Current chat ID: XXXXXXXXX

  3. Copy the script to your target machine. Edit the sshd PAM file located at

    /etc/pam.d/sshd

    and add the following line at the end of the file

    session optional pam_exec.so /<path_to_yourscript.sh>

    IMPORTANT

    Setting the session entry to ‘optional’ allows the user to log in even if the script fails (e.g. Telegram servers are down), which prevents you from being locked out. Setting it to ‘required’ instead makes the session depend on the script running successfully.

  4. Edit the Telegram credentials you just obtained from the two bots: USERID and KEY.

  5. Log in and test!
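The following is an added example, not the snippet's code nor CDuv's: the same notifier rewritten for the pam_exec hook from step 3. pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST to the script, so it does not depend on $SSH_CLIENT from a login shell, it reports only on open_session (pam_exec also runs session scripts on close_session), URL-encodes the Telegram message, and strips control characters from and caps the length of the ipinfo.io fields before they enter the alert. The function names, the DRY_RUN switch and the sample ipinfo.io JSON are assumptions constructed for this example; it assumes ipinfo.io's one-key-per-line output. Install it with the same `session optional pam_exec.so /<path_to_yourscript.sh>` line.

```shell
#!/bin/bash
# Added example (not the snippet's own code): login notifier for the pam_exec hook.
# pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST; function names, DRY_RUN and the
# sample JSON below are assumptions/constructed for this example.

USERID="${USERID:-<Enter_the_user_id_of_the_recipient>}"
KEY="${KEY:-<The_key_of_your_telegram_bot>}"
TIMEOUT="${TIMEOUT:-10}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: no network, print the alert instead of sending it

# Constructed sample of what ipinfo.io returns for a client address (not real data).
SAMPLE_IPINFO='{
  "ip": "203.0.113.5",
  "city": "Example City",
  "region": "Example Region",
  "country": "XX",
  "org": "AS64496 Example ISP"
}'

# pam_exec runs a session script on both open_session and close_session;
# only a session open with a known remote host is a login worth reporting.
should_notify() {  # $1 = PAM_TYPE, $2 = PAM_RHOST
    [ "$1" = "open_session" ] && [ -n "$2" ]
}

# Extract one string field from one-key-per-line JSON (as ipinfo.io prints it),
# tolerating arbitrary whitespace. The value comes from an external service, so
# the length is capped and control characters are removed before it enters the alert.
json_field() {  # $1 = key, stdin = JSON
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | head -n 1 | cut -c1-80 | tr -d '\000-\011\013-\037'
}

ipinfo_summary() {  # stdin = JSON; prints "org - city, region, country", "?" for missing fields
    json="$(cat)"
    org="$(printf '%s\n' "$json" | json_field org)"
    city="$(printf '%s\n' "$json" | json_field city)"
    region="$(printf '%s\n' "$json" | json_field region)"
    country="$(printf '%s\n' "$json" | json_field country)"
    printf '%s - %s, %s, %s\n' "${org:-?}" "${city:-?}" "${region:-?}" "${country:-?}"
}

lookup_ipinfo() {  # $1 = remote IP; returns the constructed sample in dry-run mode (offline)
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$SAMPLE_IPINFO"
    else
        curl -s --max-time "$TIMEOUT" "https://ipinfo.io/$1"
    fi
}

build_message() {  # $1 = date, $2 = user, $3 = host, $4 = host IP, $5 = remote IP, $6 = summary
    printf '%s: %s logged in to %s (%s) from %s - %s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

send_telegram() {  # $1 = message text
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    # --data-urlencode encodes spaces, '&' and '+' that a plain -d would leave in place.
    curl -s --max-time "$TIMEOUT" \
        -d "chat_id=$USERID" -d "disable_web_page_preview=1" \
        --data-urlencode "text=$1" \
        "https://api.telegram.org/bot$KEY/sendMessage" > /dev/null
}

main() {
    should_notify "${PAM_TYPE:-}" "${PAM_RHOST:-}" || return 0
    date_exec="$(date '+%d %b %Y %H:%M')"
    host="$(hostname -f 2>/dev/null || hostname)"
    hostip="$(hostname -I 2>/dev/null | awk '{print $1}')"
    info="$(lookup_ipinfo "$PAM_RHOST" | ipinfo_summary)"
    send_telegram "$(build_message "$date_exec" "${PAM_USER:-?}" "$host" "$hostip" "$PAM_RHOST" "$info")"
}

# Outside a PAM session (no PAM_TYPE) main does nothing; under pam_exec it reports the login.
main
```

To see the alert that would be sent without touching the network, run `DRY_RUN=1 PAM_TYPE=open_session PAM_USER=alice PAM_RHOST=203.0.113.5 /<path_to_yourscript.sh>`; with PAM_TYPE=close_session the script prints nothing, which is the behaviour you want when the hook fires at logout.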