This is a simple slackbot to post successful SSH logins to a slack channel to help you keep track of server access.
Create an incoming webhook for your slack community.
Create /etc/ssh/sshslack.sh
Copy sshslack.sh code and replace URL with webhook URL.
Add the following line to /etc/pam.d/sshd:
session optional pam_exec.so seteuid /etc/ssh/sshslack.sh
Profit!?
| #!/bin/sh | |
| url="webhook_url_from_slack" | |
| channel="#ssh-alerts" | |
| if [ "$PAM_TYPE" != "close_session" ]; then | |
| host=$(curl icanhazptr.com) | |
| content="\"attachments\": [ { \"mrkdwn_in\": [\"text\",],\"text\": \"Someone Logged Into \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$PAM_USER\", \"short\": true }, { \"title\": \"IP Address:\", \"value\": \"<https://ipinfo.io/$PAM_RHOST | $PAM_RHOST>\", \"short\": true } ], \"color\": \"#F35A00\" } ]" | |
| curl -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"ssh-bot\", $content, \"icon_url\": \"http://www.dmuth.org/files/ssh.png\"}" $url | |
| fi |
@sasqwatch; is your /etc/ssh/sshslack.sh executable (chmod +x) ?
and thanks @jgamblin for sharing!
Here is for telegram it work but im not sure my way is good or not ..
#!/bin/sh
chat_id=""
token=""
###############
host=$(hostname)
Message="Someone+Logged+Into+Host+:+$host+with+Username+:+$PAM_USER+From+IP+Address:+$PAM_RHOST"
url="https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=$Message"
if [ "$PAM_TYPE" != "close_session" ]; then
curl -s -X POST $url
fi
I gets a failed: exit code 13. How does one fix this?