
Send telegram message on every ssh login

Add script

Create the file /etc/login-notify.sh and set the TELEGRAM_BOT_TOKEN and TELEGRAM_SEND_TO variables to your bot token and chat id.

#!/bin/sh
# Run by pam_exec on every sshd session; PAM_TYPE, PAM_USER and PAM_RHOST are set by PAM.

if [ "$PAM_TYPE" != "close_session" ]; then
    # Fingerprint of the accepted key (not used in the message below, kept for reference).
    SSH_KEY=$(grep "Accepted publickey" /var/log/auth.log | tail -n 1 | awk '{print $NF}')
    # With LogLevel VERBOSE, sshd logs the authorized_keys file and line that matched,
    # e.g. "... found at /home/user/.ssh/authorized_keys:2".
    WHERE_KEY=$(grep "found at" /var/log/auth.log | tail -n 1 | awk '{print $NF}')

    KEYS_PATH=$(echo "$WHERE_KEY" | cut -d ':' -f 1)
    KEYS_LINE=$(echo "$WHERE_KEY" | cut -d ':' -f 2)
    KEY_LINE=$(sed -n "${KEYS_LINE}p" "$KEYS_PATH")
    KEY_NAME=$(echo "$KEY_LINE" | cut -d ' ' -f 3)   # comment field of the key line

    TELEGRAM_BOT_TOKEN=123456789:someLETTERS
    TELEGRAM_SEND_TO=123456789
    # %0A is a URL-encoded newline, so Telegram shows the message on two lines.
    MESSAGE="Server: ${PAM_USER}@$(hostname)%0ALogin: ${PAM_RHOST} ${KEY_NAME}"
    curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" -d "chat_id=${TELEGRAM_SEND_TO}" -d "text=${MESSAGE}" > /dev/null
fi

Make it executable

chmod +x /etc/login-notify.sh

Add script to execute for every login

Do this by modifying /etc/pam.d/sshd; just append the line to the end of the file with echo:

echo 'session optional pam_exec.so seteuid /etc/login-notify.sh' >> /etc/pam.d/sshd

Increase the log level

The script searches for the key fingerprint, but it doesn't know which authorized_keys file was used for authentication. To get the authorized_keys file location, sshd needs to print it to /var/log/auth.log, which it only does at LogLevel VERBOSE.

Increase the log level and restart ssh (sshd uses the first value it finds for each keyword, so if an uncommented LogLevel line already exists in sshd_config, change that line instead of appending):

echo 'LogLevel VERBOSE' >> /etc/ssh/sshd_config
sudo systemctl restart ssh
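The script above takes the last "found at" line in auth.log, which can belong to a different login when several sessions open at the same time, and it reports a stale key name for password logins. As an added example (not code from the original post), the function below correlates the two VERBOSE sshd lines of one login by the sshd PID and reports "password" or "unknown" when no key line applies. The log lines and the authorized_keys file are constructed sample data written to a temporary directory.

```shell
#!/bin/sh
# Added example: resolve the authorized_keys comment for a given login.
# Sample data is constructed here so the script runs offline.
WORK=$(mktemp -d)
AUTH_LOG="$WORK/auth.log"
AUTHKEYS="$WORK/authorized_keys"

printf '%s\n' \
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0000000000000000000000000000000000000 alice-laptop' \
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1111111111111111111111111111111111111 alice-yubikey' \
  > "$AUTHKEYS"

# Two lines sshd logs at LogLevel VERBOSE for one publickey login (same PID),
# plus a password login that produces no "found at" line.
printf '%s\n' \
  "Mar  1 10:00:00 srv sshd[4001]: Accepted key ED25519 SHA256:fake0000 found at $AUTHKEYS:2" \
  'Mar  1 10:00:00 srv sshd[4001]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:fake0000' \
  'Mar  1 10:05:00 srv sshd[4007]: Accepted password for bob from 198.51.100.9 port 40000 ssh2' \
  > "$AUTH_LOG"

# key_comment_for_login USER RHOST LOG
# Prints the comment field of the authorized_keys entry used by the most recent
# accepted login of USER from RHOST, "password" for password logins, else "unknown".
key_comment_for_login() {
  user=$1; rhost=$2; log=$3
  line=$(grep "Accepted .* for $user from $rhost " "$log" | tail -n 1)
  [ -n "$line" ] || { echo unknown; return 1; }
  case $line in
    *"Accepted password"*) echo password; return 0 ;;
  esac
  # Use the sshd PID so the "found at" line belongs to this login, not a concurrent one.
  pid=$(echo "$line" | sed -n 's/.*sshd\[\([0-9]*\)\].*/\1/p')
  where=$(grep "sshd\[$pid\]: Accepted key .* found at " "$log" | tail -n 1 | awk '{print $NF}')
  path=${where%:*}; lineno=${where##*:}
  [ -r "$path" ] || { echo unknown; return 1; }
  sed -n "${lineno}p" "$path" | awk '{print $3}'
}

# build_message USER HOST RHOST LOG: the text the PAM script would send (%0A = newline).
build_message() {
  echo "Server: $1@$2%0ALogin: $3 $(key_comment_for_login "$1" "$3" "$4")"
}

build_message alice srv 203.0.113.5 "$AUTH_LOG"
```

In the real PAM script, PAM_USER and PAM_RHOST supply the first two arguments and /var/log/auth.log the log path.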