Supercharging Your SSH Experience: Unleashing the Power of Slack for Monitoring!

Jared Lynskey
Emerging leader and software engineer based in Seoul, South Korea
Purpose

  • SSH allows commands to be executed when somebody attempts to log in. This document shows you how to connect that to Slack and control the order in which the commands are executed.

Webhook on Slack API

  • Visit here to learn about creating an app.

  • You will need to create a Slack app, enable webhooks, and create an incoming webhook so that Slack can receive notifications from SSH.

Creating the script for a failed attempt

  • The following file can be saved anywhere on your system; I placed my file in /var/opt/notify-attempt.sh

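#!/bin/bash
# Run by pam_exec.so, which exports PAM_TYPE, PAM_USER and PAM_RHOST to the script.
if [ "$PAM_TYPE" != "close_session" ]; then
        # Incoming webhook URL: treat it as a secret and keep this file writable and readable by root only
        url="<YOUR SLACK WEBHOOK>"
        channel="#channel"
        host="$(hostname)"
        # PAM_USER and PAM_RHOST come from the connecting client and are placed into the JSON as-is
        content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"SSH login: $PAM_USER connected to \`$host\`\", \"text\": \"SSH login to \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$PAM_USER\", \"short\": true }, { \"title\": \"IP Address\", \"value\": \"$PAM_RHOST\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
        # Post in the background so the login is not delayed by the HTTP request
        curl -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"SSH Notifications\", $content, \"icon_emoji\": \":inbox_tray:\"}" "$url" &
fi
exit 0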
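
The script above places $PAM_USER and $PAM_RHOST, which are supplied by the connecting client, straight into the JSON, so a quote or backslash in a user name changes the payload. The following is an added example, not the author's script, that escapes both values before building the same attachment; SLACK_WEBHOOK_URL is a hypothetical variable name and the 64-character cap is an assumed limit.

```bash
#!/bin/bash
# Added example: build the Slack payload without letting PAM_USER or
# PAM_RHOST alter the JSON structure or the Slack formatting.

# Make a client-supplied string safe inside a JSON string literal:
# drop control characters, cap the length (assumed limit: 64), escape
# backslash and double quote for JSON, then &, < and > as Slack asks
# for in message text.
json_escape() {
    printf '%s' "$1" | tr -d '[:cntrl:]' | cut -c1-64 |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
            -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# build_payload USER RHOST HOST -> JSON document on stdout.
# Runs in a subshell so u, r and h do not leak into the caller.
build_payload() (
    u=$(json_escape "$1")
    r=$(json_escape "$2")
    h=$(json_escape "$3")
    printf '{"username":"SSH Notifications","icon_emoji":":inbox_tray:","attachments":[{"fallback":"SSH login: %s connected to %s","text":"SSH login to %s","fields":[{"title":"User","value":"%s","short":true},{"title":"IP Address","value":"%s","short":true}],"color":"#F35A00"}]}' \
        "$u" "$h" "$h" "$u" "$r"
)

# Assumption: the webhook URL is set here or exported to the script.
url="${SLACK_WEBHOOK_URL:-}"
if [ -n "$url" ] && [ "${PAM_TYPE:-}" != "close_session" ]; then
    # Background the request and bound its run time so PAM is not held up.
    curl -s -o /dev/null --max-time 5 --data-urlencode \
        "payload=$(build_payload "${PAM_USER:-}" "${PAM_RHOST:-}" "$(hostname)")" \
        "$url" &
fi
```

With the URL left empty the script sends nothing, so the two functions can be exercised on their own before wiring the file into PAM.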

For other SSH events

  • For other events, such as a successful login, I recommend creating two files.
  • Each file will contain the correct JSON content that will be sent to Slack.
  • You will need to edit the line \"fallback\": \"SSH login: $PAM_USER connected to \`$host\`\"
  • You will see below where OpenSSH uses these scripts.

Configuring ssh

I have commented out the successful attempt notification; you may uncomment it to execute the script and notify Slack. This line: # auth optional pam_exec.so /var/opt/notify-login.sh

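[success=2] means that if the SSH login attempt is successful, PAM jumps over the next two module lines (comment lines do not count), hence skipping the failed attempt notification and pam_deny.so. Because /etc/pam.d/common-auth is included by other service-specific PAM files, the scripts run for every service that includes it, not only for sshd.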

file: /etc/pam.d/common-auth

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
# on success, pam_unix.so skips the next two module lines (comments do not count)
auth  [success=2 default=ignore]   pam_unix.so nullok
# reached only when pam_unix.so did not succeed
auth  optional            pam_exec.so /var/opt/notify-attempt.sh
# here's the fallback if no module succeeds
auth  requisite            pam_deny.so
# For successful login, uncomment the below line, ensure the file exists.
# auth  optional            pam_exec.so /var/opt/notify-login.sh
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth  optional            pam_cap.so
# end of pam-auth-update config

Thank you!

  • If you have any questions or comments, please contact me directly.