
Enhance Your SSH Experience: Unleash the Power of Slack Monitoring!

Author: 杰瑞德·林斯基
An emerging leader and software engineer living in Seoul, South Korea.

Purpose

  • SSH can run a command whenever someone attempts to log in. This document shows how to connect that hook to Slack and how to control the order in which SSH executes the steps.

Webhooks on the Slack API

  • Visit here to learn how to create an app.

  • You need to create a Slack app, enable webhooks, and create an incoming webhook so that notifications can be received from SSH.

Create a script for failed attempts

  • The following file can be saved anywhere on the system; I placed it at /var/opt/notify-attempt.sh.
#!/bin/bash
# PAM exports PAM_TYPE, PAM_USER and PAM_RHOST to this script; skip only the session-close event.
if [ "$PAM_TYPE" != "close_session" ]; then
        url="<YOUR SLACK WEBHOOK>"
        channel="#channel"
        host="$(hostname)"
        # Slack attachment with the user and source address of the attempt.
        content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"SSH login: $PAM_USER connected to \`$host\`\", \"text\": \"SSH login to \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$PAM_USER\", \"short\": true }, { \"title\": \"IP Address\", \"value\": \"$PAM_RHOST\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
        # Post in the background so a slow webhook does not hold up the login.
        curl -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"SSH Notifications\", $content, \"icon_emoji\": \":inbox-tray:\"}" "$url" &
fi
exit

For other SSH events

  • For other events (such as a successful login), I recommend creating two files.
  • Each file contains the JSON content that is sent to Slack for that event.
  • In each file you need to edit the fallback line, "SSH login: $PAM_USER connected to `$host`".
  • You will see below how OpenSSH uses these scripts.

Configure ssh

I have commented out the notification for successful attempts; you can uncomment it so the script runs and notifies Slack. It is this line: # auth optional pam_exec.so /var/opt/notify-login.sh

[success=2] means that if the ssh login attempt succeeds, the next two lines are skipped, so the failed-attempt notification is not sent.

File: /etc/pam.d/common-auth

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth  [success=2 default=ignore]   pam_unix.so nullok
auth  optional            pam_exec.so /var/opt/notify-attempt.sh
# here's the fallback if no module succeeds
auth  requisite            pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# For successful login, uncomment the below line, ensure the file exists.
# auth  optional            pam_exec.so /var/opt/notify-login.sh
# auth  required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth  optional            pam_cap.so
# end of pam-auth-update config
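The post's script interpolates $PAM_USER and $PAM_RHOST straight into the JSON body, and PAM_USER is whatever the remote client typed at the login prompt. The following is an added example (not the post's script) that builds the same Slack payload with the values JSON-escaped, and serves both the failed-attempt and login cases from one file by taking the event label as an argument, which pam_exec passes through from the arguments after the script path. The webhook URL, channel and colours are placeholders.

```shell
#!/bin/sh
# Added example, not the post's script: same Slack webhook notification, but
# the values PAM hands us are escaped before they are placed in JSON, so a
# crafted login name such as  bob","evil":"x  cannot break or reshape the
# payload. One script covers both events; pam_exec passes the arguments that
# follow the script path, e.g.
#   auth optional pam_exec.so /var/opt/notify.sh failed
#   auth optional pam_exec.so /var/opt/notify.sh login
WEBHOOK_URL="<YOUR SLACK WEBHOOK>"   # placeholder
CHANNEL="#channel"                   # placeholder

# json_string TEXT: print TEXT as a quoted JSON string literal. Control
# characters are dropped, then backslash and double quote are escaped.
json_string() {
    printf '"%s"' "$(printf '%s' "$1" | tr -d '\000-\037' | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# build_payload EVENT USER RHOST HOST: the JSON body for one notification.
# EVENT is "login" (accepted) or anything else (treated as a failed attempt).
build_payload() {
    event="$1"; user="$2"; rhost="${3:-unknown}"; host="$4"
    case "$event" in
        login) color='#36A64F' ;;   # green: accepted login
        *)     color='#F35A00' ;;   # orange: failed attempt (the post's colour)
    esac
    printf '{"channel":%s,"username":"SSH Notifications","attachments":[{"fallback":%s,"text":%s,"color":"%s","fields":[{"title":"User","value":%s,"short":true},{"title":"IP Address","value":%s,"short":true}]}]}' \
        "$(json_string "$CHANNEL")" \
        "$(json_string "SSH $event: $user from $rhost on $host")" \
        "$(json_string "SSH $event on $host")" \
        "$color" \
        "$(json_string "$user")" \
        "$(json_string "$rhost")"
}

# Only talk to Slack when actually invoked by pam_exec (PAM_TYPE is set);
# the session-close event is skipped as in the post's script.
if [ -n "${PAM_TYPE:-}" ] && [ "$PAM_TYPE" != "close_session" ]; then
    payload=$(build_payload "${1:-failed}" "$PAM_USER" "$PAM_RHOST" "$(hostname)")
    # Background the POST so a slow webhook never delays the login itself.
    curl -s -X POST -H 'Content-type: application/json' --data "$payload" "$WEBHOOK_URL" >/dev/null 2>&1 &
fi
```

Keep the file root-owned and not writable by other users, since sshd's PAM stack runs it as root.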

Thanks!

  • If you have any questions or comments, please contact me directly.