✅ A simple script that sends notifications of SSH access (logins and logouts) to the server ✅
Telegram Notifications on SSH Logins
Search for the user "botfather" in Telegram: https://t.me/BotFather
Create a new bot by sending "botfather" the following message:
/newbot
"botfather" will ask for the name of the bot.
Now, search for the newly created bot in your Telegram contacts. Next, start the bot by clicking on start or sending the message:
/start
Next, open Postman or your Browser to the address shown below. Replace "TOKEN" with the token you got from "botfather" in the previous step:
https://api.telegram.org/bot"TOKEN"/getUpdates
Write down the row of numbers coming after "id". This is our "Telegram_id" and will be needed in the next step.
sudo mkdir /etc/pam.scripts
Save this script as /etc/pam.scripts/login-notification.sh (or in another location):
#!/bin/bash
# FILE /etc/pam.scripts/login-notification.sh
#################
# CONFIGURATION
#################
USERID="SEU_ID"       # your Telegram id (the number after "id" in getUpdates)
KEY="SUA_CHAVE_API"   # the bot token received from BotFather
URL="https://api.telegram.org/bot${KEY}/sendMessage"
# Known IPs below form a whitelist (comma-separated for a regex, or space-separated and validated with a loop, as done here)
KNOWN_IPs="192.0.0.0 192.168.0.136 192.168.0.129"
LOG_FILE="/var/log/telegram_ssh.log"
SRV_HOSTNAME=$(hostname)
# Only fire the alert for the "open_session" type
if [ "$PAM_TYPE" != "open_session" ]; then
    exit 0
fi
# Known-IP check (exact string match against each whitelist entry)
for ip in $KNOWN_IPs; do
    if [ "$PAM_RHOST" = "$ip" ]; then
        echo "$(date): Acesso ignorado para IP conhecido $PAM_RHOST" >> "$LOG_FILE"
        exit 0
    fi
done
#######################
# DATA COLLECTION
#######################
DATE=$(date "+%d/%m/%Y %H:%M:%S")
# Optional: the server's public IP (not used in the message below).
# --max-time keeps a slow lookup from holding up the login.
IP_EXTERNO=$(curl -s --max-time 5 https://ifconfig.me)
# Details for the IP of the attacker/user
IPINFO="https://ipinfo.io/${PAM_RHOST}"
# Formatted message
MESSAGE="🔰<b><i>Raspberry SSH</i></b>🔰
👤 <b>Usuário:</b> (<code>$PAM_USER</code>)
▫️ <b>IP Origem:</b> <code>$PAM_RHOST</code>
▫️ <b>Servidor:</b> <code>$SRV_HOSTNAME</code>
▫️ <b>Data:</b> $DATE
▫️ <b>Serviço:</b> $PAM_SERVICE ($PAM_TTY)
▫️ <b>Localização:</b> <a href='$IPINFO'>Ver no IPInfo</a>"
#######################
# SEND
#######################
# Send in the background so the user's login is not held up
(
    # --data-urlencode keeps "&", "+" or "=" inside the message from breaking the form body
    curl -s --max-time 10 -d "chat_id=${USERID}" \
        --data-urlencode "text=${MESSAGE}" \
        -d "disable_web_page_preview=true" \
        -d "parse_mode=HTML" \
        "$URL" > /dev/null 2>&1
) &
echo "$DATE: Alerta enviado para $PAM_USER vindo de $PAM_RHOST" >> "$LOG_FILE"
Make the script executable with this command:
sudo chmod +x /etc/pam.scripts/login-notification.sh
Edit the file /etc/pam.d/sshd with sudo (using nano or vi) and add the following to the end:
# SSH Alert script
session required pam_exec.so /etc/pam.scripts/login-notification.sh
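pam_exec will run the script on every login and every logout. The script itself only sends a message when a session is opened from an IP that is not in KNOWN_IPs, so you will get notified on Telegram about SSH logins.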
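The whitelist loop in the script matches exact strings only, and Telegram's HTML parse mode requires `&`, `<` and `>` in message text to be written as entities, otherwise the API rejects the message and the alert is lost (the script discards curl's output). The following is an added example, not code from the original repository: it generalises the whitelist check to CIDR ranges and escapes PAM-supplied values. The function names `ip_to_int`, `in_allowlist`, `should_alert` and `html_escape` are hypothetical, and the addresses in the demo are constructed.

```shell
#!/bin/bash
# Added example: helper functions for a pam_exec alert hook (names are hypothetical).

# Convert dotted-quad IPv4 to an integer; fail on anything else (IPv6, hostnames).
ip_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 matches an entry of the space-separated list $2.
# Entries are single addresses or CIDR ranges such as 192.168.0.0/24.
in_allowlist() {
    addr=$(ip_to_int "$1") || return 1      # unparsable source: never allow-listed
    for entry in $2; do
        case $entry in */*) bits=${entry#*/} ;; *) bits=32 ;; esac
        case $bits in ''|*[!0-9]*|0?*) continue ;; esac
        [ "$bits" -le 32 ] || continue
        net=$(ip_to_int "${entry%/*}") || continue  # skip malformed entries
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( addr & mask )) -eq $(( net & mask )) ] && return 0
    done
    return 1
}

# Alert only when a session opens from a source outside the allow list.
should_alert() {    # $1=PAM_TYPE  $2=PAM_RHOST  $3=allow list
    [ "$1" = "open_session" ] || return 1
    if in_allowlist "$2" "$3"; then return 1; fi
    return 0
}

# Escape &, < and > so PAM-supplied values are safe inside parse_mode=HTML text.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Constructed demo values (documentation address ranges), not real PAM input.
if should_alert open_session 203.0.113.7 "192.168.0.0/24 192.168.1.5"; then
    echo "alert: $(html_escape 'user<x>&y') from 203.0.113.7"
fi
```

In the script above, `should_alert "$PAM_TYPE" "$PAM_RHOST" "$KNOWN_IPs"` would stand in for the two early-exit checks, and `$PAM_USER` and `$PAM_RHOST` would pass through `html_escape` before being placed in MESSAGE.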
├───📄 README.md
├───📄 image.png
└───📄 ssh-logo.png
Credits: https://github.com/marcogreiveldinger/videos/tree/main/ssh-login-alerts
This repository is a personal backup, as I made some changes to the code I thought it would be better.
Credits are cited and maintained
Big hug.
