If you want to receive a notification about each new SSH login to your Linux server, this article is for you.
Introduction
Implementing a simple notification script for SSH logins on a Linux server is a crucial step for enhancing security, monitoring, and accountability. Such a script provides real-time alerts whenever a user logs in, helping to detect unauthorized access. By including key details like the username, IP address, and timestamp, it lets you quickly identify unusual behavior, track login origins, and respond to potential threats.
Requirements
Before starting, you should already have a Telegram bot and Linux server. In this article I am using Debian 12, but the process will be similar for other distributions.
Get your user id
Find your bot in Telegram by searching for the name you set for the bot.

Start the conversation and write something to the bot:

Now you can query your chat ID from the bot. Log in to your server and execute the following command, replacing {TOKEN} with your bot token:
curl -s "https://api.telegram.org/bot{TOKEN}/getUpdates" | jq -r '.result[0].message.from.id'
As a result you will get a number, 1234567890 for example, which is your chat id.
Server script
To send a login message from the bot, you need a script that runs on every user login and sends the details of that login to the bot API.
Create a script file:
nano /usr/share/telegram.sh
Paste the script content:
#!/bin/bash
# Check if this is an active SSH login session
if [[ -n "$SSH_CONNECTION" ]]; then
    # Only act when PAM opens the session (skip the close_session call at logout)
    if [[ "$PAM_TYPE" == "open_session" ]]; then
        # Telegram Bot API Token
        BOT_TOKEN="telegram_bot_token"
        # Telegram Chat ID
        CHAT_ID="chat_id"
        # Get login details
        # sshd runs session modules as root, so whoami would report root here;
        # pam_exec exports the account that is logging in as PAM_USER
        USER="${PAM_USER:-$(whoami)}"
        IP_ADDRESS=$(echo "$SSH_CONNECTION" | awk '{print $1}')
        DATE_TIME=$(date '+%Y-%m-%d %H:%M:%S')
        HOSTNAME=$(hostname)
        # Create the message
        MESSAGE="*New Login Detected*
User: $USER
IP Address: $IP_ADDRESS
Hostname: $HOSTNAME
Time: $DATE_TIME"
        # Send the notification to Telegram
        # (--max-time keeps a slow or unreachable API from stalling the login)
        curl -s --max-time 10 -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
            -d chat_id="${CHAT_ID}" \
            -d parse_mode="Markdown" \
            --data-urlencode text="$MESSAGE"
    fi
fi
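Don’t forget to fill in the correct API token provided by BotFather and the chat ID obtained in the previous step.
Make the script executable. It contains the bot token, so restrict it to root instead of leaving it readable by every local user:
chmod 700 /usr/share/telegram.sh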
Configure login action
Now run the script automatically on every SSH login. To do this, open the PAM configuration file for sshd:
nano /etc/pam.d/sshd
Add the following line at the end:
session optional pam_exec.so seteuid /usr/share/telegram.sh
Restart the SSH service:
systemctl restart sshd
Now, every time a user logs in via SSH, a notification will be sent to your Telegram bot!
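A variant of the notification script, added here as an example and not the author's code: it escapes the characters Telegram's legacy Markdown mode treats as markup (an unescaped underscore in a username makes the API reject the message) and writes a syslog entry when an alert is not delivered. The helper names tg_escape, login_message and send_alert and the syslog tag ssh-telegram are chosen for this example; the token and chat ID are the same placeholders as above.

```shell
#!/bin/bash
# Added example, not the author's script. Helper names and the syslog tag are chosen here.
BOT_TOKEN="telegram_bot_token"   # placeholder, fill in as in the script above
CHAT_ID="chat_id"                # placeholder

# Backslash-escape the characters legacy Markdown treats as markup: _ * ` [
tg_escape() {
    printf '%s' "$1" | sed -e 's/[_*`[]/\\&/g'
}

# Build the alert text from the variables sshd and pam_exec put in the environment.
login_message() {
    local user ip
    user=$(tg_escape "${PAM_USER:-unknown}")
    # First field of SSH_CONNECTION is the client address; fall back to PAM_RHOST.
    ip="${SSH_CONNECTION:-}"
    ip="${ip%% *}"
    ip=$(tg_escape "${ip:-${PAM_RHOST:-unknown}}")
    printf '*New Login Detected*\nUser: %s\nIP Address: %s\nHostname: %s\nTime: %s' \
        "$user" "$ip" "$(tg_escape "$(uname -n)")" "$(date '+%Y-%m-%d %H:%M:%S')"
}

# Send the text; record a rejected or failed request in syslog instead of losing it silently.
send_alert() {
    local reply
    reply=$(curl -s --max-time 10 -X POST \
        "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
        -d chat_id="${CHAT_ID}" -d parse_mode="Markdown" \
        --data-urlencode text="$1") || reply=""
    case "$reply" in
        *'"ok":true'*) return 0 ;;
        *) logger -t ssh-telegram "alert not delivered: ${reply:-no response}"; return 1 ;;
    esac
}

# Run only when PAM opens an SSH session, as in the original script.
if [ "${PAM_TYPE:-}" = "open_session" ] && [ -n "${SSH_CONNECTION:-}" ]; then
    send_alert "$(login_message)"
fi
```

Because the PAM line uses "optional", a failed alert never blocks the login; the syslog entry is the only trace that a notification was lost.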
