SSH Login Notification Scripts via Pushover

README.md

SSH Login Notification Scripts via Pushover

Makes use of the Pushover API to send native notications for both successful and failed login attempts to your SSH server.

Login script reference here

Failed login script reference here

Notes:

• Ensure that you have set your Pushover API and user keys at the top of each script before using
• You can sign up for a Pushover account here and register for a Pushover API key here
• These scripts can be placed in any folder, however I have decided on /etc/ssh for consistency and to place them among ssh config files.
• Installing the script for failed login attempts is risky, as messing up a file may screw up your system. Be careful when editing PAM files in general. Backups are a good idea.

Installation

login-notify.sh

This script will notify you of a successful login

1. Place script inside of /etc/ssh and allow script to be executable by running:

sudo chmod +x /etc/ssh/login-notify.sh

2. Then run:

echo "session optional pam_exec.so seteuid /etc/ssh/login-notify.sh" | sudo tee -a /etc/pam.d/sshd

This will run the script on successful authentication into an ssh session.

4. If everything was successful, upon your next successful login, you should recieve a Pushover notification!

failed-login-notify.sh

This script will notify you of a failed login attempt

1. Place script inside of /etc/ssh and allow script to be executable by running:

sudo chmod +x /etc/ssh/failed-login-notify.sh

2. Edit the common-auth file by doing:

sudo nano /etc/pam.d/common-auth

You can replace nano with your preferred text editor. You can create a backup of your current common-auth file by doing sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bkup. This is so you can revert to it in case something goes wrong.

3. Find the line below:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure

and change success=1 to success=2. This is so that the script does not run if the login was successful. THIS IS IMPORTANT OR YOU WILL NOT BE ABLE TO LOGIN.

4. Add this line directly below the line in step 3:

auth    [default=ignore]                pam_exec.so seteuid /etc/ssh/failed-login-notify.sh

5. Save and close. You can test this script by attempting to SSH into the server and typing in an incorrect password. If you want to turn this behavior on for physical logins as well, simply remove the if condition in the script testing for whether "$PAM_SERVICE" = "sshd".
6. If everything was successful, you should recieve a Pushover notification!

failed-login-notify.sh

#!/bin/sh

# Script to send push notification with Pushover on failed login attempt
# reference https://unix.stackexchange.com/questions/87225/pam-action-on-unsuccessful-login on how to get installed

# Add Pushover API key and user key here:
PUSHOVER_API_KEY=""
PUSHOVER_USER_KEY=""

# Notification details
title="Failed login attempt on `hostname`"
message="Attempted login to $PAM_USER from $PAM_RHOST"

# ------------------------------------------------------------------------

if [ "$PAM_TYPE" != "close_session" -a "$PAM_SERVICE" = "sshd" ]; then
	curl -s -F "token=$PUSHOVER_API_KEY" \
			-F "user=$PUSHOVER_USER_KEY" \
			-F "title=$title" \
			-F "message=$message" https://api.pushover.net/1/messages.json
fi

login-notify.sh

#!/bin/sh

# Script to send push notification with Pushover on login
# move script to /etc/ssh
# And run:
# echo "session optional pam_exec.so seteuid /etc/ssh/login-notify.sh" >> /etc/pam.d/sshd

# Add Pushover API key and user key here:
PUSHOVER_API_KEY=""
PUSHOVER_USER_KEY=""

# Notification details
title="Login on `hostname`"
message="User $PAM_USER just logged in from $PAM_RHOST"

# ------------------------------------------------------------------------

if [ "$PAM_TYPE" != "close_session" -a "$PAM_SERVICE" = "sshd" ]; then
	curl -s -F "token=$PUSHOVER_API_KEY" \
			-F "user=$PUSHOVER_USER_KEY" \
			-F "title=$title" \
			-F "message=$message" https://api.pushover.net/1/messages.json
fi