Trigger webhook when someone SSH's into server

August 4, 2019 787 views
Ubuntu Security Automated Setups

I have an Ubuntu 18.04 server I use as a long-running pet (testing and development) server.

Is there a simple way to trigger a webhook (i.e. send me a Slack message) when anyone (including myself) SSH’s into the server?

I’d want to include the connection’s local IP address or host information.

3 Answers

Hello,

There is a way to configure this. You can use a PAM rule and set up a simple bash script to trigger the webhook whenever someone SSH’s into your server.

First you can follow this tutorial and see how to set up the incoming webhooks in Slack.

https://api.slack.com/incoming-webhooks

Now let’s jump into what needs to be done on the server itself. We need to track down the SSH logins on the server itself and also make sure this triggers a webhook to our Slack channel. We will use PAM for this. Follow the steps below.

PAM is a framework for many UNIX flavours, including GNU/Linux and macOS, for creating authentication modules that allow the system to perform advanced login strategies, like forcing users to log in through hardware keys or using two-factor authentication.

One of these modules is pam_exec.so. It can run a program on different stages of the server lifecycle, such as after a successful login is made or after a logout. This program will receive information about the login event, including the user and the hostname, if the login is made remotely.

To add an execution rule that will run a program every time a successful log in is done through SSH, add the following information to your /etc/pam.d/sshd file — this file contains the PAM rules triggered during SSH login:

session   optional   pam_exec.so   /usr/local/sbin/sshd-login

PAM configuration files, like many other UNIX configuration files, contain whitespace-separated values. Every word in a rule is an argument for that rule. There is a comprehensive explanation about these arguments on pam.d(5), but the most important thing to grasp here is that session rules will trigger before and after a user is given service. The program I’m trying to execute is /usr/local/sbin/sshd-login

You can use the following bash script:

#!/bin/bash

WEBHOOK_URL="https://discordapp.com:443/api/webhooks/<hook URL>"

# Let's capture only open_session and close_session events (login and logout).
case "$PAM_TYPE" in
    open_session)
        PAYLOAD=" { \"content\": \"$PAM_USER logged in (remote host: $PAM_RHOST).\" }"
        ;;
    close_session)
        PAYLOAD=" { \"content\": \"$PAM_USER logged out (remote host: $PAM_RHOST).\" }"
        ;;
esac

# Let's only perform a request if there is an actual payload to send.
if [ -n "$PAYLOAD" ] ; then
    curl -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$WEBHOOK_URL"
fi

The script will wrap the values for those variables into a JSON payload and perform an HTTP request using curl to send the payload to the webhook.

Run the following programs on your terminal, and check that the hooks are triggering on your chat room.

PAM_USER=foo PAM_RHOST=bar PAM_TYPE=open_session /usr/local/sbin/sshd-login
PAM_USER=foo PAM_RHOST=bar PAM_TYPE=close_session /usr/local/sbin/sshd-login

Now open a new shell window or tab and log in to your server. You should see your real username and host appearing on the chat log. Try to log out as well.

Conclusion

The PAM rule runs a script whenever someone logs in or logs out via SSH into the server. The executed script takes a few environment variables provided by PAM with information about the login event and sends them to my Discord server into a private channel using a webhook.

One thing to notice is that this will only track successful login events.

Hope this helps.

Alex

Hello,

This should be possible using the Slack API and creating WebHooks.

You’ll need to add an incoming WebHook in Slack.

To do so, navigate to

https://YOUR_DOMAIN.slack.com/apps/manage/custom-integrations

Remember to copy the WebHook URL from the resulting page.

Create an SSH script on your server

You can name the script and place it anywhere you want. For this example, I’ll place it in /usr/sbin/ and name it sshnotify. The full path would be /usr/sbin/sshnotify.

The script should contain something like

#!/bin/bash
# pam_exec sets PAM_TYPE, PAM_USER and PAM_RHOST; notify on everything except logout.
if [ "$PAM_TYPE" != "close_session" ]; then
        url="<YOUR SLACK WEBHOOK>"
        channel="#channel"
        host="$(hostname)"
        # Slack attachment carrying the user and the remote address as fields.
        content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"SSH login: $PAM_USER connected to \`$host\`\", \"text\": \"SSH login to \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$PAM_USER\", \"short\": true }, { \"title\": \"IP Address\", \"value\": \"$PAM_RHOST\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
        # Send in the background so the login does not wait on the HTTP request.
        curl -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"SSH Notifications\", $content, \"icon_emoji\": \":inbox-tray:\"}" "$url" &
fi
exit

Once you have saved the file, don’t forget to make the file executable. To do so run the following:

chmod +x /usr/sbin/sshnotify

Additionally, you’ll need to install pam.d. A simple apt-get should do the trick:

sudo apt-get install pam.d

Add the script to your pam.d

echo "session optional pam_exec.so seteuid /usr/sbin/sshnotify" | sudo tee -a /etc/pam.d/sshd

That’s it, you should be good to go now.

Additionally, Slack are developing a new way to create what you are looking for by creating Apps. Having said that, for now WebHooks are the way to go in my personal opinion.

Please do let me know how it goes.
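
A hardened variant of the notifier scripts in the two answers above, as an added example that is not part of either answer: it JSON-escapes the PAM values before building the payload and bounds the HTTP request so a slow webhook cannot hold up a login. The WEBHOOK_URL value is a placeholder, the function names are illustrative, and the {"text": ...} body is the Slack incoming-webhook format.

```shell
#!/bin/bash
# Added example: PAM login notifier with escaping and a request timeout.
# WEBHOOK_URL is a placeholder; set it to your own incoming-webhook URL.
WEBHOOK_URL="${WEBHOOK_URL:-https://hooks.example.invalid/REPLACE_ME}"

# Make a value safe to embed in a JSON string literal:
# drop control characters, then escape backslashes and double quotes.
json_escape() {
    printf '%s' "$1" | tr -d '\000-\037' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_payload PAM_TYPE PAM_USER PAM_RHOST
# Prints the JSON body; returns 1 for event types we do not report.
build_payload() {
    case "$1" in
        open_session)  action="logged in" ;;
        close_session) action="logged out" ;;
        *) return 1 ;;
    esac
    user=$(json_escape "$2")
    # PAM_RHOST can be empty, so fall back to a fixed marker.
    rhost=$(json_escape "${3:-unknown}")
    printf '{"text": "%s %s (remote host: %s)"}' "$user" "$action" "$rhost"
}

# Send the notification without ever delaying or failing the login.
notify() {
    payload=$(build_payload "$PAM_TYPE" "$PAM_USER" "$PAM_RHOST") || return 0
    # --max-time caps the request; backgrounding returns control to PAM at once.
    curl -fsS --max-time 5 -X POST -H 'Content-Type: application/json' \
         -d "$payload" "$WEBHOOK_URL" >/dev/null 2>&1 &
}

# pam_exec exports PAM_TYPE; do nothing when it is not set.
if [ -n "${PAM_TYPE:-}" ]; then
    notify
fi
```

Install it root-owned and not writable by other users, since sshd runs it on every session event. The PAM_USER=foo PAM_RHOST=bar PAM_TYPE=open_session test invocation from the first answer works unchanged.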

[deleted]