It's handy to know who's logging into servers around your projects. Slack offers a beautiful way to do this in combination with pam.d.
We're assuming you're using a CentOS-derived OS for locations, but this should work on any *nix-based OS with pam.d enabled.
1. Add an incoming webhook in Slack -- navigate to:
https://YOUR_DOMAIN.slack.com/apps/manage/custom-integrations
We recommend naming the spot something that is recognizable; that way it won't get deleted in the future.
Make sure to copy the Webhook URL from the resulting page.
2. Add an SSH script to your server
Add and make executable (chmod+x) file to /etc/ssh/scripts/sshnotify.sh
(note Make sure to replace <YOUR SLACKWEBHOOK>
with the URL from step 1 and #channel
with the channel you want notifications going to)
if [ "$PAM_TYPE" != "close_session" ]; then
url="<YOUR SLACK WEBHOOK>"
channel="#channel"
host="$(hostname)"
content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"SSH login: $PAM_USER connected to \`$host\`\", \"text\": \"SSH login to \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$PAM_USER\", \"short\": true }, { \"title\": \"IP Address\", \"value\": \"$PAM_RHOST\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
curl -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"SSH Notifications\", $content, \"icon_emoji\": \":inbox-tray:\"}" "$url" &
fi
exit
3. Add the script to your pam.d
sudo echo "session optional pam_exec.so seteuid /etc/ssh/scripts/sshnotify.sh" >> /etc/pam.d/sshd
4. Verify the installation
Log out and log back into your box to verify a notice hits your channel of choice.
Top comments (1)
This post is 2 years old, anyway I'm using your tip.
Here is my feedback:
#!/bin/bash
) in order to avoid exit code 8thanks for this tips π