29 Aug 2016, 16:22

ssh login push event

Let’s set up a Push Notification Service for each login that successfully happens over SSH. Most mobile apps on phones use push notifications these days for their notifications, and I think getting a push notification on your phone when someone logs into your server is rather handy and neat.

Today we get some free to use push notification services on the net such as PushBullet, they have an App you can download too and a browser extension, which we will do later in the guide. The main requirement for a good push service is that you want them to provide you with an API interface that you can call.

Here’s what we’re going to do. Assume I have a standard Ubuntu Server, let’s say 16.04 LTS.

What’s required?:

  1. Server: A Linux server would be handy, you can test this on a Linux VM too if you want to try it first, the only requirement is internet access.
  2. Push Service: For this guide, I will use PushBullet. They are stable and fast! Register an account with the service you end up choosing.
  3. Mobile App: I will download the PushBullet App on my mobile phone, you can also install the browser extension.
  4. Register Devices: In PushBullet, once you have a registered account, go ahead and register a device on the account, like a mobile phone using the App or a browser using the browser extensions they provide.
  5. Generate Access Token: Login to your PushBullet portal and select “Settings”, then on the “Account” page you want to add an Access Token this is something we will use to query the API with.
  6. Script: We will develop a script that pulls a few environment variables into a cURL request that polls the API to send the Push Notification.
  7. Login Trigger: We will place the script we developed into the /etc/profile file, this will execute the script once the shell loads for any user that logs in.

Now we create a shell script on the Linux server, lets call it ssh_notify.sh and place it somewhere “hidden” like /usr/bin/.scripts/ssh_notify.sh … Just to make it less obvious in case of a breach I place it in a hidden folder (indicated by the “.” infront of my folder name).

Script Content.

  1. Replace ACCESS_TOKEN_HERE with your Access Token generated on the site.
  2. Replace TITLE_HERE with the title you want displayed on your push notification.
  3. You might need to tweak the variables a little depending on your system and output of your environment variables.
LocalIPaddress=$(echo $SSH_CONNECTION | awk '{ print $1 }')
RemoteIPaddress=$(echo $SSH_CONNECTION | awk '{ print $3 }')
Username=$(echo $USER | awk '{ print $1 }')
NOW=$(date +"%Y %m %d %T")
Body=$(echo $USER' logged into '$RemoteIPaddress' from '$LocalIPaddress' at '$NOW)
curl -s --header 'Access-Token: ACCESS_TOKEN_HERE' -X POST https://api.pushbullet.com/v2/pushes --header 'Content-Type: application/json' --data-binary '{"type": "note", "title": "TITLE_HERE", "body": "'$USER' login from '$LocalIPaddress'"}' > /dev/null

You can test this script by running it using

.You should get a Push notification on your phone with the user name that logged in and the IP address.

Now, we need a mechanism to trigger that script when someone successfully logged in, for this we are going to use the

/etc/profile file 
, we don’t want to see any failed login attempts.

Edit the /etc/profile file and add the location of the script at the bottom (like below example).


Now you can logout and log back in to test.

NOTE: Remember that you are sending a push notification to the devices in the default group specified in the Pushbullet Account. So you can add multiple devices in there to be notified of logins, handy when more than one person needs to be notified.