Silver IT
Making Computers Fun Again

Simple SSH login notifications


If an attacker gains a foothold on one of your servers, they'll often try to extend their access by installing back doors. An easy way to "backdoor" a machine is to add an ssh key to a user's keyring.

This is a quick and simple trick to receive notifications on your phone anytime a user logs in to your server via ssh. Of course, you should be blocking ssh access to non-login accounts, using secure passwords or asymmetric keys, and/or firewalling off the ssh ports used.

First, you will need to set up notifications on, or self-host a ntfy server. Then, add these lines to your /etc/ssh/sshrc file, replacing "mysshlogins" with your ntfy topic:

# Replace this with your ntfy topic
curl --silent \
	-H "Title: $USER ssh'd in to $(hostname)" \
	-H "Priority: high" \
	-H "Tags: warning" \
	-d "$(journalctl -u ssh -o cat -n 2 | head -n1)" \${topic} >/dev/null

Note that the sshrc file doesn't need to be executable. The notifications you receive will look like this:

A screenshot of a ntfy notification

Then, if you get an unexpected notification, you know there was an unauthorized ssh access to your server and can take immediate action to impede the intrusion.

< Back to all posts