├── README.md
└── ssh-log-alert.sh

/README.md:
--------------------------------------------------------------------------------
## Scope
Fail2ban is dope and SSH is quite secure, but what if someone still manages to authenticate to your machine, e.g. by using saved/harvested credentials? Receive email alerts on successful ssh logins based on a predefined IP whitelist OR a predefined IP country origin whitelist.

**Essentially:** IF (ssh successful authentication ip address NOT IN ip whitelist) OR (ssh successful authentication ip address country of origin NOT IN country whitelist); then send email notification;

**Note:** Check [ssh-log-alert using mailgun](https://github.com/t3l3machus/ssh-log-alert) for a more secure and elegant version of this script.

## Notification
![Notification example.png](https://i.ibb.co/550xtBv/logalert.png)

## Requirements
1. python3
2. `sudo apt install geoip-bin`
3. An existing or preferably a new and dedicated gmail account for sending the alerts. The account must be configured to accept Less secure app access (go to --> Manage your google account/Security/Less secure app access/turn on).

## Configuration
Edit the script and:
1. replace your gmail authentication data and recipient email address.
2. edit variables `country_whitelist` OR `ip_whitelist` to suit your needs.

## Usage
`sudo chmod +x ssh-log-alert.sh`

There are two ways to use this script:
1. Simply run the script (as root), which will result in a live log of every successful ssh authentication as well as an indication of email alert trigger success/failure when a condition is met (you should test it that way also).
   `./ssh-log-alert.sh`
2. Add the script to the root crontab and have it run in the background when the machine starts:
   `crontab -e`
   then add the line:
   `@reboot /bin/bash /path/to/ssh-log-alert.sh`
   reboot the machine and you are good to go (`reboot now`).
--------------------------------------------------------------------------------
/ssh-log-alert.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
#
# Author: Panagiotis Chartas
# Website: https://github.com/t3l3machus
# Requirements: apt install geoip-bin

# Gmail authentication data (exported so the python3 mailer below can read them)
export from_address="YOUR-SENDING-ACCOUNT@gmail.com"
export passwd="Send1ngAcc0untP@sswd"

# Recipient email address
export to_address="YOUR-RECEIVING-ACCOUNT@whatever.com"

# Configuration
country_whitelist="" # Leave blank to enable ip_whitelist check. Example: "China England"
ip_whitelist=""      # Example: "84.51.23.123 56.10.12.96"

# Check if both whitelists are empty
if [ ${#country_whitelist} -eq 0 ] && [ ${#ip_whitelist} -eq 0 ]; then
    echo -e "\n[X] Invalid alert trigger configuration. Check whitelists.\n"
    exit 1
fi

# Check that every address in ip_whitelist is a valid dotted-quad IPv4 address
for address in $ip_whitelist; do
    if ! [[ "$address" =~ ^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$ ]]; then
        echo -e "\n[X] IP whitelist contains one or more invalid addresses.\n"
        exit 1
    fi
done

echo -e "\033[1m[*] SSH-LOG-ALERT is live\033[0m"

# -F keeps following auth.log across logrotate, which matters for a process started at boot
tail -n 0 -F /var/log/auth.log |
while read -r line
do
    log_entry=$(echo "$line" | grep -i "accepted")

    if [ -n "$log_entry" ]; then
        # Take the address that follows "from" rather than a fixed field number:
        # the field position shifts with the syslog timestamp format and with single-digit days
        ip=$(echo "$log_entry" | grep -oE 'from [0-9a-fA-F.:]+' | cut -d " " -f 2)

        # Write access log line to stdout
        echo "$log_entry"

        # Get origin country. geoiplookup prints "GeoIP Country Edition: XX, Country Name";
        # for private/unknown ranges it prints "IP Address not found", which leaves $country empty
        country=$(geoiplookup "$ip" | sed -n 's/^GeoIP Country Edition: [A-Z]*, //p')
        [ -z "$country" ] && country="the Internal Network"

        # Check the origin country against the country whitelist when one is configured...
        if [ -n "$country_whitelist" ]; then
            echo "$country_whitelist" | grep -w -q "$country"
        # ...otherwise check the ip against the ip whitelist
        elif [ -n "$ip_whitelist" ]; then
            echo "$ip_whitelist" | grep -w -q "$ip"
        fi

        # Send notification if the whitelist check did not match (non-zero exit status)
        if (($?)); then
            server_ip=$(curl ident.me -s) # You could change this to the machine's internal ip if the sshd is not publicly accessible
            export subject="SSH-LOG-ALERT - Intruder!!!"
            export text="Someone logged in $(hostname) ($server_ip) from $country: $log_entry"
            python3 -c 'import smtplib;from os import environ;server = smtplib.SMTP_SSL("smtp.gmail.com", 465);server.login(environ["from_address"], environ["passwd"]);message = "Subject: {}\n\n{}".format(environ["subject"], environ["text"]);server.sendmail(environ["from_address"], environ["to_address"], message);server.quit()'
            if ! (($?)); then echo -e "\033[38;5;82mAlert triggered!\033[0m"; else echo -e "\033[1;91mAlert failed.\033[0m"; fi
        fi
    fi
done
```
--------------------------------------------------------------------------------
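The decision logic of the script (extract the source address from an sshd "Accepted" line, then consult the country whitelist if one is set, otherwise the ip whitelist) as an added example that can be exercised offline; this is not code from the ssh-log-alert project. The function names, the sample auth.log lines (constructed, using RFC 5737 documentation addresses) and the whitelist values are all assumptions made for this example, and the country is passed in by the caller instead of coming from geoiplookup. Whitelist entries are compared exactly rather than with `grep -w`, so a dot in an ip cannot act as a regex wildcard.

```shell
#!/bin/sh
# Added example, not part of ssh-log-alert: whitelist decision logic for
# sshd "Accepted" lines, written so it can be tested without a live auth.log.

# Print the source address of an sshd "Accepted ..." line; exit 1 for any
# other line (failed logins, disconnects, unrelated services). The address is
# taken from the text after "from", so timestamp width does not matter.
extract_ip() {
    ip=$(printf '%s\n' "$1" |
        sed -n 's/.*sshd\[[0-9]*]: Accepted [^ ]* for [^ ]* from \([0-9a-fA-F.:]*\) port.*/\1/p')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Exit 0 if $1 is an exact, space-separated member of the list in $2.
in_list() {
    needle=$1
    for entry in $2; do
        [ "$entry" = "$needle" ] && return 0
    done
    return 1
}

# Decide for one log line, with the script's precedence: a non-empty country
# whitelist is consulted first, otherwise the ip whitelist.
#   $1 = log line, $2 = country of the source address (what geoiplookup would
#   return; supplied by the caller here), $3 = country_whitelist, $4 = ip_whitelist
# Prints "ALERT <ip>" or "OK <ip>", or "SKIP" for lines that are not logins.
decide() {
    country=$2; country_whitelist=$3; ip_whitelist=$4
    ip=$(extract_ip "$1") || { echo "SKIP"; return 0; }
    allowed=1
    if [ -n "$country_whitelist" ]; then
        if in_list "$country" "$country_whitelist"; then allowed=0; fi
    elif [ -n "$ip_whitelist" ]; then
        if in_list "$ip" "$ip_whitelist"; then allowed=0; fi
    fi
    if [ "$allowed" -eq 0 ]; then echo "OK $ip"; else echo "ALERT $ip"; fi
}

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
# The first line has a single-digit day, which shifts cut(1) field numbers by one.
SAMPLE_LOG='Jan  5 09:12:01 srv1 sshd[1412]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:x
Jan 15 09:13:22 srv1 sshd[1420]: Failed password for root from 198.51.100.9 port 2222 ssh2
Jan 15 09:14:02 srv1 sshd[1433]: Accepted password for bob from 192.0.2.44 port 40112 ssh2'

# Walk the sample log in ip-whitelist mode (country whitelist empty).
run_ip_mode() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
        decide "$l" "Unknown" "" "203.0.113.7"
    done
}

run_ip_mode
```

Running it prints `OK 203.0.113.7`, `SKIP` and `ALERT 192.0.2.44` for the three sample lines. Because both the script's config and `in_list` split on spaces, a multi-word country name such as "United States" cannot be expressed as a single whitelist entry; use a different separator if you need one.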