TL;DR

A really quick bash script that alerts you via Telegram about new (SSH) system logins.

Introduction

Let’s say you have an SSH service running on any kind of existing Linux server.

Third-party software for reading your logs?
I bet you’ll prefer your seedy scripting skills for this simple task!

I will show you how to alert on new system logins in your Linux distribution.

Code available in Logbot


Tested on Debian Based Distribution
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

Tested on Debian, but I’m sure you’ll find out how to adapt and deploy it on your favorite distribution or operating system.


Logbot details

Read the logfile

First, find out where authentication events are logged on your distribution; in this case it is /var/log/auth.log.

Make sure you have sufficient privileges to read these log files, or that you are in sudoers!
You may also want to create a dedicated user for it. :)

Let’s use tail to read the end of the file.
When you read a logfile you really want to follow the actual name of the file, not the file descriptor, because, as you might know, logfiles get recreated and rotated.

This means that while reading a logfile you need the following flags: --follow=name to track the file by its name, and --retry to keep trying to reopen it while it is inaccessible.

Here you have the man tail output for those flags:

-f, --follow[={name|descriptor}]
    output appended data as the file grows;
--retry
    keep trying to open a file if it is inaccessible

With --follow (-f), tail defaults to following the file descriptor, which means that even if a tail’ed file is renamed, tail will continue to track its end.

This default behavior is not desirable when you really want to track the actual name of the file, not the file descriptor (e.g., log rotation). In that case you will need to use --follow=name.

That causes tail to track the named file in a way that accommodates renaming, removal and creation!

Filter the logfile out

Once the file is readable, filter it!
With grep, egrep or fgrep.

grep will be used, as it is the one recommended by the man page, but feel free to use whichever suits you best.

The --line-buffered option flushes the output every time a new matching line appears in the file, instead of waiting for the output buffer to fill.

This is very important, since speed is wanted and needed: there is no time to wait for the buffer!

Check your own log files before filtering the way I do, since the line format may differ.

You will find the snippet at the end of this article.

Send to Telegram

As said in the beginning, this is a quick, launchable script, so curl will be used to send messages through Telegram’s API.

Obtain your:

  • API Token
  • Chat ID

The endpoint for sending messages is https://api.telegram.org/botTOKEN/sendMessage

More information about the Telegram API here.

Final Script

#!/bin/bash

TOKEN="YOUR TOKEN"
ID="YOUR CHAT_ID"
URL="https://api.telegram.org/bot${TOKEN}/sendMessage"

# Follow the log by name so rotation is survived, keep retrying while it is
# missing, and let grep flush every matching line at once (--line-buffered).
sudo tail --follow=name --retry "/var/log/auth.log" |
grep --line-buffered -ai -e "accepted password" -e "accepted publickey" |
while read -r line; do
    # Field numbers match Debian's auth.log layout:
    # Apr  1 12:34:56 host sshd[123]: Accepted password for user from 1.2.3.4 port 22 ssh2
    ip=$(echo "$line" | awk '{print $11}')
    hour=$(echo "$line" | awk '{print $3}')
    hostname=$(echo "$line" | awk '{print $4}')
    user=$(echo "$line" | awk '{print $9}')

    message="New login for \"${user}\"
System accessed from \"${ip}\"
Access hour -> \"${hour}\"
Hostname -> \"${hostname}\""

    # --data-urlencode keeps characters such as '&' or '+' in the message intact
    curl -s -X POST "$URL" -d "chat_id=${ID}" --data-urlencode "text=${message}" > /dev/null
done
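As an added example that is not part of Logbot or of the original post, here is the same extraction done by pattern instead of by awk field position, which also copes with the RFC 3339 timestamp some rsyslog/journald setups write; the sample log lines are constructed, and TOKEN and ID are placeholders exactly as in the script above.

```shell
#!/bin/sh
# Added example, not part of Logbot: extract the login details by pattern
# instead of fixed awk field numbers, so the same code copes with both the
# classic syslog timestamp and the RFC 3339 one some rsyslog/journald setups use.

# Constructed sample lines: two accepted logins in different formats and one
# failed attempt that must be ignored.
LINE_SYSLOG='Apr  1 12:34:56 debian sshd[1234]: Accepted password for alice from 203.0.113.5 port 51234 ssh2'
LINE_ISO='2024-04-01T12:34:56.123456+02:00 debian sshd[1234]: Accepted publickey for bob from 2001:db8::10 port 40022 ssh2: ED25519 SHA256:AAAA'
LINE_NOISE='Apr  1 12:35:01 debian sshd[1235]: Failed password for invalid user root from 203.0.113.9 port 51300 ssh2'

# Print "host method user ip port" for an sshd "Accepted" line; return 1 otherwise.
parse_login() {
    printf '%s\n' "$1" |
        sed -nE 's/^.* ([^ ]+) sshd\[[0-9]+\]: Accepted (password|publickey) for ([^ ]+) from ([^ ]+) port ([0-9]+).*$/\1 \2 \3 \4 \5/p' |
        grep .
}

# Turn a log line into the text sent to Telegram; return 1 when it is not a login.
format_message() {
    fields=$(parse_login "$1") || return 1
    # Word-splitting of $fields is intentional: it holds five space-free tokens.
    set -- $fields
    printf 'New login for %s (%s)\nSystem accessed from %s port %s\nHostname -> %s\n' "$3" "$2" "$4" "$5" "$1"
}

# Send one message; --data-urlencode keeps '&', '+' and newlines intact.
# TOKEN and ID are the same placeholders as in the final script.
send_telegram() {
    curl -s -X POST "https://api.telegram.org/bot${TOKEN}/sendMessage" \
        -d "chat_id=${ID}" --data-urlencode "text=$1" > /dev/null
}

# Same pipeline as the final script, only the parsing is swapped out:
#   sudo tail --follow=name --retry /var/log/auth.log |
#   grep --line-buffered -ai -e "accepted password" -e "accepted publickey" |
#   while read -r line; do msg=$(format_message "$line") && send_telegram "$msg"; done
```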

Check out Logbot, where you will find how to leave it running as a service in your system!

Yay! You have it!