
Posting successful SSH logins to Slack - sandm
http://sandrinodimattia.net/posting-successful-ssh-logins-to-slack/
======
duggan
This is neat! Threw together an Ansible role for it:

[https://github.com/duggan/ansible-slack-notify-ssh](https://github.com/duggan/ansible-slack-notify-ssh)

------
_yy
Is Slack really the right place for security-critical notifications?

~~~
Tepix
Not in my book. Slack seems to be really cool but since it's not self-hosted
and owned by a US entity, I'll stay clear.

~~~
pc86
It's an ssh login notification with a user and IP address. It's not notifying
everyone what the new launch codes are. Let's not overstate it.

~~~
Tepix
I'm not referring to the SSH logging, I mean slack in general.

------
lazyant
If you want to send email on login, add in /etc/profile :

    echo "`whoami` logged in at `date` from `echo $SSH_CLIENT`" | mail -s "`hostname` login" youremail@example.com

Note that people can still ssh execute remotely etc.

~~~
mscman
You'll definitely want to add a '&' at the end of that line so that you don't
delay user logins if the network is down or mail barfs.

~~~
lazyant
right, actually I do have a delay in a server with no mail where it fails :-)

------
rmdoss
I recommend using something like OSSEC to watch your logs and also tie it to
Slack/Pagerduty.

This post explains how to set it up:

[https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html](https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html)

------
esseti
I did a similar thing a couple of days ago. I just added this (with the
correct values) in the `sshrc` file inside `/etc/ssh` and enabled a webhook.
that's it.

    ip=`echo $SSH_CONNECTION | cut -d " " -f 1`

    curl -X POST --data-urlencode 'payload={"channel": "#<your channel>", "username": "SSH Login watcher", "text": "User '${USER}' just logged in from '${ip}'", "icon_emoji": ":robot_face:"}' https://hooks.slack.com/services/<rest of the webhook>
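
As an added example (not code from any poster in this thread), here is a `/etc/ssh/sshrc` notifier that also covers the points raised in lazyant's and mscman's comments: it escapes every value it interpolates into the JSON, posts in the background with a timeout so a dead network cannot delay logins, and keeps the webhook URL out of the script. The path `/etc/ssh/slack-webhook-url` and the channel name are assumptions.

```shell
#!/bin/sh
# Added example: hardened Slack notifier for /etc/ssh/sshrc (runs under /bin/sh).
# Assumption: the webhook URL is stored in /etc/ssh/slack-webhook-url (hypothetical
# path). sshrc runs as the logging-in user, so that file must be readable by SSH
# users, and sshd skips /etc/ssh/sshrc entirely when ~/.ssh/rc exists. Treat this
# as a convenience signal; auth logs or a pam_exec hook are the tamper-resistant
# record.

WEBHOOK_FILE=/etc/ssh/slack-webhook-url   # hypothetical path
CHANNEL="#ssh-logins"                     # constructed sample channel

# First field of SSH_CONNECTION is the client IP (the third is the server IP).
ssh_source_ip() {
    printf '%s\n' "${1%% *}"
}

# Escape a value for use inside a JSON string: backslash, double quote, newline.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\n'
}

# Build the Slack payload with every interpolated value escaped, so a username
# or hostname containing a quote cannot break out of the JSON structure.
build_payload() {
    channel=$(json_escape "$1"); user=$(json_escape "$2")
    ip=$(json_escape "$3"); host=$(json_escape "$4")
    printf '{"channel":"%s","username":"SSH Login watcher","text":"User %s logged in to %s from %s","icon_emoji":":robot_face:"}' \
        "$channel" "$user" "$host" "$ip"
}

# Post in a backgrounded subshell with a hard timeout, so a slow or dead
# network never delays the login (the '&' point raised in the thread).
notify_slack() {
    payload=$(build_payload "$CHANNEL" "$USER" "$(ssh_source_ip "$SSH_CONNECTION")" "$(hostname)")
    ( curl -sS --max-time 5 -X POST --data-urlencode "payload=$payload" "$1" >/dev/null 2>&1 & )
}

# Only fire inside a real SSH session when the URL file is present.
if [ -n "${SSH_CONNECTION:-}" ] && [ -r "$WEBHOOK_FILE" ]; then
    notify_slack "$(cat "$WEBHOOK_FILE")"
fi
```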

------
CaptSpify
I do the same thing, except I email the logins to myself with SEC:
[https://simple-evcorr.github.io/](https://simple-evcorr.github.io/)

------
Kenp77
Elegant. Thank you! Is there a way to extend it to override DND?

~~~
sandm
That's a great idea. But I didn't find any docs that explain how to override
DND. I opened a feature request instead, so we'll see how it goes :)

~~~
jerf
That kind of gets you into this sort of problem:
[https://blogs.msdn.microsoft.com/oldnewthing/20110310-00/?p=11253](https://blogs.msdn.microsoft.com/oldnewthing/20110310-00/?p=11253)

If you start overriding DND, now the user is going to want super-DND. Which
somebody will then want to override, and so on. The correct solution is that
your users need to not set DND when they in fact need to be disturbed, and
your systems shouldn't be disturbing unnecessarily, and to the extent that's a
_really hard problem_ , well, yes, it very much is, but an unboundedly-large
hierarchy of "bother that person, no don't bother me, SUPER bother that
person, no SUPER don't bother me, SUPER MEGA bother that person" isn't part of
the solution set.

~~~
falcolas
The biggest problem with DND in my book is that when first introduced it was
enabled automatically, and not super obvious that it was enabled.

This caused more than a few missed announcements and made escalation hard for
a bit.

------
hoorayimhelping
Love this, great idea! I've been trying to set up useful Slack integrations
lately and this is a really clever use of them.

------
tinco
Excellent. I've been thinking about having an SSHD keylogger post to slack (or
some other log). It's crazy that sshd doesn't have this functionality built-in.
It's so important to know what your admins are executing on your machines.
Aside from the fact that they might have been compromised, it's just good to
know what sort of general administration is being done.

~~~
noja
> It's so important to know what your admins are executing on your machines...

Micromanagement at its finest!

> it's just good to know what sort of general administration is being done.

Your change management process will give you an overview of what your admins
are doing.

~~~
_yy
Incident response. When one of your admin accounts is compromised, you'd want
to know what the attacker executed.

~~~
ultramancool
Yes you would - but why just SSH? Wouldn't auditd execve syscall logs sent to
a logstash server be better? It'd handle compromises other than SSH too.

~~~
_yy
Yes - though there's more to an SSH session than executing commands
(interacting with interactive editors, port forwarding, etc.)

------
codercotton
srvAudit also does this, though it's still early in development. srvaudit.com

