
Send a message to teams channel on Linux server SSH connexion

45 points| Mooty | 2 years ago |github.com

19 comments


blueflow|2 years ago

This is done via profile.d and can be circumvented by executing anything other than a login shell:

  ssh host /bin/sh -i

Better would be enabling PAM via sshd_config and generating the message from there.

Ajunne|2 years ago

Or to actually get a login shell, but without loading the profile:

> ssh host -t "bash --noprofile"

zokier|2 years ago

there is also sshd ForceCommand that could be used here

pimlottc|2 years ago

Original title: "Alert via Teams when user logon via SSH". Capitalization is important since it's actual Microsoft Teams.

taskforcegemini|2 years ago

if a company uses generic names like "apple" or "teams" for their brands, any confusion is on them. maybe something more specific like "ms-teams" should be used.

Mooty|2 years ago

I've copied a project that basically sends a message to telegram with information when someone connects on a linux server.

But this time it's for MS Teams channels, which is possible through Webhooks.

I thought that might be interesting for other people, so I'm sharing :) It can probably be adapted to any other webhook, as long as the webhook URL accepts the JSON sent.

calvinmorrison|2 years ago

I think, going off the auth log is better, or just logs in general. Build one script that matches regex patterns and sends alerts and you can monitor for a lot more than just logins.

heywoodlh|2 years ago

This is what I use for my home lab running NixOS:

https://github.com/heywoodlh/nixos-configs/blob/d5b0ffbcc4cb...

This script is so nice because it's so simple: it follows the journalctl output of sshd.service and then sends a push notification to me through Gotify's CLI when journalctl's output matches what I set $grep_regex_pattern to (I just need to remember to set up gotify when I set up my server). The best part is that it's so easy to modify this script for ANY systemd service that is using journalctl.

I alert on all successful and failed attempts, because in my home lab, I should be the only one logging in -- so I don't really get notifications unless I'm working on something. It's helped me a few times when I've accidentally left port 22 exposed to the world on some VPS' -- reminding me to add firewall rules to reduce access.

EDIT: clarified that sshd-monitor sends alerts when matching regex pattern
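The log-based approach described in the two comments above, as an added example that is not part of the thread or of the linked projects: it matches sshd's standard "Accepted ... for" / "Failed ... for [invalid user]" messages and builds one webhook body per event. The function names, the constructed sample lines and the `{"text": ...}` payload shape are assumptions; the user name in a failed attempt is chosen by the client, so the body is built with a JSON encoder rather than string interpolation.

```python
import json
import re

# sshd auth messages as written to syslog/journald, for example:
#   Accepted publickey for alice from 203.0.113.5 port 52344 ssh2
#   Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
# The greedy user group makes the LAST " from <ip> port <n>" win, so a
# client-chosen name containing " from 1.2.3.4 port 1" cannot spoof the source.
SSHD_EVENT = re.compile(
    r"sshd(?:-session)?\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>.*) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_line(line):
    """Return a dict describing a login event, or None for unrelated lines."""
    m = SSHD_EVENT.search(line)
    if m is None:
        return None
    return {
        "success": m["result"] == "Accepted",
        "method": m["method"],
        "user": m["user"],
        "known_user": m["invalid"] is None,
        "ip": m["ip"],
        "port": int(m["port"]),
    }

def webhook_payload(event, host):
    """JSON body for the webhook; json.dumps escapes quotes in the user name."""
    status = "OK" if event["success"] else "FAILED"
    text = (f"SSH login {status}: user={event['user']} host={host} "
            f"src={event['ip']} method={event['method']}")
    return json.dumps({"text": text})

def alerts(lines, host):
    """Payloads for every login event found in an iterable of log lines."""
    return [webhook_payload(e, host) for e in map(parse_line, lines) if e]

# Constructed sample input (not real logs); the third line carries a hostile user name.
SAMPLE_LOG = [
    'Jun 01 10:00:01 web1 sshd[811]: Accepted publickey for alice from 203.0.113.5 port 52344 ssh2: ED25519 SHA256:constructed',
    'Jun 01 10:00:07 web1 sshd[815]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2',
    'Jun 01 10:00:09 web1 sshd[815]: Failed password for invalid user x" from 192.0.2.1 port 1 from 198.51.100.7 port 40023 ssh2',
    'Jun 01 10:00:12 web1 sshd[811]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)',
]

if __name__ == "__main__":
    for body in alerts(SAMPLE_LOG, "web1"):
        print(body)  # each line is a body that could be POSTed to the webhook URL
```

Because it reads what sshd itself logs, this sees the non-login-shell sessions that a profile.d hook misses, and failed attempts as well.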

ca_tech|2 years ago

May want to add a proxy config to pass proxy information to the curl command. I would expect that some of the more important servers to get alerted about are those NOT able to access the internet directly.

ta1243|2 years ago

I'd personally base the alert on the syslog message as it comes in but YMMV

hoppla|2 years ago

Cool idea, but I would have implemented this as a PAM-script rather than as a user profile script.

high_priest|2 years ago

This, but for Matrix network! Man, the possibilities with an alerting system like this!

tetris11|2 years ago

Forgive my lack of imagination, but what possibilities other than printing a message "User X has logged in on System Y"?

heyoni|2 years ago

If this means never having to open the Teams client ever again then I’m very excited.

petemir|2 years ago

I understood just as incorrectly as you :), but finally got what it does from others' comments. Clearly some editorial work could be used to disambiguate the title...

woopwoop24|2 years ago

tell me you are french, by not telling me you are french ;) "connexion" :D

bandrami|2 years ago

20 years ago this capability was bog-standard for any team communication protocol. We've lost so many good workflows in the 21st century.

bombolo|2 years ago

We have logging and remote logging. If you don't check the logs, it isn't the fault of modernity.