It's been 3 months since I dived into the world of blue teaming, and I have to say that creating and defending is just as interesting as breaking.
This journey includes building tools, writing scripts to aid in different assessments, and generating easily consumable reports.
Overview
One of the best things about doing so is having notifications fire on your phone when a task completes on your VPS. So in this post, I will walk through a simple example of receiving a notification once an action is done, using Slack.
N.B. Discord is a good alternative as well.
I will use a simple SSH login notification. From this, one can get creative and explore the endless possibilities.
The Entire Process
Slack Setup: Web hooks
First we have to set up incoming webhooks. They allow applications to communicate with Slack by posting messages that Slack receives and displays in a channel.
- Sign in to your Slack account and create a Slack app.
- Enable Incoming Webhooks
- Activate Incoming Webhooks
- Create a new channel to receive the alert. From the App home page, click on Add channel.
Give it a name, description and privacy status as shown.
- Authorize the app to access the created channel.
The new webhook should look like this: https://hooks.slack.com/services/TQFxxxxxxx/B0xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx
SSH configuration
- Create a file called "sshnotify.sh" or really any name you choose. Paste the code below into the file you created.
#!/bin/bash
# Restrict PATH so only system binaries are used when the hook runs
PATH=/bin:/usr/bin
# Only alert when a session is opened, not when it is closed
if [ "$PAM_TYPE" != "close_session" ]; then
  url="https://hooks.slack.com/services/TQXXXXXX/XXXXXXXX/webhook-token-goes-here"
  channel="#ssh-notify"
  host="$(hostname)"
  # Slack attachment with the user and the remote IP as two short fields
  content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"SSH login: $PAM_USER connected to \`$host\`\", \"text\": \"SSH login to \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$PAM_USER\", \"short\": true }, { \"title\": \"IP Address\", \"value\": \"$PAM_RHOST\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
  # Post the payload to the webhook in the background so the login is not delayed
  curl -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"SSH Notifications\", $content, \"icon_emoji\": \":inbox-tray:\"}" "$url" &
fi
The values above (webhook URL, channel, and so on) are bash variables and can be changed to suit your setup.
- Save the file to a path. I chose "/etc/ssh/sshnotify.sh".
- Run chmod +x /etc/ssh/sshnotify.sh to make it executable.
- Edit the file "/etc/ssh/sshd_config" using your favorite text editor. At the end of the file, add the line ForceCommand "/etc/ssh/sshnotify.sh". This makes sshd execute the script when an SSH login is allowed.
- Try to SSH into your server.
You should get a Slack alert like the one below.
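The script above splices $PAM_USER and $PAM_RHOST directly into the JSON it posts, so a value containing a double quote or backslash would produce a malformed payload that Slack rejects and the alert would silently never arrive. As an added example (not part of the original post), the variant below keeps the same session-open check and the same fields, but JSON-escapes every value, builds the payload in a function that can be tested on its own, and prints the payload instead of posting when no webhook URL is configured. It assumes the PAM_TYPE, PAM_USER and PAM_RHOST variables that PAM's pam_exec module exports to the hook it runs, and a SLACK_WEBHOOK_URL environment variable holding the webhook; both are assumptions of this example, and no real webhook URL appears in it.

```shell
#!/bin/sh
# Added example: SSH login alert to Slack with JSON-escaped fields.
# Assumes PAM_TYPE/PAM_USER/PAM_RHOST from pam_exec and SLACK_WEBHOOK_URL
# from the environment (example assumptions, not from the original post).
PATH=/bin:/usr/bin

# Escape backslashes and double quotes so a username or remote host string
# cannot break out of the JSON string it is embedded in.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Alert only when a session is opened, never on close_session.
should_notify() {
    [ "$1" != "close_session" ]
}

# Build the Slack payload for user $1 from remote host $2 on local host $3.
build_payload() {
    user=$(json_escape "$1")
    rhost=$(json_escape "$2")
    host=$(json_escape "$3")
    printf '{"channel": "#ssh-notify", "username": "SSH Notifications", "icon_emoji": ":inbox_tray:", "text": "SSH login to `%s`", "attachments": [{"color": "#F35A00", "fields": [{"title": "User", "value": "%s", "short": true}, {"title": "IP Address", "value": "%s", "short": true}]}]}' \
        "$host" "$user" "$rhost"
}

# Post the payload, or print it when no webhook URL is set so the hook can
# be exercised on a box without a Slack workspace.
notify() {
    payload=$(build_payload "$1" "$2" "$3")
    if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
        curl -s -X POST --data-urlencode "payload=$payload" "$SLACK_WEBHOOK_URL"
    else
        printf '%s\n' "$payload"
    fi
}

# Entry point when invoked by PAM; runs in the background so the login
# is not delayed by the HTTP request.
main() {
    if should_notify "${PAM_TYPE:-}"; then
        notify "${PAM_USER:-unknown}" "${PAM_RHOST:-unknown}" "$(hostname 2>/dev/null || echo localhost)" &
    fi
}

# Only act as a hook when PAM has set its variables; sourcing or running the
# file by hand without PAM_TYPE just defines the functions.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

To try it without Slack, run `PAM_TYPE=open_session PAM_USER=alice PAM_RHOST=10.0.0.5 sh sshnotify.sh` and inspect the printed JSON; set SLACK_WEBHOOK_URL to your webhook to have it posted instead.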
Why the SSH alerts?
This is helpful in one major way: real-time alerts.
Since an alert fires as soon as an SSH session is initiated, you can identify both authorized and unauthorized access to your server as it happens.
Some of the information captured in your Slack channel includes:
- User who logged in successfully.
- IP address used to log in
- Time of login
With this simple tutorial as a starting point, we can scale up to larger projects. In a future blog post, I will highlight how I use this in large-scale projects.