From: Joann Mõndresku Date: Sat, 20 Aug 2022 12:04:20 +0000 (+0300) Subject: SSH Alerts Landchad style. X-Git-Url: https://git.based.quest/%7B%7B?a=commitdiff_plain;h=09b162eb60ab39f549e774a9f78a620315380fca;p=web-old.git SSH Alerts Landchad style. --- diff --git a/articles/ssh-alerts-landchad-style.md b/articles/ssh-alerts-landchad-style.md new file mode 100644 index 0000000..5996d7b --- /dev/null +++ b/articles/ssh-alerts-landchad-style.md @@ -0,0 +1,132 @@ +How to setup SSH alerts like a landchad + +# Preface +I recently installed ntfy to enable UnifiedPush on several apps on my phone +in order to conserve battery life and make notifications work more real-time. +That gave me the idea that I can use this same idea for creating SSH intrusion +alerts for my server for that extra peace of mind. + +## Installing ntfy +Installing it is quite straightforward. You can find [guide for installing it on their website.](https://ntfy.sh/docs/install/) +In my instance, I had to install it for Ubuntu, so following commands had to +be executed: + +``` +curl -sSL https://archive.heckel.io/apt/pubkey.txt | sudo apt-key add - +sudo apt install apt-transport-https +sudo sh -c "echo 'deb [arch=amd64] https://archive.heckel.io/apt debian main' \ + > /etc/apt/sources.list.d/archive.heckel.io.list" +sudo apt update +sudo apt install ntfy +sudo systemctl enable ntfy +sudo systemctl start ntfy +``` + +Now this enables anonymous access and everything to your server. That is cool +and all if you wish to offer this for public, but it comes with its own +reprecussions. I wished to keep my instance private just to eliminate interference +with my own alerts and also have more trust in the system. +You do not want to deal with phishers using YOUR instance or bad actors to +derail you with false alerts. + +In order to privatize your instance, you need to open /etc/ntfy/server.yml and +edit the following: + +``` +auth-file: "/var/lib/ntfy/user.db" +auth-default-access: "deny-all" +``` + +This leaves you with a bare setup and may not fully suit your previously installed +services. In my case I had to create a reverse-proxy for it. +You can find the template for your preferred webserver in their docs. One thing +to keep in mind though with their nginx template, is that you will need to add +IPv6 listener manually should you use IPv6 on your server as it's absent. +Generate an SSL certificate using certbot and nginx plugin. + +Edit your configuration again as follows: + +``` +base-url: https:// +listen-http: "127.0.0.1:2586" # can be your preferred port too. +behind-proxy: true # only if reverse-proxy. otherwise false, listen-http to 0.0.0.0 and provide ssl certs as well in config. + +# optionally enable cache incase your push notif receivers go offline for prolonged time. +cache-file: /var/cache/ntfy/cache.db +cache-duration: "12h" +``` + +If you are also using Debian or Ubuntu, run `systemctl restart ntfy`. You should +now have a private instance of ntfy provided your reverse proxy worked out. +Next up you should create an admin account for your administrative needs with +`ntfy user add --role admin `. Use this when necessary. +You should also create your own user with `ntfy user add `. + +In order to make your instance UnifiedPush compatible, you need to give world +access to write to service URLs with `ntfy access everyone 'up*' write-only`. +Now you can give permissions for yourself as well - you can be generous here and +give read-write to everything with `ntfy access '*' read-write`. + +By now everything should be functioning as intended and your instance is compatible +with UnifiedPush and you can start receiving notifications through it. + +Install the ntfy mobile app from F-Droid or your preferred application library. +Go to settings of the app, add user pointing to your instance with credentials +of your previously created user. + +## Creating the monitor +Subscribe with your device to a new topic on your instance, I used "sysalerts" +myself. + +Next up, create a new monitor user on your server: `ntfy user add monitor`. +Give it permission to your ssh alerts topic. `ntfy access monitor 'sysalerts' write-only`. + +Create a script file in world-accessible path called "ssh_login.sh". +Paste the following and modify according to your setup: + +``` +#!/bin/bash +MONITOR="monitor:password" +CURTIME=$(date) +INSTANCE="your.based.server" +TOPIC="sysalerts" + +if [ "$PAM_TYPE" != "close_session" ]; then + if [ "$PAM_USER" == "git" ]; then + exit 0 + fi + ntfy publish \ + -u "$MONITOR" \ + --tags warning \ + --title "Successful SSH authentication" \ + "$INSTANCE/$TOPIC" \ + "There has been a successful login to ssh on cernodile.com. +User $PAM_USER from IP $PAM_RHOST on $CURTIME" +fi +``` + +Make it world-executable `chmod ugo+x ssh_login.sh` and edit `/etc/pam.d/sshd`. + +Append the following line to it: `session optional pam_exec.so seteuid /path/to/ssh_login.sh`. + +This will make the script be run every single time someone authenticates through SSH and also not block login if +the script is not absent. + +Just to be sure, keep your current SSH session and alive and try opening a second one. If everything is done +correctly, you should have a notification on your phone (or desktop if you subscribed on it as well). + +## Closing words +I understand this may not be a fully elegant solution and there can be security implications here. +I am open to improving this solution, a healthy dialogue is encouraged on the topic. So far this has been +working without an issue. You can easily set it up with a public provider too (nfty themselves have a public +instance!), but that would defeat the purpose of being a landchad. + +[The alert looks something like this (img size 33K)](/img/ssh-ntfy.png) + + +Thanks for reading, +- Cernodile + +;tags:privacy linux opensource tutorial +;description:Have you thought of creating a SSH intrusion alert system, but don't want to integrate a full on monitoring-stack such as Nagios? In this blog, I walk you through on installing ntfy, making it a UnifiedPush provider and a useful tool for monitoring your SSH logins. +;og_image: diff --git a/data/img/ssh-ntfy.jpg b/data/img/ssh-ntfy.jpg new file mode 100644 index 0000000..14c39cb Binary files /dev/null and b/data/img/ssh-ntfy.jpg differ diff --git a/data/img/ssh-ntfy.png b/data/img/ssh-ntfy.png new file mode 100644 index 0000000..3a3fa5b Binary files /dev/null and b/data/img/ssh-ntfy.png differ diff --git a/templates/header.html b/templates/header.html index 11a279e..b423a90 100644 --- a/templates/header.html +++ b/templates/header.html @@ -8,6 +8,6 @@ $OG_IMAGE $TITLE - +