Truncate reverse engineering post, move some stuff for part two

[web-hugo.git] / content / posts / ssh-alerts-landchad-style.md

---
title: "How to setup SSH alerts like a landchad"
date: 2022-08-20T15:04:20+03:00
description: "Have you thought of creating a SSH intrusion alert system, but don't want to integrate a full on monitoring-stack such as Nagios? In this blog, I walk you through on installing ntfy, making it a UnifiedPush provider and a useful tool for monitoring your SSH logins."
tags: ['privacy', 'linux', 'opensource', 'tutorial']
aliases: ["/ssh-alerts-landchad-style.html"]
img: 'ssh-ntfy.jpg'
type: blog
draft: false
---

# Preface
I recently installed ntfy to enable UnifiedPush on several apps on my phone
in order to conserve battery life and make notifications work more real-time.
That gave me the idea that I can use this same setup for creating SSH intrusion
alerts for my server for that extra peace of mind.

## Installing ntfy
Installing it is quite straightforward. You can find [guide for installing it on their website.](https://ntfy.sh/docs/install/)
In my instance, I had to install it for Ubuntu, so following commands had to
be executed:

```
curl -sSL https://archive.heckel.io/apt/pubkey.txt | sudo apt-key add -
sudo apt install apt-transport-https
sudo sh -c "echo 'deb [arch=amd64] https://archive.heckel.io/apt debian main' \
    > /etc/apt/sources.list.d/archive.heckel.io.list"  
sudo apt update
sudo apt install ntfy
sudo systemctl enable ntfy
sudo systemctl start ntfy
```

Now this enables anonymous access and everything to your server. That is cool
and all if you wish to offer this for public, but it comes with its own
reprecussions. I wished to keep my instance private just to eliminate interference
with my own alerts and also have more trust in the system.
You do not want to deal with phishers using YOUR instance or bad actors to
derail you with false alerts.

In order to privatize your instance, you need to open /etc/ntfy/server.yml and
edit the following:

```
auth-file: "/var/lib/ntfy/user.db"
auth-default-access: "deny-all"
```

This leaves you with a bare setup and may not fully suit your previously installed
services. In my case I had to create a reverse-proxy for it.
You can find the template for your preferred webserver in their docs. One thing
to keep in mind though with their nginx template, is that you will need to add
IPv6 listener manually should you use IPv6 on your server as it's absent.
Generate an SSL certificate using certbot and nginx plugin.

Edit your configuration again as follows:

```
base-url: https://<your based domain or subdomain>
listen-http: "127.0.0.1:2586" # can be your preferred port too.
behind-proxy: true # only if reverse-proxy. otherwise false, listen-http to 0.0.0.0 and provide ssl certs as well in config.

# optionally enable cache incase your push notif receivers go offline for prolonged time.
cache-file: /var/cache/ntfy/cache.db
cache-duration: "12h"
```

If you are also using Debian or Ubuntu, run `systemctl restart ntfy`. You should
now have a private instance of ntfy provided your reverse proxy worked out.
Next up you should create an admin account for your administrative needs with
`ntfy user add --role admin <youradminuser>`. Use this when necessary.
You should also create your own user with `ntfy user add <user>`.

In order to make your instance UnifiedPush compatible, you need to give world
access to write to service URLs with `ntfy access everyone 'up*' write-only`.
Now you can give permissions for yourself as well - you can be generous here and
give read-write to everything with `ntfy access <user> '*' read-write`.

By now everything should be functioning as intended and your instance is compatible
with UnifiedPush and you can start receiving notifications through it.

Install the ntfy mobile app from F-Droid or your preferred application library.
Go to settings of the app, add user pointing to your instance with credentials
of your previously created user.

## Creating the monitor
Subscribe with your device to a new topic on your instance, I used "sysalerts"
myself.

Next up, create a new monitor user on your server: `ntfy user add monitor`.
Give it permission to your ssh alerts topic. `ntfy access monitor 'sysalerts' write-only`.

Create a script file in world-accessible path called "ssh_login.sh".
Paste the following and modify according to your setup:

```
#!/bin/bash
MONITOR="monitor:password"
CURTIME=$(date)
INSTANCE="your.based.server"
TOPIC="sysalerts"

if [ "$PAM_TYPE" != "close_session" ]; then
        if [ "$PAM_USER" == "git" ]; then
                exit 0
        fi
        ntfy publish \
        -u "$MONITOR" \
        --tags warning \
        --title "Successful SSH authentication" \
        "$INSTANCE/$TOPIC" \
        "There has been a successful login to ssh on cernodile.com.
User $PAM_USER from IP $PAM_RHOST on $CURTIME"
fi
```

Make it world-executable `chmod ugo+x ssh_login.sh` and edit `/etc/pam.d/sshd`.

Append the following line to it: `session optional pam_exec.so seteuid /path/to/ssh_login.sh`.

This will make the script be run every single time someone authenticates through SSH and also not block login if
the script is absent.

Just to be sure, keep your current SSH session and alive and try opening a second one. If everything is done
correctly, you should have a notification on your phone (or desktop if you subscribed on it as well).

## Closing words
I understand this may not be a fully elegant solution and there can be security implications here.
I am open to improving this solution, a healthy dialogue is encouraged on the topic. So far this has been
working without an issue. You can easily set it up with a public provider too (ntfy themselves have a public 
instance!), but that would defeat the purpose of being a landchad.

[The alert looks something like this (img size 33K)](/img/ssh-ntfy.png)


Thanks for reading,
- Cernodile