Get a Telegram alert on a SSH login with PAM

In a previous article, we saw how to receive an e-mail once an SSH connection is established on your server. Since e-mails are becoming a bit old school, we will see how to receive a message on Telegram via a bot that we will create.

To follow this article, you first need to complete the previous one. The only difference is that the Script file part must not be copied, because that is the script we are going to modify here.

Information and requirements

These elements are to be taken into consideration to follow this article:

Telegram bot

Creating a bot on Telegram is quite simple. Start a conversation with BotFather, which is itself a bot used to manage yours.

To start the conversation with BotFather, send it the following message.

/start

It will give you all the commands that you can send.

Create yours

To create a bot, send /newbot.

Alright, a new bot. How are we going to call it? Please choose a name for your bot.

Choose a name for your bot. For this example, we will choose Test, so send Test.

Good. Now let's choose a username for your bot. It must end in `bot`. Like this, for example: TetrisBot or tetris_bot.

Choose a username for your bot. In this example, we will choose ThePAMTestBot, so send ThePAMTestBot. Once you send it, BotFather replies with some information for talking to your brand new bot, along with the token to access the HTTP API. Keep your token secure and store it safely: it can be used by anyone to control your bot. As soon as this article is finished, this bot will be deleted, so don’t try to communicate with it.

For simplicity, I show the token here.

1390824186:AAE-a336pYNwMqH41PjxJR-UP0xk_stWtWU

Before starting the conversation with your bot, check that it is active by making an HTTP request to the Telegram API. Be sure to add bot before the token.

curl https://api.telegram.org/bot1390824186:AAE-a336pYNwMqH41PjxJR-UP0xk_stWtWU/getUpdates
{"ok":true,"result":[]}

If you get the answer {"ok":true,"result":[]}, it means that everything is good!

Take the first step with your bot

Open a conversation with your bot at t.me/username (here, t.me/ThePAMTestBot) and send it /start.

To send a message to your bot via an HTTP request, you need to know the chat id. Send the same request again to retrieve this information.

curl -sSf https://api.telegram.org/bot1390824186:AAE-a336pYNwMqH41PjxJR-UP0xk_stWtWU/getUpdates | jq '.result[].message.from.id'

Here, I pipe the response through jq to extract the id of the sender, which in a private chat is also the chat id.

939838712

Send a message

To send a message via an HTTP request, you need the token and the chat id. Hit the route sendMessage with the POST method. Add the data via the -d flag, here the chat id via chat_id and the content of the message to be sent via text.

curl -sSf -X POST https://api.telegram.org/bot1390824186:AAE-a336pYNwMqH41PjxJR-UP0xk_stWtWU/sendMessage -d chat_id=939838712 -d text="First message via cURL" | jq
{
  "ok": true,
  "result": {
    "message_id": 2,
    "from": {
      "id": 1390824186,
      "is_bot": true,
      "first_name": "Test",
      "username": "ThePAMTestBot"
    },
    "chat": {
      "id": 939838712,
      "first_name": "Adrien",
      "type": "private"
    },
    "date": 1603918239,
    "text": "First message via cURL"
  }
}

PAM’s configuration

As I have said before, we are going to change the script so that it sends a message to your bot instead of sending an e-mail.

Copy the following script into /etc/pam.scripts/ssh.

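#!/usr/bin/env bash

# pam_exec sets PAM_TYPE; only alert when a session is opened.
if [ "${PAM_TYPE}" = "open_session" ]; then
        # --data-urlencode keeps spaces and special characters in the message intact;
        # --max-time stops a slow Telegram API call from delaying the login.
        /usr/bin/curl -sSf --max-time 10 -X POST https://api.telegram.org/bot1390824186:AAE-a336pYNwMqH41PjxJR-UP0xk_stWtWU/sendMessage --data chat_id=939838712 --data-urlencode text="[PAM] - a login was successful from $PAM_RHOST with user $PAM_USER." --output /dev/null
fi

# Always exit 0 so a failed alert is not reported to PAM as a failure.
exit 0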

That’s it! From now on, as soon as an SSH connection is established, you will be immediately notified by the following message on Telegram.

[PAM] - a login was successful from $PAM_RHOST with user $PAM_USER.

Variables $PAM_RHOST and $PAM_USER will be replaced respectively by the source IP address that connected to your server and the user used to connect. Tune this message according to your needs.
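
A hardened variant of the script above, added here as an example and not part of the original article: it reads the token from a root-only file instead of embedding it, feeds the URL to curl on stdin so the token stays out of the process list, and restricts the characters taken from PAM_RHOST and PAM_USER. The path /etc/pam.scripts/telegram.conf, its TOKEN and CHAT_ID keys, the TELEGRAM_CONF override and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the article's script. Assumed config file (hypothetical path),
# two lines: TOKEN=<bot token> and CHAT_ID=<chat id>, created with chmod 600.
CONF="${TELEGRAM_CONF:-/etc/pam.scripts/telegram.conf}"

# Succeeds only if the file belongs to the calling user (root under PAM)
# and grants nothing to group/other. Uses GNU stat.
conf_is_private() {
    meta=$(stat -c '%a %u' "$1" 2>/dev/null) || return 1
    [ "${meta#* }" = "$(id -u)" ] || return 1
    case "${meta% *}" in
        *00) return 0 ;;   # 600, 400, ...
        *)   return 1 ;;
    esac
}

# Prints the value of the first KEY=... line; the file is parsed, never sourced.
conf_get() { sed -n "s/^$1=//p" "$2" | head -n 1; }

# Keeps only characters found in IP addresses, host names and user names, so
# PAM_RHOST / PAM_USER cannot smuggle newlines or markup into the alert.
clean() { printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._:@-'; }

alert_text() {
    printf '[PAM] - a login was successful from %s with user %s.' \
        "$(clean "$1")" "$(clean "$2")"
}

send_alert() {
    conf_is_private "$CONF" || return 1
    token=$(conf_get TOKEN "$CONF")
    chat=$(conf_get CHAT_ID "$CONF")
    # Reject an empty token or one with characters that could break the URL.
    case "$token" in ''|*[!0-9A-Za-z_:-]*) return 1 ;; esac
    # The URL carries the token, so it is fed to curl on stdin (--config -)
    # and never appears in the process list.
    printf 'url = "https://api.telegram.org/bot%s/sendMessage"\n' "$token" |
        /usr/bin/curl -sSf --max-time 10 --config - \
            --data-urlencode "chat_id=$chat" \
            --data-urlencode "text=$(alert_text "$PAM_RHOST" "$PAM_USER")" \
            --output /dev/null
}

# Runs only under pam_exec; the final status is always 0 so a failed alert
# never turns into a failed login.
[ "${PAM_TYPE:-}" = "open_session" ] && send_alert || true
```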