How to Set Up SSH Login Notifications with IP geolocation

Server admins commonly use SSH to log in to Linux servers. They will disable login via password due to the ease of brute force attacks these days. The recommended practice is to only allow login to the servers using private/public keys. It is also good to set up SSH notifications with IP geolocation for better security. Admins will receive real-time notifications whenever anyone logs in to the servers. Getting an immediate notification when someone logs in is beneficial from a security viewpoint. It increases the chance that you can prevent an authorized party from doing real damage to your server. If you see a login for a suspicious region or ISP, you can take remedial action ASAP. A fast response to intrusion will give the bad actor no chance to steal your data. Pre-requisites to setup SSH notification with IP geolocation Our script will use the Web Service to query geolocation data using the user’s IP address. WS4 has data about Country, Region, City and ISP; more than enough for our notification example. That said, you can use a different package if you require more geolocation data. To use the Web Service, you need an API key. If you don’t have one, ip2 is an option: https://www.ip2location.com/web-service/ip2location In addition to the API key, you must also install and in your Linux server. The package is required to call the Web Service while the package is required to parse JSON response from the web service. jq wget wget jq SSH Login Notification Script To enable the SSH notification script to run upon login, the following code should be copied and pasted into your file. Replace with the actual Web Service API key. ~/.bashrc IP2LOCATION_API_KEY If you want to enable Slack notification, then replace with the actual URL. Otherwise, comment out the Slack-specific lines of codes. SLACK_WEBHOOK_URL Lastly, edit with the email address that will receive the notification. NOTIFICATION_EMAIL API_KEY="IP2LOCATION_API_KEY" SLACK_WEBHOOK="SLACK_WEBHOOK_URL" EMAIL="NOTIFICATION_EMAIL" IP="$(echo $SSH_CONNECTION | cut -d " " -f 1)" if [ ! -z "$IP" ]; then RESULT="$(wget -q -O /dev/stdout 'https://api.ip2location.com/v2/?key='"$API_KEY"'&ip='"$IP"'&package=WS4')" CITY="$(echo $RESULT | jq -r .city_name)" REGION="$(echo $RESULT | jq -r .region_name)" COUNTRY="$(echo $RESULT | jq -r .country_name)" LOCATION="$(echo $CITY, $REGION, $COUNTRY | sed 's/^[, ]\+//g')" ISP="$(echo $RESULT | jq -r .isp)" HOSTNAME=$(hostname -f) NOW=$(date +"%e %b %Y, %a %r (UTC %Z)") # Slack notification wget -q -O /dev/null --no-check-certificate --header 'Content-Type: application/json' --post-data '{"username":"'"$HOSTNAME"'", "icon_url":"https://i.imgur.com/X2W00e2.png", "channel":"#general", "attachments":[{"title":"SSH Notification", "color":"#FDAE02", "mrkdwn_in": ["text"], "text": "*IP Address*: '"$IP"'\n*Location:* '"$LOCATION"'\n*ISP:* '"$ISP"'\n*Date:* '"$NOW"'"}]}' $SLACK_WEBHOOK # Email notification echo "SSH login from $LOCATION ($IP)." | mail -s "SSH Login Notification" "$EMAIL" fi Conclusion: SSH Login Notifications with IP Geolocation IP geolocation is useful to detect where your users are logging in from. If you see any locations that are in unexpected regions, you should be alert and perform a security audit of your system. A data breach is a very serious issue these days so it pays to be extra vigilant with your monitoring.

How to Set Up SSH Login Notifications with IP geolocation

Too Long; Didn't Read

Company Mentioned

@ip2location

RELATED STORIES