
I would like to be notified if there is ever a successful SSH login into the machine that I accept external connections on via NTFY. Since I frequently login this machine locally (192.168.1.0/24), I'd like to avoid notifications when the connection is from that range.

I am following the example listed here: https://docs.ntfy.sh/examples/#ssh-login-alerts

The notifications work correctly but I am trying to modify my script to exclude 192.168.*, my bash is awful and I have been banging my head against this for hours.

I have modified the ntfy-ssh-login.sh to this:

#!/bin/bash
if [ "${PAM_TYPE}" = "open_session" ]; then
        if [ "${PAM_RHOST}" != 192.168.* ]; then
          curl \
            -H prio:high \
            -H tags:warning \
            -d "SSH login: ${PAM_USER} from ${PAM_RHOST}" \
            http://192.168.1.137:8777/alerts
        fi
fi

which I expect will not send the alert to NTFY if PAM_RHOST starts with 192.168. However, it always sends the alert. I know the value of PAM_RHOST starts with that value because it's included in the alert:

30/08/2023, 22:12 Priority 4

⚠️ SSH login: --redacted-- from 192.168.1.11

That 192.168.1.11 is set by ${PAM_RHOST}.

I am sure I am doing something silly.

  • Why? If your machine is accessible on the internet, you will get alerts all the time - automated attacks never stop, and there are new wanna-be script-kiddies pretending to be "badass hax0rs, just like on TV" (usually with kali) all the time. The constant alerts will drive you crazy. Just use fail2ban or similar to block repeated failed attempts. Or, if you never need to connect from public IP addresses, just block all ssh connections from outside. Or allow ssh only from certain subnets, or set up port knocking to temporarily open access to an IP. Commented Aug 31, 2023 at 4:30
  • Although I lock my front door I also set my house alarm at night. I also use fail2ban and logged over 100,000 separate "bans" over the last six months from 12,000 different 'hosts'. I also run NAT with a different external port than 22. SSH is the last remaining publicly accessible port. I need that open so I'd like to be able to be alerted if someone externally successfully logs in because I do it so rarely that it is notable. Commented Aug 31, 2023 at 13:00
  • 1
    If you want 192.168.* to be treated as a pattern, I believe you would need to use [[ for your if test as [ does not seem to support string patterns: if [[ "${PAM_RHOST}" != 192.168.* ]]; Commented Sep 1, 2023 at 21:16
  • Thank you @GracefulRestart. That solved the issue and now I am only being alerted from non-local logins. I appreciate it. Commented Sep 4, 2023 at 18:05

1 Answer

Making my comment into something of an answer.

The [ test does not treat the * character as a wildcard/pattern, so the ${PAM_RHOST} would never match and your then expression is always evaluated.

Since you are using /bin/bash, you have the [[ test available which will handle a comparison with * as a pattern:

if [[ "${PAM_RHOST}" != 192.168.* ]];
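The same decision, as an added example that is not part of the answer or of the ntfy docs script: the "is this host local?" test is pulled into a function so it can be exercised without a PAM session, and a `case` glob is used so the check also works under plain /bin/sh. The ntfy URL and the 192.168.* range are taken from the question; the `::ffff:` pattern and the `broken_is_local` helper (which reproduces the original `[` comparison) are assumptions added for illustration.

```shell
#!/bin/bash
# Added example: ntfy-ssh-login.sh logic split into testable functions.
NTFY_URL="http://192.168.1.137:8777/alerts"   # server from the question

# is_local_host ADDR -> exit 0 if ADDR should not trigger an alert.
# case patterns are globs in every POSIX shell, so no [[ is needed.
# The ::ffff: form is only a defensive extra for IPv4-mapped addresses.
is_local_host() {
    case "$1" in
        192.168.*|::ffff:192.168.*) return 0 ;;
        *) return 1 ;;
    esac
}

# broken_is_local ADDR -> what the question's [ test actually does:
# [ compares strings literally, so "192.168.1.11" never equals "192.168.*".
broken_is_local() {
    [ "$1" = "192.168.*" ]
}

# should_alert PAM_TYPE PAM_RHOST -> exit 0 if a notification is due.
# Only session opens count; an empty PAM_RHOST (a login with no remote
# host, e.g. from a local console) is treated as local.
should_alert() {
    [ "$1" = "open_session" ] || return 1
    [ -n "$2" ] || return 1
    if is_local_host "$2"; then return 1; fi
    return 0
}

# alert_body USER RHOST -> the exact text the original script posts.
alert_body() {
    printf 'SSH login: %s from %s' "$1" "$2"
}

# send_alert USER RHOST -> POST to ntfy with the same headers as before.
send_alert() {
    curl -H prio:high -H tags:warning \
         -d "$(alert_body "$1" "$2")" "$NTFY_URL"
}

# Entry point under pam_exec: PAM_* come from the PAM environment.
# When run by hand (no PAM_TYPE) nothing is sent.
if [ -n "${PAM_TYPE:-}" ] && should_alert "$PAM_TYPE" "${PAM_RHOST:-}"; then
    send_alert "${PAM_USER:-unknown}" "$PAM_RHOST"
fi
```

To dry-run the decision on a host, call `should_alert open_session 203.0.113.5; echo $?` (0 means an alert would be sent).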
