Triggering a Webhook on SSH Login
This guide outlines how to configure a Linux server to trigger a Host Alerts webhook when a user logs in via SSH. This is useful for security alerts or for automating tasks upon login.
Prerequisites:
- Linux System: This guide assumes a Linux-based system (e.g., Ubuntu).
- Basic Shell Scripting Knowledge: Familiarity with shell scripting is necessary.
- Root or sudo access: You'll need elevated privileges to modify system files.
Installation
Step 1: Edit the PAM Authentication File
Modify the PAM (Pluggable Authentication Modules) SSH session file to call a script when a user logs in.
Run this command to edit the PAM configuration for SSH:
```bash
sudo nano /etc/pam.d/sshd
```
Add this line at the end:
```
session optional pam_exec.so /opt/ssh-webhook.sh
```
Step 2: Create the Webhook Script
Create a script at /opt/ssh-webhook.sh that will send a request to your webhook URL.
WARNING
Replace your-host-code with the host code from the Host Alerts app.
```bash
#!/bin/bash
# Webhook settings
WEBHOOK_URL="https://justshare.me/trigger/alert"
CODE="your-host-code"
# Extract username and IP
USER_NAME="$PAM_USER"
USER_IP="$PAM_RHOST"
# Send the request
curl -G --data-urlencode "code=$CODE" --data-urlencode "user=$USER_NAME" --data-urlencode "ip=$USER_IP" "$WEBHOOK_URL"
```
Step 3: Make the Script Executable
Run:
```bash
sudo chmod +x /opt/ssh-webhook.sh
```
Step 4: Restart SSH Service
To apply the changes, restart SSH:
```bash
sudo systemctl restart sshd
```
How It Works
- Every time someone logs into SSH, PAM will execute the script.
- The script extracts the username ($PAM_USER) and IP address ($PAM_RHOST).
- It then makes a GET request to your webhook with the required parameters.
WARNING
The webhook triggers on every SSH login and logout.
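If an alert on login only is preferred, the script can check the PAM_TYPE variable that pam_exec exports (open_session or close_session for a session line). The variant below is an added example, not the guide's own script: it sends the same request only on session open and bounds it with curl's --max-time so an unreachable webhook cannot hold up the session. The function names should_notify, send_alert and main are hypothetical.

```shell
#!/bin/bash
# Added example (not the guide's script): login-only variant of /opt/ssh-webhook.sh.

# Webhook settings, same values as in the guide
WEBHOOK_URL="https://justshare.me/trigger/alert"
CODE="your-host-code"   # placeholder: replace with your host code

# pam_exec exports PAM_TYPE; succeed only when a session is being opened.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# Send one GET request with the guide's three parameters.
# --max-time bounds the whole transfer; output is discarded so nothing
# from the webhook response reaches the login session.
send_alert() {
    curl --silent --output /dev/null --max-time 5 -G \
        --data-urlencode "code=$CODE" \
        --data-urlencode "user=${PAM_USER:-}" \
        --data-urlencode "ip=${PAM_RHOST:-}" \
        "$WEBHOOK_URL"
}

main() {
    # Skip close_session (logout) and any other PAM stage.
    should_notify || return 0
    # A failed or timed-out request must not turn into a script failure.
    send_alert || true
    return 0
}

# Run only when started by pam_exec, which always sets PAM_TYPE.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Keep the script owned by root and not writable by other users, since sshd runs it through pam_exec with root privileges and it contains your host code.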
