Setup SSH login notification with IP geolocation

Server admins commonly use SSH to log in to Linux servers. Most disable password login because password brute-force attacks are so easy these days; the recommended practice is to allow login only with public/private key pairs. It is also good to set up SSH login notification with IP geolocation for better security, so that admins receive a real-time notification whenever anyone logs in to the servers.

Getting an immediate notification when someone logs in is beneficial from a security viewpoint. It increases the chance that you can stop an unauthorized party before they do real damage on your server. If you see a login from a suspicious region or ISP, you can take remedial action right away. A fast response to an intrusion gives the bad actor little chance to steal your data.

Prerequisites to set up SSH notification with IP geolocation

Our script will use the IP2Location.io IP Geolocation API to look up geolocation data for the connecting user's IP address. The Starter plan returns Country, Region, City and ISP, which is more than enough for our notification example. You can use a higher API plan if you require more geolocation data.

To use the IP2Location.io API, you will need an API key. If you don't have one, get one from the link below.

https://www.ip2location.io/pricing

In addition to the API key, you must also install jq and wget on your Linux server. The wget package is used to call the IP2Location.io API, and the jq package is used to parse the JSON response from the API.

SSH login notification script

To make the SSH notification script run on every login, copy the following code into your ~/.bashrc file. Replace IP2LOCATIONIO_API_KEY with your actual IP2Location.io API key. If you want Slack notifications, replace SLACK_WEBHOOK_URL with your webhook URL; otherwise, comment out the Slack-specific lines of code. Lastly, set NOTIFICATION_EMAIL to the email address that should receive the notification.

API_KEY="IP2LOCATIONIO_API_KEY"
SLACK_WEBHOOK="SLACK_WEBHOOK_URL"
EMAIL="NOTIFICATION_EMAIL"

# SSH_CONNECTION holds "client_ip client_port server_ip server_port" and is
# only set in SSH sessions, so local console logins skip the notification.
IP="$(echo "$SSH_CONNECTION" | cut -d " " -f 1)"

if [ -n "$IP" ]; then
    RESULT="$(wget -qO - 'https://api.ip2location.io/?key='"$API_KEY"'&ip='"$IP")"

    # "// empty" turns a missing (null) field into an empty string rather than the word "null"
    CITY="$(echo "$RESULT" | jq -r '.city_name // empty')"
    REGION="$(echo "$RESULT" | jq -r '.region_name // empty')"
    COUNTRY="$(echo "$RESULT" | jq -r '.country_name // empty')"
    ISP="$(echo "$RESULT" | jq -r '.isp // empty')"
    HOSTNAME="$(hostname)"
    NOW="$(date +"%e %b %Y, %a %r (UTC %Z)")"
    # Strip the leading separators left behind when city or region is empty
    LOCATION="$(echo "$CITY, $REGION, $COUNTRY" | sed 's/^[, ]\+//')"

    # Slack notification (comment out these lines if you do not use Slack).
    # TLS certificate verification is left enabled: the webhook carries login details.
    wget -q -O /dev/null --header 'Content-Type: application/json' --post-data '{"username":"'"$HOSTNAME"'", "icon_url":"https://i.imgur.com/X2W00e2.png", "channel":"#general", "attachments":[{"title":"SSH Notification", "color":"#FDAE02", "mrkdwn_in": ["text"], "text": "*IP Address*: '"$IP"'\n*Location:* '"$LOCATION"'\n*ISP:* '"$ISP"'\n*Date:* '"$NOW"'"}]}' "$SLACK_WEBHOOK"

    # Email notification
    echo "SSH login from $LOCATION, $ISP ($IP)." | mail -s "SSH Login Notification" "$EMAIL"
fi
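The script above reads the client address straight from the environment and splices API fields into a hand-built message, so the edge cases worth checking are a malformed SSH_CONNECTION value, a geolocation field that comes back empty or null, and a field containing characters that break JSON. The helper functions below, added here as an example and not part of the original article or of IP2Location's code, cover those cases and run offline on constructed input; the names (client_ip, is_ip_literal, location_string, json_escape, mail_body) and the sample values are assumptions for the example, and the API lookup with wget and jq is left exactly as the article shows it.

```shell
#!/bin/sh
# Added example: helpers for the login-notification script. All input below
# is constructed; nothing here calls the API or sends a message.

# Extract the client address from an SSH_CONNECTION-style string
# ("client_ip client_port server_ip server_port").
client_ip() {
    printf '%s' "$1" | cut -d ' ' -f 1
}

# Accept only characters that can appear in an IPv4/IPv6 literal, so that a
# malformed environment value is never spliced into the API URL.
is_ip_literal() {
    case "$1" in
        '' | *[!0-9a-fA-F:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Join city, region and country, skipping empty or "null" parts, so the
# message never reads "null, , United States".
location_string() {
    _loc=""
    for _part in "$@"; do
        case "$_part" in
            '' | null) continue ;;
        esac
        if [ -z "$_loc" ]; then
            _loc="$_part"
        else
            _loc="$_loc, $_part"
        fi
    done
    printf '%s' "$_loc"
}

# Escape backslashes and double quotes before a value is embedded in the
# hand-built Slack JSON payload (an ISP name with a quote would otherwise
# produce an invalid body).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the one-line e-mail body in the same shape the article's script uses.
# $1 location, $2 ISP, $3 client IP
mail_body() {
    printf 'SSH login from %s, %s (%s).' "$1" "$2" "$3"
}

# Constructed sample run, standing in for $SSH_CONNECTION and the jq output.
SAMPLE_SSH_CONNECTION='203.0.113.5 54321 10.0.0.2 22'
ip="$(client_ip "$SAMPLE_SSH_CONNECTION")"
if is_ip_literal "$ip"; then
    loc="$(location_string 'null' 'California' 'United States')"
    mail_body "$loc" 'Example ISP' "$ip"
    echo
    printf 'Slack text field: %s\n' "$(json_escape 'ISP "Example" Net')"
else
    echo "Refusing to look up a non-IP value: $ip" >&2
fi
```

To use these in the article's script, replace the LOCATION line with a call to location_string "$CITY" "$REGION" "$COUNTRY", guard the wget lookup with is_ip_literal "$IP", and pass each value through json_escape before it goes into the --post-data string. Keep in mind that a hook in ~/.bashrc only covers bash sessions of that one account and can be edited by that account, so it is a convenience for the admin's own logins rather than a tamper-resistant audit trail.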

Conclusion

IP geolocation is useful for detecting where your users are logging in from. If you see logins from unexpected regions, you should be alert and perform a security audit of your system. Data breaches are a very serious issue these days, so it pays to be extra vigilant with your monitoring.
