Logging SSH logins to Slack

I’m using Slack to alert and log a few things in my environment, and one of the things I use it for is to alert me if someone logs on via SSH to my public facing Jumphost.

For a good walkthrough on how to set up such a host, check out Tunnel all your remote connections through ssh with a linux jumpbox by Luca Dell’Oca.

My Ubuntu 16.04 Jumphost is set up to only accept Key-Based Authentication, to secure it as much as possible, but I would still like to get instant notification if someone logs into it interactively.

How to set up SSH login notification to Slack.

  1. First of all, we need an Incoming WebHook in Slack in order to receive the notifications.
    You configure those from the Apps & Integration menu item. This in turn opens up the Slack App Directory; find Build on the top right and then choose Make a Custom Integration.
  2. Once you are in the Build a Custom Integration section, find (or search for) Incoming WebHooks and select that.
  3. Next up, define which Slack channel should be the integration point, and click on Add Incoming WebHooks integration.
  4. Copy the Webhook URL presented on the next screen.
    Note: keep this one secret; anyone with access to this URL will be able to post to your Slack channel.
  5. On my Ubuntu 16.04 Linux jumphost I’ve created a small bash script called /etc/ssh/notify.sh. This script utilizes curl and the WebHook URL to post information directly to Slack. The script looks like this (notify.sh):
    [cc lang="bash" escaped="true"]
    #!/bin/bash
    # WebHook URL from step 4 and the channel it should post to
    url="<your WebHook URL from step 4>"
    channel="#your-channel"
    host=$(hostname)
    content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"SSH login: $USER connected to \`$host\`\", \"text\": \"SSH login to \`$host\`\", \"fields\": [ { \"title\": \"User\", \"value\": \"$USER\", \"short\": true }, { \"title\": \"IP Address\", \"value\": \"$SSH_CLIENT\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
    curl -s -X POST --data-urlencode "payload={\"channel\": \"$channel\", \"mrkdwn\": true, \"username\": \"ssh-bot\", $content, \"icon_emoji\": \":computer:\"}" "$url"
    # hand the session over to a shell; needed because the script replaces the login shell when run via ForceCommand (step 7)
    /bin/bash
    [/cc]
    Replace the WebHook URL with your own from step 4, set which channel to post to, and you should be ready to go. This script logs the username and the IP address the connection comes from, then posts it to the Slack WebHook with the help of curl.
    Note: I’ve chosen to include the WebHook name etc. in the script itself instead of in the WebHook definition on Slack, mostly because I don’t want to create a WebHook for every host I want logging from. With this setup, I can just change the username part of the curl command. It already logs the hostname, so this is pretty much superfluous, but hey, that’s how I made it.
  6. chmod +x /etc/ssh/notify.sh to make it executable, and test it. If everything works as expected, you should see an immediate log entry in your chosen Slack channel.
  7. In order to run this script every time someone logs into the Jumphost, I added a ForceCommand to the end of my /etc/ssh/sshd_config file, like this:
    [cc lang="bash" escaped="true"]
    ForceCommand /etc/ssh/notify.sh
    [/cc]
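
As an added example (not the post's notify.sh and not Slack's code), here is a variant of the notifier written for the /etc/ssh/sshrc placement that the comments below suggest, so it runs as the logging-in user without replacing their shell. It escapes every value before interpolating it into the JSON payload, keeps only the client IP from SSH_CLIENT, and posts only when a webhook URL is configured. The config file /etc/ssh/notify.conf, the variables SLACK_WEBHOOK_URL and SLACK_CHANNEL, and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the post's notify.sh: SSH login notifier intended for
# /etc/ssh/sshrc (runs as the logging-in user and does not replace their shell).
# Assumptions: the webhook URL and channel live in a separate config file
# (hypothetical path /etc/ssh/notify.conf) that sets SLACK_WEBHOOK_URL and
# SLACK_CHANNEL; all function names below are this example's own.

# Escape a value for use inside a JSON string literal: backslash first, then
# double quote; newlines and tabs are flattened to spaces (the values sshd
# sets, like SSH_CLIENT, never contain them, but login names could be odd).
json_escape() {
    printf '%s' "$1" | tr '\n\t' '  ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# SSH_CLIENT is "client-ip client-port server-port"; keep only the IP.
client_ip() {
    printf '%s' "${1%% *}"
}

# Build the same attachment layout the post uses, with every interpolated
# value escaped. Arguments: user, client IP, host, channel.
build_payload() {
    printf '{"channel":"%s","username":"ssh-bot","icon_emoji":":computer:","mrkdwn":true,"attachments":[{"mrkdwn_in":["text","fallback"],"fallback":"SSH login: %s connected to `%s` from %s","text":"SSH login to `%s`","fields":[{"title":"User","value":"%s","short":true},{"title":"IP Address","value":"%s","short":true}],"color":"#F35A00"}]}' \
        "$(json_escape "$4")" "$(json_escape "$1")" "$(json_escape "$3")" "$(json_escape "$2")" \
        "$(json_escape "$3")" "$(json_escape "$1")" "$(json_escape "$2")"
}

# Post the payload the same way the original script does (form-encoded
# "payload=" field); -f makes curl return non-zero on an HTTP error.
notify() {
    curl -sf -X POST --data-urlencode "payload=$2" "$1"
}

# Only act when invoked by sshd for a real session and a webhook is configured.
if [ -r /etc/ssh/notify.conf ]; then
    . /etc/ssh/notify.conf   # hypothetical: exports SLACK_WEBHOOK_URL and SLACK_CHANNEL
fi
if [ -n "${SLACK_WEBHOOK_URL:-}" ] && [ -n "${SSH_CLIENT:-}" ]; then
    notify "$SLACK_WEBHOOK_URL" \
        "$(build_payload "$USER" "$(client_ip "$SSH_CLIENT")" "$(hostname)" "${SLACK_CHANNEL:-#alerts}")"
fi
```

Two caveats worth keeping in mind with either placement. Because the script runs as the user who just logged in, the webhook URL inside it (or in a file it sources) is readable by every account that can log in, and sshd skips /etc/ssh/sshrc entirely when the user has a ~/.ssh/rc of their own, so treat this as a convenience alert rather than the audit trail; sshd's own auth log, shipped off the host, remains the record. With the ForceCommand approach the script also replaces whatever command the client asked for (scp, sftp, a remote command), so non-interactive use breaks unless the script goes on to run $SSH_ORIGINAL_COMMAND.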

And that’s it. A login via SSH on the Jumphost now looks like this in my Slack channel:


How awesome is that? Of course, this just scratches the surface of what is possible with Slack’s Incoming WebHooks. I’m using a similar approach for logging new devices discovered in phpmyipam, but that’s for another post.


  1. Hi Christian, you did a great job. I want to set up the SSH login notification to Slack, but I was a little bit confused how to do this; now I completely understand how to do it, thanks. Please publish more articles like this.

  2. One thought: a downside of using the ForceCommand is having your script kick off a shell that may or may not match whatever they might have in /etc/passwd.
    You could instead drop that line from /etc/ssh/sshd_config. Then remove /bin/bash from the bottom of your script, and rename it /etc/ssh/sshrc which is run each time someone logs in via ssh.

  3. Looks good, works neat.
    One suggestion – put your script in /etc/ssh/sshrc after you remove /bin/bash from the end of it.
    That’s instead of using the ForceCommand option in /etc/ssh/sshd_config. (the ForceCommand script trick may give someone a different shell from what their user is defined to use, if it’s not bash)
