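The PAM module pam_exec runs an external command.
- PAM items are exported as environment variables: *PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and PAM_TYPE*, where PAM_TYPE contains one of the module types: account, auth, password, open_session and close_session
Goal: monitor which users log in to the ECS server and from which IP; when a login occurs, send a notification to DingTalk.
Create a DingTalk group, add a custom robot to it, and set the robot's keyword to SSH登录 (an IP whitelist can also be configured)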
https://oapi.dingtalk.com/robot/send?access_token=xxxxxxxx
Write the script that sends the DingTalk message when an SSH login occurs
- Variant 1: /opt/ssh-login-notify/ssh-login-notify.sh

  ```bash
  #!/bin/bash
  # Webhook URL of the DingTalk custom robot
  DingDing_WebHook_URL="https://oapi.dingtalk.com/robot/send?access_token=******"

  # pam_exec sets PAM_TYPE; notify only when a session is opened
  if [ "${PAM_TYPE}" = "open_session" ]; then
      curl -s "$DingDing_WebHook_URL" \
          -H 'Content-Type: application/json' \
          -d '{"msgtype": "markdown","markdown": {"title": "SSH登录","text": " '"${PAM_USER}"' 用户登录了服务器: '"$(hostname)"' 来源IP为:'"${PAM_RHOST}"' "},"at": {"isAtAll": true}}'
  fi
  ```

- Variant 2: /opt/ssh-login-notify/ssh-login-notify.sh

  ```bash
  #!/bin/bash
  # Send the arguments as a markdown message to the DingTalk robot
  function sendDingDing() {
      curl -s "$DingDing_WebHook_URL" \
          -H 'Content-Type: application/json' \
          -d '{"msgtype": "markdown","markdown": {"title": "SSH登录","text": "'"$*"'"},"at": {"isAtAll": true}}' > /dev/null 2>&1
  }

  # Webhook URL of the DingTalk custom robot
  DingDing_WebHook_URL="https://oapi.dingtalk.com/robot/send?access_token=******"

  # pam_exec sets PAM_TYPE; notify only when a session is opened
  if [ "${PAM_TYPE}" = "open_session" ]; then
      sendDingDing "${PAM_USER}用户 登录了服务器: $(hostname) 来源IP为:${PAM_RHOST}"
  fi
  ```

- Make the script executable:

  ```bash
  chmod +x /opt/ssh-login-notify/ssh-login-notify.sh
  ```
Edit the sshd PAM file
- /etc/pam.d/sshd

  ```
  session optional pam_exec.so /opt/ssh-login-notify/ssh-login-notify.sh
  ```
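
A hardened variant of the script above, as an added example that is not part of the original post: it JSON-escapes the PAM values before placing them in the request body (PAM_RHOST originates from the remote side), bounds the request time so a slow webhook cannot hold up logins, and reads the webhook URL from a root-only curl config file so the access token stays out of the script and the process list. The path /etc/ssh-login-notify/curl.conf and the function names json_escape and build_payload are assumptions.

```bash
#!/bin/bash
# Added example: hardened ssh-login-notify.sh for pam_exec.
# Assumed file (not from the original post), root-owned, mode 0600:
#   /etc/ssh-login-notify/curl.conf containing the single line
#   url = "https://oapi.dingtalk.com/robot/send?access_token=******"
CURL_CONF=/etc/ssh-login-notify/curl.conf

# Escape a value for use inside a JSON string: drop control characters,
# then escape backslashes and double quotes.
json_escape() {
    printf '%s' "$1" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the DingTalk markdown payload from user, server name and remote host.
# The title carries the robot keyword SSH登录 configured earlier.
build_payload() {
    printf '{"msgtype":"markdown","markdown":{"title":"SSH登录","text":"%s 用户登录了服务器: %s 来源IP为:%s"},"at":{"isAtAll":true}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# pam_exec waits for this script to finish, so bound the request time.
# -K reads the URL (and token) from the config file, not the command line.
if [ "${PAM_TYPE:-}" = "open_session" ] && [ -r "$CURL_CONF" ]; then
    curl -s --max-time 5 -K "$CURL_CONF" \
        -H 'Content-Type: application/json' \
        -d "$(build_payload "${PAM_USER:-}" "$(hostname)" "${PAM_RHOST:-}")" \
        > /dev/null 2>&1 || true
fi
```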
Result