The Tallest Dwarf
OpenWrt login alert
I wanted to receive alert when logged into my OpenWrt router via SSH and this what I did.
Replace Dropbear with OpenSSH-server
OpenWrt uses lightweight Dropbear as SSH server by default but it needs to be compiled with PAM support to add alerts. Instead I'm replacing Dropbear with OpenSSH server.
I followed the official Replacing Dropbear by openssh-server wiki except the following changes.
- Instead of openssh-server, I installed openssh-server-pam package.
- Copied
authorized_keysfrom/etc/dropbearto~/.ssh/. - Made the following changes to
/etc/ssh/sshd_config:PremitRootLogin yes PubkeyAuthentication yes UsePAM yes
Install MQTT client
Installed mosquitto-client-nossl for sending alerts.
Create login-notify
I created the login-notify script in /etc/ssh/ and made it executable.
#!/bin/sh
if [ "$PAM_TYPE" != "close_session" ]; then
message="{\"summary\":\"SSH Login\",\"body\":\"$PAM_USER from $PAM_RHOST on OpenWrt\"}"
mosquitto_pub -h 192.168.1.10 -m "$message" -t house/smartwatch
fi
If you prefer email to MQTT, Then you can use this script instead..
Triggering login-notify on SSH login
Added the following to /etc/pam.d/sshd to trigger the login-notify script during SSH login via Linux Pluggable Authentication Module.
session optional pam_exec.so seteuid /etc/ssh/login-notify
Whitelist login-notify to survive upgrades
I added /etc/ssh/login-notify under System -> Backup / Flash Firmware -> Configuration in LuCI to prevent it being removed during OpenWrt upgrades.
Receiving the MQTT Message
I have setup a smart clock to receive the MQTT message.
Did I add value?
Out of respect for your attention and concern for your privacy I don't have advertisements or any tracking cookie.
Let's have an obligation free discussion on this content or other common interests over email while supporting The Tallest Dwarf to continue writing.
If you cannot make a monetary support, I understand; Please like and share this content in the platform of your choice to defeat their conformist algorithms.