Setting up SSH Alerts to iPhone

This is sort of a follow-up to my SSH screencast series for remote access to your Mac. Maybe you are paranoid like me and want to know when a connection has been made to your Mac, when a wrong user name has been tried, or even when a login fails on a good username. You also want to know this no matter where you are.

I was inspired by the script written by Whitson Gordon, over at Macworld, for automatically turning off your wireless AirPort interface. Note that what I have below has only been tested on my Snow Leopard setup. I leave it up to you if you are on Leopard or even Tiger. BTW, update your system if you are as far back as Tiger. C’mon, join the modern world.

You will need Growl installed, along with growlnotify, and finally a Growl-to-push-notification service like Prowl. You also need the Prowl app on your iPhone or iPad.

Read on for the scripts and how to get it all working.

You will want to make the following script called AlertSSH.sh, place it in /Library/Scripts, and set it to 755 permissions using chmod. You can follow Whitson’s step by step for that, just replacing his script with ours below.

#!/bin/bash
function growl {
    # check if Growl is installed
    if [ -f "/usr/local/bin/growlnotify" ]; then
        /usr/local/bin/growlnotify -n "AlertSSH" -m "$1"
    fi
}
# read only the most recent line of the log
logmsg=$(tail -n 1 /var/log/secure.log)
# each variable is non-empty only if that line matches the pattern
detectAccept=$(echo "$logmsg" | grep "Accepted")
detectFail=$(echo "$logmsg" | grep "Failed to authenticate")
detectInvalid=$(echo "$logmsg" | grep "Invalid user")
# send the whole line as the alert if any pattern matched
if [ ! -z "$detectAccept" ] || [ ! -z "$detectInvalid" ] || [ ! -z "$detectFail" ]
then
    growl "$logmsg"
fi
sleep 1
exit 0

Now you need to make a text file called com.AlertSSH.plist using the following contents.  Again you can follow the exact steps from Whitson’s article (yeah I am pimping it since I borrowed what he did).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.monitor.alertssh</string>
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Scripts/AlertSSH.sh</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/var/log/secure.log</string>
    </array>
</dict>
</plist>

We are telling the system to watch for changes to /var/log/secure.log which is where our SSH events go by default.  When there is a change it fires off our AlertSSH.sh script which parses and looks for the desired events then growls them if there is a match.  You obviously could parse any log or other file and alert on it this way.
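The script above reads only the last line of /var/log/secure.log each time it runs, so when several lines are appended between two runs, only the final one is checked. The following is an added example, not code from the original post: it keeps a count of processed lines in a state file (a hypothetical path you choose) and classifies every new line with the same three patterns. The sample log lines are constructed.

```shell
#!/bin/bash
# Added example (not the post's script). Handles every line appended since the
# previous run, so a burst of events between two launchd triggers is not lost.

# Map a log line to an event name using the three patterns the post greps for.
classify_line() {
    case "$1" in
        *"Accepted"*)               echo "User Login" ;;
        *"Invalid user"*)           echo "Invalid user" ;;
        *"Failed to authenticate"*) echo "Authentication Failure" ;;
        *)                          return 1 ;;
    esac
}

# scan_new_lines LOG STATE: print "event|line" for each unseen matching line.
# STATE is a hypothetical file holding the number of lines already processed.
# The body runs in a subshell, so its variables stay local.
scan_new_lines() (
    log=$1 state=$2 seen=0
    if [ -f "$state" ]; then seen=$(cat "$state"); fi
    total=$(wc -l < "$log" | tr -d ' ')
    # Fewer lines than last time means the log was rotated: start from the top.
    if [ "$total" -lt "$seen" ]; then seen=0; fi
    if [ "$total" -gt "$seen" ]; then
        sed -n "$((seen + 1)),${total}p" "$log" | while IFS= read -r line; do
            if event=$(classify_line "$line"); then
                printf '%s|%s\n' "$event" "$line"
            fi
        done
    fi
    echo "$total" > "$state"
)

# Constructed sample: three sshd-style lines and one unrelated line in one burst.
demo() (
    dir=$(mktemp -d)
    cat > "$dir/secure.log" <<'EOF'
Mar  1 10:00:01 mymac sshd[101]: Invalid user admin from 192.0.2.77
Mar  1 10:00:01 mymac sshd[101]: Failed to authenticate user admin
Mar  1 10:00:02 mymac sshd[102]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar  1 10:00:03 mymac sudo[103]: unrelated entry
EOF
    scan_new_lines "$dir/secure.log" "$dir/state"   # first run: three alerts
    scan_new_lines "$dir/secure.log" "$dir/state"   # second run: nothing new
    rm -rf "$dir"
)
demo
```

Each output line can be split on `|` and handed to growlnotify as one alert per event.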

Now I did restart to get alerts working.  I was too lazy to look up manually restarting the launch agent system.

Make sure to change the default alert for AlertSSH in your Growl preferences to use Prowl. Now when you ssh into your machine or someone else tries and fails you will get alerted right on your iPad or iPhone via Push Notifications.

Here is a screen shot of an invalid user name attempt received on my iPad.  Enjoy!

[Screenshot: SSH Growl push notification showing an invalid user alert]
  • I really appreciate this posting.  I tweaked the script a little to make use of Growl 1.3.2 and the notification history in Lion.  Here’s how mine looks:

    #!/bin/bash
    function growl {
    # check if Growl is installed
    if [ -f "/usr/local/bin/growlnotify" ]; then
    /usr/local/bin/growlnotify -p 1 -d "AlertSSH" -w -n "AlertSSH" -t "$1" -m "$2"
    fi
    }
    logmsg=$(tail -n 1 /var/log/secure.log)
    detectAccept=$(echo $logmsg | grep -i accepted)
    detectFail=$(echo $logmsg | grep -i 'authentication error')
    detectInvalid=$(echo $logmsg | grep -i 'invalid user')
    if [ ! -z "$detectAccept" ]
    then
    growl "User Login" "$logmsg"
    else
    if [ ! -z "$detectInvalid" ]
    then
    growl "Invalid user" "$logmsg"
    else
    if [ ! -z "$detectFail" ]
    then
    growl "Authentication Failure" "$logmsg"
    fi
    fi
    fi
    sleep 1
    exit 0

  • Awesome! Thanks! I still have not updated to the app store copy. So I’ll need this when I do.