login alerts

2026-03-10 04:41:10 +00:00 · 2025-01-07 02:52:19 +03:00 · 2025-01-07 02:52:19 +03:00 · 0e177210f6
commit 0e177210f6
parent 3eb358d618
10 changed files with 85 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -13,8 +13,17 @@ DISCLAIMER: This repository does not have anything to do with the LEGO Group. "l
 * Copy `config.example.json` to `config.json`, edit as necessary
 * Run `alerting/login.py` once to login into Matrix

+### Setting up login alerts
+
+* Copy `lego-login-alert` to your `/etc/sudoers.d`
+* Add this to your `/etc/ssh/sshd_config`:
+```
+# login alerts
+ForceCommand /opt/lego-monitoring/wrappers/login_wrapper.sh
+```
+
 ## Running

 * `prettyprint.py` -- check and print all sensors
 * `service.py` -- launch service
-* `lego-monitoring.service` is a systemd unit that starts `service.py`
+* `assets/lego-monitoring.service` is a systemd unit that starts `service.py`
--- a/alerting/alerts.py
+++ b/alerting/alerts.py
@ -1,13 +1,10 @@
-import json
 from dataclasses import dataclass
 from typing import Optional

-import aiofiles
 import nio

 from alerting.enum import AlertType, Severity
 from misc import cvars
-from misc.common import CONFIG_FILE
 from misc.config import get_config


--- a/alerting/enum.py
+++ b/alerting/enum.py
@ -8,7 +8,7 @@ class AlertType(StrEnum):
    CPU = "CPU"
    TEMP = "TEMP"
    VULN = "VULN"
-    LOGIN = "LOGIN"  # TODO
+    LOGIN = "LOGIN"
    SMART = "SMART"  # TODO
    RAID = "RAID"
    DISKS = "DISKS"
--- a/assets/lego-login-alert
+++ b/assets/lego-login-alert
@ -0,0 +1,2 @@
+Defaults env_keep += "SSH_CLIENT"
+ALL ALL=(ALL:ALL) NOPASSWD: /opt/lego-monitoring/wrappers/send_login_alert.sh
--- a/assets/lego-monitoring.service
+++ b/assets/lego-monitoring.service
--- a/config.example.json
+++ b/config.example.json
@ -22,6 +22,9 @@
                    "severity": "CRITICAL"
                }
            ]
+        },
+        "login": {
+            "hostname": "example.com"
        }
    }
 }
--- a/misc/config.py
+++ b/misc/config.py
@ -38,11 +38,17 @@ class CheckWearoutConfig(NestedDeserializableDataclass):
    disks: list[CheckWearoutDiskConfig]


+@dataclass
+class CheckLoginConfig:
+    hostname: str
+
+
@dataclass
 class ChecksConfig(NestedDeserializableDataclass):
    docker_registry: CheckDockerRegistryConfig
    raid: CheckRaidConfig
    wearout: CheckWearoutConfig
+    login: CheckLoginConfig


@dataclass
--- a/send_login_alert.py
+++ b/send_login_alert.py
@ -0,0 +1,47 @@
+import asyncio
+import os
+import socket
+import sys
+
+from alerting import alerts
+from alerting.enum import AlertType, Severity
+from misc.config import get_config
+
+
+async def main():
+    check_config = get_config().checks.login
+
+    try:
+        from_where = os.environ["SSH_CLIENT"].split()[0]
+    except:
+        from_where = os.ttyname(sys.stdout.fileno())
+        is_local = True
+    else:
+        is_local = False
+
+    try:
+        actual_user = os.environ["SUDO_USER"]
+    except Exception as exc:
+        await alerts.send_alert(
+            alerts.Alert(
+                alert_type=AlertType.ERROR,
+                message=f"Failed to determine username for login from {from_where}, see logs",
+                severity=Severity.CRITICAL,
+            )
+        )
+        return
+
+    if not is_local:
+        rdns_result = socket.getnameinfo((from_where, 0), 0)[0]
+        message = f"Login from {from_where} as {actual_user} on `{check_config.hostname}`"
+        html_message = f"Login from <code>{from_where}</code> ({rdns_result}) as {actual_user} on <code>{check_config.hostname}</code>"
+    else:
+        message = f"Login from {from_where} as {actual_user} on {check_config.hostname}"
+        html_message = f"Login from {from_where} as {actual_user} on <code>{check_config.hostname}</code>"
+
+    alert = alerts.Alert(alert_type=AlertType.LOGIN, message=message, severity=Severity.INFO, html_message=html_message)
+    await alerts.send_alert(alert)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())
--- a/wrappers/login_wrapper.sh
+++ b/wrappers/login_wrapper.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+
+mydir=$(dirname "$0")
+sudo "$mydir/send_login_alert.sh"
+
+shell=$(getent passwd $LOGNAME | cut -d: -f7)
+if [[ -n $SSH_ORIGINAL_COMMAND ]] # command given, so run it
+then
+    exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
+else # no command, so interactive login shell
+    exec "$shell" -il
+fi
--- a/wrappers/send_login_alert.sh
+++ b/wrappers/send_login_alert.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+
+mydir=$(dirname "$0")
+"$mydir/../.venv/bin/python" "$mydir/../send_login_alert.py"