Instant SSH Login Alerts on Ubuntu
If you manage one or more Ubuntu servers, you probably use SSH every day. It is the standard way to access Linux systems remotely, but it also represents one of the most common attack vectors exposed to the Internet.
I wanted a simple way to know exactly when someone connected to one of my servers. I also wanted to receive an alert when someone repeatedly failed to authenticate or started a brute-force attack.

Instead of installing a large monitoring platform or additional security software, I built a lightweight Bash script that watches the SSH authentication log in real time and sends Telegram notifications whenever an important event occurs.
In this article, I’ll show you how it works and why I added it to every Ubuntu server I manage.
Why I Needed SSH Login Alerts
Ubuntu records every SSH authentication event in /var/log/auth.log, which is great for troubleshooting and auditing.
The problem is that log files are passive. They only become useful after you open them.
If someone successfully logs in at 2 AM, I won’t know until I manually inspect the logs. The same applies to repeated failed login attempts or automated brute-force attacks.
I wanted immediate visibility into SSH activity without constantly checking log files.
My goals were simple:
- Receive an instant notification after every successful SSH login.
- Detect repeated failed authentication attempts.
- Identify brute-force attacks before they become a larger problem.
- Keep the solution lightweight and easy to deploy.
Prerequisites
Before creating the monitoring script, I already had a reusable telegram_notify function that sends messages directly to my Telegram channel.
Calling it is straightforward:
telegram_notify "Message"
I use the same function in several automation scripts, including:
- Backup notifications
- Disk usage alerts
- Internet connectivity monitoring
- Raspberry Pi health checks
- Server automation tasks
Reusing this function made the SSH alert script extremely simple.
How the Script Works
The script continuously watches Ubuntu’s authentication log:
/var/log/auth.log
using:
tail -Fn0 /var/log/auth.log
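The -F option follows the file by name and reopens it after log rotation, so the script continues running without any manual intervention. The -n0 option starts at the end of the file, so only entries written after the script starts are processed.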
Every new log entry gets processed immediately.
Detecting Successful SSH Logins
The first task is detecting successful SSH authentication.
The script recognizes both supported authentication methods:
- Password authentication
- Public key authentication
Whenever it finds a successful login, it extracts:
- Username
- Source IP address
- Server hostname
- Login time
It then sends an instant Telegram notification.
Example:
SSH LOGIN DETECTED
Host: web01
User: root
IP: x.x.x.x
Time: Tue Jul 1 18:42:16 UTC 2026
With this information, I always know who connected, where they connected from, and when the login happened.
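The following is an added example, not the script from this article: one way to pick the username and source IP out of an auth.log line in plain POSIX shell. It also recognizes the "Failed password" lines used in the next section. The function name classify_ssh_line and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the article's script): classify one auth.log line.
# Prints "login <user> <ip>", "fail <ip>", or nothing for unrelated lines.
classify_ssh_line() {
    line=$1
    case $line in
        *' sshd['*']: '*) ;;               # only lines written by sshd
        *) return 0 ;;
    esac
    msg=${line#*sshd\[*\]: }               # drop the syslog header
    case $msg in
        'Accepted password for '*|'Accepted publickey for '*)
            kind=login; rest=${msg#Accepted * for } ;;
        'Failed password for '*)
            kind=fail; rest=${msg#Failed password for } ;;
        *) return 0 ;;
    esac
    # The user name is client-supplied text, so anchor on the LAST " from ".
    after=${rest##* from }
    ip=${after%% *}
    user=${rest% from *}
    case $ip in
        ''|*[!0-9A-Fa-f.:]*) return 0 ;;   # not an IPv4/IPv6 literal: ignore
    esac
    if [ "$kind" = login ]; then echo "login $user $ip"; else echo "fail $ip"; fi
}

# Constructed sample lines (documentation IP ranges), not real log data.
while IFS= read -r l; do classify_ssh_line "$l"; done <<'EOF'
Jul  1 18:42:16 web01 sshd[1234]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:constructed
Jul  1 18:43:02 web01 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jul  1 18:43:05 web01 CRON[1250]: pam_unix(cron:session): session opened for user root
EOF
```

In a live monitor the same function would be fed from the tail -Fn0 pipeline instead of the here-document.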
Detecting Failed SSH Login Attempts
Not every failed login indicates an attack.
Users occasionally mistype their passwords or use the wrong SSH key.
However, multiple failed attempts from the same IP address within a short period usually deserve attention.
The script stores timestamps for every failed login and keeps only entries that fall inside a configurable time window.
By default, it uses:
- Time window: 5 minutes
- Warning threshold: 2 failed attempts
Once the threshold is reached, the script sends a warning notification.
Example:
⚠️ SSH FAILED LOGIN ATTEMPTS
Host: web01
IP: x.x.x.x
Failed attempts: 2
Time window: 300s
This gives me an early warning before an attack escalates.
Detecting SSH Brute-Force Attacks
The script also detects brute-force attacks.
If the same IP address reaches ten failed login attempts within five minutes, the script sends a high-priority Telegram alert.
Example:
SSH BRUTE-FORCE DETECTED
Host: web01
IP: x.x.x.x
Failed attempts: 10
Time window: 300s
Receiving this notification immediately allows me to investigate the source IP, update firewall rules, or block malicious traffic if necessary.
Preventing Duplicate Notifications
A monitoring script should provide useful information without flooding your notification channel.
To avoid duplicate messages, the script stores temporary state files inside:
/tmp/ssh_notify
These files keep track of:
- Successful login notifications that have already been sent
- Warning notifications for failed login attempts
- Brute-force alerts for specific IP addresses
As a result, the script reports each event only once while the condition remains active.
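The following is an added example, not the script from this article: a per-IP sliding window with the thresholds described above (2 and 10 failures in 300 seconds) and marker files that let each alert level fire once while the condition lasts. The function name record_failure and the file layout are assumptions. The state directory comes from mktemp -d rather than a fixed path under /tmp, so another local user cannot create it first.

```sh
#!/bin/sh
# Added example (not the article's script): failed-login window with
# once-only alerts. Thresholds are the defaults quoted in the article.
WINDOW=300      # seconds
WARN_AT=2       # failed attempts that trigger a warning
BRUTE_AT=10     # failed attempts that trigger a brute-force alert
STATE_DIR=$(mktemp -d) || exit 1    # assumption: private, unpredictable dir
trap 'rm -rf "$STATE_DIR"' EXIT

# record_failure <ip> <epoch-seconds>  -> prints "warn", "brute" or nothing
record_failure() {
    ip=$1; now=$2
    key=$(printf '%s' "$ip" | tr -c '0-9A-Fa-f.' '_')   # safe file name
    f=$STATE_DIR/$key.times
    # Keep only timestamps still inside the window, then add this one.
    { [ -f "$f" ] && awk -v now="$now" -v w="$WINDOW" 'now - $1 < w' "$f"
      echo "$now"; } > "$f.new"
    mv "$f.new" "$f"
    count=$(wc -l < "$f" | tr -d ' ')
    if [ "$count" -lt "$WARN_AT" ]; then
        # Condition cleared: remove the markers so a later burst alerts again.
        rm -f "$STATE_DIR/$key.warn" "$STATE_DIR/$key.brute"
        return 0
    fi
    if [ "$count" -ge "$BRUTE_AT" ] && [ ! -e "$STATE_DIR/$key.brute" ]; then
        : > "$STATE_DIR/$key.brute"; : > "$STATE_DIR/$key.warn"; echo brute
    elif [ ! -e "$STATE_DIR/$key.warn" ]; then
        : > "$STATE_DIR/$key.warn"; echo warn
    fi
}

# Constructed demo: ten failures from one documentation address, 10 s apart.
t=0
while [ "$t" -lt 100 ]; do
    level=$(record_failure 198.51.100.7 "$t")
    [ -n "$level" ] && echo "t=${t}s -> $level alert"
    t=$((t + 10))
done
```

In a live monitor the second argument would be the output of date +%s, and the printed level would select which telegram_notify message to send.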
Preventing Multiple Script Instances
Running multiple copies of the script would generate duplicate notifications.
To prevent this, I use a simple file lock with flock:
exec 200>/opt/scripts/ssh-auth-notify.lock
flock -n 200 || exit 1
If another instance is already running, the new process exits immediately.
Why I Like This Approach
I like this solution because it stays simple while solving a real problem.
The script:
- Runs continuously with minimal CPU and memory usage.
- Survives log rotation automatically.
- Doesn’t require additional monitoring software.
- Doesn’t depend on external agents.
- Sends instant Telegram notifications.
- Detects successful SSH logins.
- Detects repeated failed authentication attempts.
- Detects brute-force attacks.
- Takes only a few minutes to deploy on a new Ubuntu server.
Conclusion
This small Bash script gives me immediate visibility into SSH activity across all of my Ubuntu servers.
Instead of discovering login events hours or days later, I receive Telegram notifications as soon as they happen. I can quickly verify legitimate logins, investigate suspicious authentication attempts, and respond to brute-force attacks before they become a larger security issue.
If you already use Telegram for server notifications, adding SSH login alerts makes perfect sense. The solution requires only a few lines of Bash, uses native Ubuntu log files, consumes almost no system resources, and significantly improves the security visibility of your Linux servers.










