• Contact
  • About Me
  • Privacy Policy
  • Disclaimer
DefenceDev
  • Home
  • Blog
  • Linux Tutorials
    • Bash Scripting Lessons
    • Commands
    • Networking
    • Bash Scripts
  • Solutions
    • Docker
  • Network Tutorials
    • FortiGate
    • MikroTik
  • Projects
    • AdGuard
    • Immich
    • Nextcloud
    • WordPress
  • Cloud
  • Video Tutorials
    • YouTube Channel
    • MikroTik Videos
  • Web Tools
No Result
View All Result
  • Home
  • Blog
  • Linux Tutorials
    • Bash Scripting Lessons
    • Commands
    • Networking
    • Bash Scripts
  • Solutions
    • Docker
  • Network Tutorials
    • FortiGate
    • MikroTik
  • Projects
    • AdGuard
    • Immich
    • Nextcloud
    • WordPress
  • Cloud
  • Video Tutorials
    • YouTube Channel
    • MikroTik Videos
  • Web Tools
No Result
View All Result
DefenceDev
No Result
View All Result
Home Linux Tutorials

Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

by neo
July 1, 2026
in Linux Tutorials
0
Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

0
SHARES
2
VIEWS
Share on FacebookShare on LinkedIn
Table of Contents
  • Instant SSH Login Alerts on Ubuntu
    • Why I Needed SSH Login Alerts
    • Prerequisites
    • How the Script Works
  • Preventing Multiple Script Instances
  • Why I Like This Approach
  • Conclusion

Instant SSH Login Alerts on Ubuntu

If you manage one or more Ubuntu servers, you probably use SSH every day. It is the standard way to access Linux systems remotely, but it also represents one of the most common attack vectors exposed to the Internet.

I wanted a simple way to know exactly when someone connected to one of my servers. I also wanted to receive an alert when someone repeatedly failed to authenticate or started a brute-force attack.

Example of a Telegram Notification
Example of a Telegram Notification

Instead of installing a large monitoring platform or additional security software, I built a lightweight Bash script that watches the SSH authentication log in real time and sends Telegram notifications whenever an important event occurs.

In this article, I’ll show you how it works and why I added it to every Ubuntu server I manage.

Why I Needed SSH Login Alerts

Ubuntu records every SSH authentication event in /var/log/auth.log, which is great for troubleshooting and auditing.

The problem is that log files are passive. They only become useful after you open them.

If someone successfully logs in at 2 AM, I won’t know until I manually inspect the logs. The same applies to repeated failed login attempts or automated brute-force attacks.

I wanted immediate visibility into SSH activity without constantly checking log files.

My goals were simple:

  • Receive an instant notification after every successful SSH login.
  • Detect repeated failed authentication attempts.
  • Identify brute-force attacks before they become a larger problem.
  • Keep the solution lightweight and easy to deploy.

Prerequisites

Before creating the monitoring script, I already had a reusable telegram_notify function that sends messages directly to my Telegram channel.

Calling it is straightforward:

telegram_notify "Message"

I use the same function in several automation scripts, including:

  • Backup notifications
  • Disk usage alerts
  • Internet connectivity monitoring
  • Raspberry Pi health checks
  • Server automation tasks

Reusing this function made the SSH alert script extremely simple.

How the Script Works

The script continuously watches Ubuntu’s authentication log:

/var/log/auth.log

using:

tail -Fn0 /var/log/auth.log

The -F option automatically follows the file after log rotation, so the script continues running without any manual intervention.

Every new log entry gets processed immediately.

Detecting Successful SSH Logins

The first task is detecting successful SSH authentication.

The script recognizes both supported authentication methods:

  • Password authentication
  • Public key authentication

Whenever it finds a successful login, it extracts:

  • Username
  • Source IP address
  • Server hostname
  • Login time

It then sends an instant Telegram notification.

Example:

???? SSH LOGIN DETECTED

Host: web01
User: root
IP: x.x.x.x
Time: Tue Jul 1 18:42:16 UTC 2026

With this information, I always know who connected, where they connected from, and when the login happened.

Detecting Failed SSH Login Attempts

Not every failed login indicates an attack.

Users occasionally mistype their passwords or use the wrong SSH key.

However, multiple failed attempts from the same IP address within a short period usually deserve attention.

The script stores timestamps for every failed login and keeps only entries that fall inside a configurable time window.

By default, it uses:

  • Time window: 5 minutes
  • Warning threshold: 2 failed attempts

Once the threshold is reached, the script sends a warning notification.

Example:

⚠️ SSH FAILED LOGIN ATTEMPTS

Host: web01
IP: x.x.x.x
Failed attempts: 2
Time window: 300s

This gives me an early warning before an attack escalates.

Detecting SSH Brute-Force Attacks

The script also detects brute-force attacks.

If the same IP address reaches ten failed login attempts within five minutes, the script sends a high-priority Telegram alert.

Example:

???? SSH BRUTE-FORCE DETECTED

Host: web01
IP: x.x.x.x
Failed attempts: 10
Time window: 300s

Receiving this notification immediately allows me to investigate the source IP, update firewall rules, or block malicious traffic if necessary.

Preventing Duplicate Notifications

A monitoring script should provide useful information without flooding your notification channel.

To avoid duplicate messages, the script stores temporary state files inside:

/tmp/ssh_notify

These files keep track of:

  • Successful login notifications that have already been sent
  • Warning notifications for failed login attempts
  • Brute-force alerts for specific IP addresses

As a result, the script reports each event only once while the condition remains active.

Preventing Multiple Script Instances

Running multiple copies of the script would generate duplicate notifications.

To prevent this, I use a simple file lock with flock:

exec 200>/opt/scripts/ssh-auth-notify.lock
flock -n 200 || exit 1

If another instance already runs, the new process exits immediately.

Why I Like This Approach

I like this solution because it stays simple while solving a real problem.

The script:

  • Runs continuously with minimal CPU and memory usage.
  • Survives log rotation automatically.
  • Doesn’t require additional monitoring software.
  • Doesn’t depend on external agents.
  • Sends instant Telegram notifications.
  • Detects successful SSH logins.
  • Detects repeated failed authentication attempts.
  • Detects brute-force attacks.
  • Takes only a few minutes to deploy on a new Ubuntu server.

Conclusion

This small Bash script gives me immediate visibility into SSH activity across all of my Ubuntu servers.

Instead of discovering login events hours or days later, I receive Telegram notifications as soon as they happen. I can quickly verify legitimate logins, investigate suspicious authentication attempts, and respond to brute-force attacks before they become a larger security issue.

If you already use Telegram for server notifications, adding SSH login alerts makes perfect sense. The solution requires only a few lines of Bash, uses native Ubuntu log files, consumes almost no system resources, and significantly improves the security visibility of your Linux servers.

Tags: linux
Previous Post

Terminal Colors in Bash: How and When to Use Them

neo

Related Posts

Terminal Colors in Bash: How and When to Use Them
Linux Tutorials

Terminal Colors in Bash: How and When to Use Them

10+ Useful Linux find Command Examples You Should Know
Commands

10+ Useful Linux find Command Examples You Should Know

Server Reboot with Ansible
Linux Tutorials

Automating Linux Server Reboot with Ansible

GitHub: How to Add a Script or a Folder to Your Repository
Linux Tutorials

GitHub: How to Add a Script or a Folder to Your Repository

My Ultimate Linux/Ubuntu Commands Cheat Sheet (2025)
Linux Tutorials

My Ultimate Linux/Ubuntu Commands Cheat Sheet (2025)

Linux Networking: Display Open Ports and Listening Services
Networking

Linux Networking: Display Open Ports and Listening Services

Leave a Reply

Your email address will not be published. Required fields are marked *

Are you human? Please solve:Captcha


Recommended

Linux Performance Monitoring with Monit Application

Linux Performance Monitoring with Monit Application

Fortinet FortiGate Firmware Upgrade

Fortinet FortiGate Firmware Upgrade

Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

Terminal Colors in Bash: How and When to Use Them

Terminal Colors in Bash: How and When to Use Them

Solution: Ubuntu Internet Connection Monitoring Script (Create a Log File, Possible to Send per Email)

Ubuntu Internet Connection Monitoring Script: Log Creation and Email Alerts

Categories

  • Blog
  • Cloud
    • Private
  • Linux Tutorials
    • Bash Scripting Tutorials
    • Commands
    • Networking
  • Network Tutorials
    • FortiGate
    • MikroTik
  • Projects
    • AdGuard
    • Immich
    • Nextcloud
    • WordPress
  • Solutions
    • Docker
  • Video Tutorials
    • MikroTik Videos
  • Web Tools

DefenceDev Tutorials

defencedev Logo

Whether you’re just starting or looking to expand your skills, I hope you find useful information and engaging discussions here. Let me take you through my journey and the goals behind this space!

Follow Us

Recent News

Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

Get Instant SSH Login Alerts on Ubuntu with Bash and Telegram

Terminal Colors in Bash: How and When to Use Them

Terminal Colors in Bash: How and When to Use Them

  • Site Map
  • Privacy Policy
  • Facebook Page
  • GitHub
  • Disclaimer
  • Contact
  • About Me

© 2025 defencedev.com - All rights reserved.

No Result
View All Result
  • Home
  • Blog
  • Linux Tutorials
    • Bash Scripting Lessons
    • Commands
    • Networking
    • Bash Scripts
  • Solutions
    • Docker
  • Network Tutorials
    • FortiGate
    • MikroTik
  • Projects
    • AdGuard
    • Immich
    • Nextcloud
    • WordPress
  • Cloud
  • Video Tutorials
    • YouTube Channel
    • MikroTik Videos
  • Web Tools

© 2025 defencedev.com - All rights reserved.