intro-gotify-notification.png

Gotify as notification service

Intro:

You want to sleep calmly through the night? 😴 For security reasons I wan’t to get notified if something happens on my servers. My way to go is to use gotify instead of using for example the default email/sendmail way. Gotify is a simple, open source, MIT-licensed, docker deployable, push-messaging implementation in golang. It is lightweight, fast, and intuitive. Another great thing is the android app. Also it is free and open source. So you can receive instant gotify messages on android devices as well as on every notebook or desktop computer with a browser like firefox installed on.

Installation

We need a gotify server to use the services.

For the server installation take a quick look at the Installation Guide from the officall site. It is very easy to setup up a gotify server.

I’m using the docker-compose installation method by portrainer. You could also use rancher with an kubernetes cluster.

my docker-compose.yml looks like:

version: "3"

services:
  gotify:
    image: gotify/server
    ports:
      - 8080:80
    environment:
      - GOTIFY_DEFAULTUSER_PASS=SECRET # YOU SHOULD CHANGE THIS
	  - TZ="Europe/Berlin"
    volumes:
      - "./gotify_data:/app/data"

Use docker-compose up -d to start the docker instance.

Alternatively you could use the binary to run the gotify server without docker. Just check out their website.

configuration

In my docker-compose.yml environment variables I have defined the administrator password as SECRET. So the initial login will work with admin:SECRET. Onced login the administrator password should be changed!

When you first login in and change the password you could also create another user MENU –> USERS. It is best practice to not use the admin account or a user with admin privilages.

The next step is to add apps you wan’t to connect with gotify. I’m using a different api-key and api-token for every app. In my example I wan’t to show you an SSH login notification. So I called the app sshnotify.

The simplest way to push messages with gotify under linux is:

$ curl "https://push.example.de/message?token=<apptoken>" -F "title=my title" -F "message=my message" -F "priority=5"
$ http -f POST "https://push.example.de/message?token=<apptoken>" title="my title" message="my message" priority="5"

so you only have to add your apptoken to the URL and change the selfexplaining parameters to your use.

Here is the script for the ssh-login-notification. I got it from: peekread.info check also out his awesome blog!

#!/bin/bash

exec &> /dev/null #Hide output

Gotify_URL='https://gotify.stecher.space'
Gotify_Token='AQ_TZBdcy-U13FG'

notify()
{

        now=$(date -d "-60 seconds" +%s) #Get current time minus 60 seconds
        end=$((SECONDS+30)) #Set 30s Timeout for loop

        while [ $SECONDS -lt $end ]; do

                SSHdate=$(date -d "$(who |grep pts|tail -1 | awk '{print $3, $4}')" +%s) #Check for the latest SSH session

                if [ $SSHdate -ge $now ]; then #Once who is updated continue with sending Notification

                        title="SSH Login for $(/bin/hostname -f)"
                        message="$(/usr/bin/who | tr -s ' ')"

                        /usr/bin/curl -X POST -s \
                                -F "title=${title}" \
                                -F "message=${message}" \
                                -F "priority=5" \
                                "${Gotify_URL}/message?token=${Gotify_Token}"

                        break
                fi
        done

}

notify & #Run in background to prevent holding up the login process

Next step is to set executive privileges chmod +x /usr/local/bin/sshnotif

And lastly edit the following file

user@hostname:~$ vi /etc/pam.d/sshd
session optional pam_exec.so /usr/local/bin/sshnotif

optional because if the script fail you still want to get logged in.

conclusion

I really love how easy gotify could be used to get push-notifications. The possibilties are endless. My next plans are to send automated notifications for:

All this checks could run via cronjob and are fastly and easy written. Even if gotify apptoken gets leaked it cannot be abused to distribute spam and viruses like an email service.

tags: security monitoring linux android