SSH login alerts to your phone.

Why monitor SSH logins

An unexpected SSH login is one of the first signs of a compromised server. Most admins find out from logs hours later. Nerve sends an encrypted push to your phone the moment a session starts — username, IP, and hostname included.

Method 1: profile.d hook (simplest)

Create a script in /etc/profile.d/ that runs on every interactive login.

# /etc/profile.d/nerve-ssh-alert.sh
if [ -n "$SSH_CLIENT" ]; then
  IP=$(echo "$SSH_CLIENT" | awk '{print $1}')
  echo "SSH login: $USER@$(hostname) from $IP" \
    | NERVE_DSN="nerve://TOKEN:[email protected]" nerve send &
fi

Method 2: PAM session hook

For non-interactive sessions or stricter control, use a PAM hook.

# /etc/pam.d/sshd — add at the end:
session optional pam_exec.so /usr/local/bin/nerve-ssh-notify.sh

# /usr/local/bin/nerve-ssh-notify.sh
#!/bin/bash
if [ "$PAM_TYPE" = "open_session" ]; then
  echo "SSH login: $PAM_USER@$(hostname) from $PAM_RHOST" \
    | NERVE_DSN="nerve://TOKEN:[email protected]" nerve send
fi

Method 3: watch auth log

Tail the auth log and alert on accepted connections. Works on systems where you cannot modify PAM.

tail -F /var/log/auth.log \
  | grep --line-buffered "Accepted" \
  | while read -r line; do echo "$line" | nerve send; done

Alert on failed login attempts

tail -F /var/log/auth.log \
  | grep --line-buffered "Failed password" \
  | while read -r line; do echo "FAILED: $line" | nerve send --severity critical; done

Quick start

go install github.com/nerve-ink/nerve-cli/cmd/nerve@latest
export NERVE_DSN="nerve://TOKEN:[email protected]"
echo "SSH login: root@prod-1 from 203.0.113.42" | nerve send

FAQ