I think going off the auth log is better, or just logs in general. Build one script that matches regex patterns and sends alerts and you can monitor for a lot more than just logins.
This script is so nice because it's so simple: it follows the journalctl output of sshd.service and then sends a push notification to me through Gotify's CLI when journalctl's output matches what I set $grep_regex_pattern to (I just need to remember to set up gotify when I set up my server). The best part is that it's so easy to modify this script for ANY systemd service that is using journalctl.
I alert on all successful and failed attempts, because in my home lab, I should be the only one logging in -- so I don't really get notifications unless I'm working on something. It's helped me a few times when I've accidentally left port 22 exposed to the world on some VPSes -- reminding me to add firewall rules to reduce access.
EDIT: clarified that sshd-monitor sends alerts when matching regex pattern
https://github.com/heywoodlh/nixos-configs/blob/d5b0ffbcc4cb...
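An added example of the approach the comment above describes (follow a unit's journal, match a regex, push an alert); it is not the commenter's script or code from the linked repository. The function names, the `NOTIFY` override, the value given to `grep_regex_pattern`, and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: regex-driven sshd alerting. All names here are hypothetical.
unit="${UNIT:-sshd.service}"
# Match successful and failed authentication lines alike.
grep_regex_pattern='(Accepted|Failed) (password|publickey|keyboard-interactive/pam) for '

# notify TITLE MESSAGE: push through Gotify's CLI. Log text is attacker-influenced
# (usernames), so it is only ever passed as one quoted argument, never eval'd.
notify() {
    if [ -n "${NOTIFY:-}" ]; then
        "$NOTIFY" "$1" "$2"          # offline/test hook
    else
        gotify push -t "$1" "$2"
    fi
}

# summarize LINE: print "result user source-ip", or return 1 if the line does not parse.
summarize() {
    printf '%s\n' "$1" | sed -nE \
      's/.*(Accepted|Failed) [^ ]+ for (invalid user )?([^ ]+) from ([^ ]+) port [0-9]+.*/\1 \3 \4/p' | grep .
}

# monitor: read log lines on stdin and alert on every line matching the pattern.
monitor() {
    while IFS= read -r line; do
        printf '%s\n' "$line" | grep -Eq "$grep_regex_pattern" || continue
        # Fall back to the raw line so a matching event is never silently dropped.
        msg=$(summarize "$line") || msg="unparsed: $line"
        notify "sshd on $(uname -n)" "$msg"
    done
}

print_alert() { printf '[%s] %s\n' "$1" "$2"; }

# Constructed sample sshd messages (documentation address ranges).
sample_lines() {
cat <<'EOF'
Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Failed password for invalid user admin from 203.0.113.7 port 41812 ssh2
Connection closed by 203.0.113.7 port 41812 [preauth]
Failed password for invalid user a b from 203.0.113.7 port 41813 ssh2
EOF
}

case "${1:-}" in
    --follow) journalctl -f -n 0 -o cat -u "$unit" | monitor ;;   # live mode
    *)        sample_lines | NOTIFY=print_alert monitor ;;         # offline demo
esac
```

Run with `--follow` to watch the live journal; changing `UNIT` and `grep_regex_pattern` points the same loop at any other systemd service.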