This Docker container monitors /var/log/auth.log for suspicious logins and, when a successful login is detected, can either create a Zammad ticket or send an NTFY notification.

An NTFY notification might look like this:

> SSH Login on `hostname` for user `root` from 8.8.8.8
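As an added illustration of what sits between the log line and the notification (example code written for this README, not the container's own implementation), the snippet below parses sshd's `Accepted ...` lines in the traditional rsyslog format that Debian writes to /var/log/auth.log, drops logins from the addresses listed in ALLOWED_IPS (exact match only, as the configuration notes), formats the message shown above and builds the NTFY POST to `${NTFY_URL}/${NTFY_TOPIC}` without sending it. The sample log lines, the topic `ssh-logins` and the token value are constructed placeholders; the Zammad ticket path is not covered.

```python
"""Detect successful SSH logins in auth.log and build the NTFY request.

Added example, not the container's own code. Assumes the traditional rsyslog
line format, e.g.
  Dec 10 12:34:56 host sshd[1234]: Accepted publickey for root from 8.8.8.8 port 51234 ssh2: ...
Only 'Accepted' lines count as successful logins; 'Failed password' and
'Invalid user' lines are ignored."""
import os
import re
import urllib.request

ACCEPTED_RE = re.compile(
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)


def parse_allowed_ips(value):
    """ALLOWED_IPS is a comma-separated list of exact addresses (no ranges/wildcards)."""
    return {ip.strip() for ip in value.split(",") if ip.strip()}


def parse_accepted(line):
    """Return a login event dict for an 'Accepted' line, or None for anything else."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def login_events(lines, allowed_ips):
    """Yield events for successful logins whose source IP is not allow-listed."""
    for line in lines:
        event = parse_accepted(line)
        if event and event["ip"] not in allowed_ips:
            yield event


def format_message(event):
    """Same wording as the notification shown in the README."""
    return "SSH Login on `{host}` for user `{user}` from {ip}".format(**event)


def build_ntfy_request(event, ntfy_url, topic, token):
    """Build (but do not send) the POST to ${NTFY_URL}/${NTFY_TOPIC}."""
    req = urllib.request.Request(
        f"{ntfy_url.rstrip('/')}/{topic}",
        data=format_message(event).encode(),
        method="POST",
    )
    req.add_header("Title", "SSH login")
    if token:
        req.add_header("Authorization", token)  # NTFY_TOKEN already contains 'Bearer ...'
    return req


# Constructed sample lines, not real log data.
SAMPLE_LINES = [
    "Dec 10 12:34:56 webhost sshd[1234]: Accepted publickey for root from 8.8.8.8 port 51234 ssh2: ED25519 SHA256:abc",
    "Dec 10 12:35:01 webhost sshd[1240]: Failed password for invalid user admin from 5.6.7.8 port 40000 ssh2",
    "Dec 10 12:36:10 webhost sshd[1250]: Accepted password for deploy from 1.2.3.4 port 40001 ssh2",
]

if __name__ == "__main__":
    allowed = parse_allowed_ips(os.environ.get("ALLOWED_IPS", "1.2.3.4,2.3.4.5"))
    for ev in login_events(SAMPLE_LINES, allowed):
        req = build_ntfy_request(ev, "https://your-ntfy-server.com", "ssh-logins", "Bearer tk_example")
        print(req.full_url, "->", format_message(ev))
```

With the default allowlist from the configuration, only the root login from 8.8.8.8 produces a notification; the failed attempt and the login from the allow-listed 1.2.3.4 are dropped.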
Debian 12/13 does not write sshd logs to /var/log/auth.log by default:

- Install rsyslog: `apt install rsyslog`
- Update `/etc/ssh/sshd_config`: `SyslogFacility AUTH` and `LogLevel INFO`
- Restart sshd: `service ssh restart`
Configuration (environment variables):

```sh
# Comma-separated list of IP addresses
# Ranges or wildcards are currently not supported
# Logins from these IP addresses are ignored and do not trigger a notification
ALLOWED_IPS='1.2.3.4,2.3.4.5'

ZAMMAD_ENABLE='true'
ZAMMAD_URL='https://your-zammad-instance.com'
# Token with 'ticket.agent' scope
ZAMMAD_TOKEN=''
# Group in Zammad (default: "Support")
ZAMMAD_GROUP='Support'

NTFY_ENABLE='true'
# Requests are sent to ${NTFY_URL}/${NTFY_TOPIC}
NTFY_URL='https://your-ntfy-server.com'
NTFY_TOPIC=''
NTFY_TOKEN='Bearer auth token...'
```

Build and start the container:

```sh
docker compose up -d --build
```
```sh
# TODO: docker compose watch support
docker compose logs -f
```

When /var/log/auth.log is mounted into the container as a single read-only bind mount, the container keeps showing outdated entries while the host already has current logs. The cause is host-side log rotation: logrotate renames the file (e.g. to auth.log.1) and creates a new, empty auth.log, but the bind mount is tied to the original inode, so the container keeps reading the rotated-away file.

Therefore you should always mount the complete directory /var/log instead. With the directory mounted, the path lookup for auth.log happens inside the mounted directory, so the container sees the newly created file after every rotation.
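The same inode problem affects any reader that keeps a file handle open across a rotation, not only the bind mount. The following added example (not part of the container) shows a log follower that re-opens the path whenever the inode behind it changes or the file shrinks, and a small simulation that reproduces the logrotate rename in a temporary directory with constructed data.

```python
"""Follow /var/log/auth.log across logrotate renames.

Added example, not the container's own code. A bind mount of a single file
(like an open file handle) is bound to the inode that existed when it was
created; logrotate renames that inode to auth.log.1 and creates a fresh
auth.log, so a reader has to re-open the path whenever the inode behind it
changes. simulate_logrotate() below uses constructed data in a temp dir."""
import os
import tempfile
import time


class RotatingTail:
    """Incremental reader that re-opens the path when its inode changes or it shrinks."""

    def __init__(self, path, from_start=False):
        self.path = path
        self.fh = None
        self.ino = None
        self.buf = ""  # carry-over for a trailing line without newline yet
        self._open(seek_end=not from_start)

    def _open(self, seek_end):
        self.fh = open(self.path, "rb")
        self.ino = os.fstat(self.fh.fileno()).st_ino
        if seek_end:
            self.fh.seek(0, os.SEEK_END)

    def _rotated(self):
        """True when the path now points at another inode, or the file shrank (copytruncate)."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False  # renamed away, new file not created yet: retry on the next call
        return st.st_ino != self.ino or st.st_size < self.fh.tell()

    def _read_text(self):
        return self.fh.read().decode("utf-8", errors="replace")

    def read_new_lines(self):
        """Return the complete lines appended since the last call, following rotations."""
        self.buf += self._read_text()
        if self._rotated():
            self.buf += self._read_text()  # drain a late write to the old inode
            self.fh.close()
            self._open(seek_end=False)     # new file: start from its beginning
            self.buf += self._read_text()
        *lines, self.buf = self.buf.split("\n")
        return lines

    def close(self):
        self.fh.close()


def follow(path, poll_interval=1.0):
    """Yield lines forever, e.g. for line in follow('/var/log/auth.log'): ..."""
    tail = RotatingTail(path)
    while True:
        yield from tail.read_new_lines()
        time.sleep(poll_interval)


def simulate_logrotate():
    """Reproduce the logrotate rename in a temp dir and report what each read saw."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as f:
            f.write("line1\n")
        tail = RotatingTail(path, from_start=True)
        first = tail.read_new_lines()
        with open(path, "a") as f:
            f.write("line2\npartial")
        second = tail.read_new_lines()
        # What logrotate does: rename the current file and start a new, empty one.
        os.rename(path, path + ".1")
        with open(path + ".1", "a") as f:
            f.write(" tail\n")  # a late write that still lands in the old inode
        with open(path, "w") as f:
            f.write("fresh\n")
        # A reader opened before the rename is still bound to the old inode.
        stale = os.fstat(tail.fh.fileno()).st_ino != os.stat(path).st_ino
        third = tail.read_new_lines()
        tail.close()
        return {"first": first, "second": second,
                "stale_before_reopen": stale, "third": third}


if __name__ == "__main__":
    print(simulate_logrotate())
```

The third read returns both the line completed in the old inode and the first line of the new file; a reader without the re-open step would keep returning nothing after the rename, which is exactly the stale view the single-file bind mount produces.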