Simple script that sets up what I consider the simplest, but not least effective, Intrusion Detection System. It embeds a one-liner in a file that is executed on new shell sessions, so that an instant alert is sent via Telegram.
The alert includes the hostname, the username and the current sessions on the host.
Just define the three required variables in the script:
- tgdst - Telegram destination chat ID
- tgtoken - Telegram bot token
- triggerFile - The file in which to embed the payload
The trigger file can be any system file that is executed for new shell sessions; the wider its coverage, the more effective the sIDS. Some examples are:
- ~/.bashrc
- ~/.zshrc
- ~/.profile
- /etc/bash.bashrc
- /etc/zsh.zshrc
- /etc/profile
Bear in mind that if it is set up in a specific shell's rc file, it will only trigger when that shell is in use, leaving some room for undetected sessions.
The "obfuscation" of the one-liner is only meant to buy a couple of extra seconds to respond to an intrusion and to keep the snippet from standing out if enumeration is done on the host. Either way, the output of the snippet is hidden by redirecting it to /dev/null, and unless there are DNS issues it should not be noticeable in terms of shell timing.
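As an added example (not the project's own script), here is an unobfuscated version of the mechanism described above: a function that builds the alert from the hostname, user and `who` output, one that posts it to the Telegram Bot API with all output sent to /dev/null, and an idempotent installer for the trigger-file line. The token, chat ID and the /opt/sids.sh path are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own script: a minimal, unobfuscated
# version of the alert hook. TG_TOKEN, TG_CHAT and /opt/sids.sh are placeholders.
TG_TOKEN="${TG_TOKEN:-REPLACE_WITH_BOT_TOKEN}"
TG_CHAT="${TG_CHAT:-REPLACE_WITH_CHAT_ID}"

# Compose the alert text from hostname ($1), user ($2) and session list ($3).
build_alert() {
    printf 'sIDS alert\nhost: %s\nuser: %s\nsessions:\n%s\n' "$1" "$2" "$3"
}

# Fill the alert with live values; `who` lists the logged-in sessions
# (user, tty, login time, origin), which is what the alert carries.
current_alert() {
    build_alert "$(hostname 2>/dev/null || uname -n)" "$(id -un)" \
                "$(who 2>/dev/null || echo 'n/a')"
}

# Post the alert to the Telegram Bot API in the background, with all output
# discarded so shell start-up is neither slowed nor cluttered.
send_alert() {
    curl -s -m 10 "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
        --data-urlencode "chat_id=${TG_CHAT}" \
        --data-urlencode "text=$(current_alert)" >/dev/null 2>&1 &
}

# Append the hook line to the trigger file exactly once (idempotent).
# $1 = trigger file (e.g. /etc/profile), $2 = path where this script lives.
install_hook() {
    hook=". $2 && send_alert"
    grep -qxF "$hook" "$1" 2>/dev/null || printf '%s\n' "$hook" >> "$1"
}
```

Run `install_hook /etc/profile /opt/sids.sh` once as root; every new login shell then sources the script and fires send_alert.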