SSH login alerts on Telegram,
the moment they happen
OxiWatch is a free, open-source SSH login monitor for Linux. Get an instant Telegram notification on every successful login, plus a daily report of failed brute-force attempts — with GeoIP. One binary, runs as a systemd service.
curl -sSL https://raw.githubusercontent.com/oxisoft/oxiwatch/main/scripts/install.sh | sudo bashEverything you need to watch SSH access
Real-time alerting and daily reporting for one server or a whole fleet.
Instant Telegram alerts
Get notified the second someone logs in over SSH — with username, source IP, and country.
Daily failed-login report
A morning summary of brute-force attempts and your top attacker IPs, so nothing slips by.
Built-in GeoIP
See where logins and attacks come from. Uses free DB-IP Lite — no API key or registration.
Real-time journal watch
Reads the systemd journal directly. No log files to tail, no PAM hooks to install.
Local SQLite history
Keeps an audit trail of logins with configurable retention. Your data stays on your server.
Self-upgrading
A single static binary that updates itself from GitHub releases with oxiwatch upgrade.
How it works
From zero to live alerts in three steps.
Create a Telegram bot
Talk to @BotFather for a token and grab your chat ID from @userinfobot.
Run the installer
The script downloads the right binary, asks for your bot token and chat ID, and sets up the systemd service.
Get alerted
OxiWatch watches SSH in real time. Every successful login pings your Telegram instantly; failed attempts arrive in the daily report.
OxiWatch and fail2ban
Not a competitor — a complement. Run both on the same machine.
| fail2ban | OxiWatch | |
|---|---|---|
| Role | Prevention — bans IPs after failures | Visibility — alerts & summarizes |
| Acts on | Failed attempts (firewall bans) | Successful logins + failed attempts |
| Notifies you | Not out of the box | Telegram, in real time |
| Tells you who got in | No | Yes |
fail2ban keeps attackers out. OxiWatch keeps you informed. Together they cover both sides.
Frequently asked questions
SSH monitoring, Telegram alerts, GeoIP, and more.
How do I get a Telegram notification when someone logs into my server over SSH?
Install OxiWatch and point it at a Telegram bot. It sends an instant message on every successful SSH login — including the username, source IP, and country.
Does OxiWatch replace fail2ban?
No. fail2ban blocks repeated failed attempts; OxiWatch tells you who actually logged in and summarizes attacks in a daily report. They solve different problems and run together on the same machine.
Which Linux distributions are supported?
Any Debian-based distribution with systemd. OxiWatch is tested on Debian 12 and 13 and works on Ubuntu and derivatives.
Does it work with OpenSSH 10.0+?
Yes. OxiWatch tracks the sshd, sshd-session, and sshd-auth syslog identifiers, so logins and failed attempts are captured on newer OpenSSH releases.
Is a GeoIP API key required?
No. OxiWatch uses the free DB-IP Lite database and downloads and updates it automatically. No account, key, or license is needed.
Does it monitor failed SSH login attempts too?
Yes. Failed attempts — including invalid users and pre-auth disconnects — are recorded and summarized in a daily Telegram report with the top attacker IPs.
Can I monitor multiple servers in one Telegram chat?
Yes. Install OxiWatch on each server and point them at the same chat. Set server_name so each alert is clearly labeled.
Is OxiWatch free and open source?
Yes — it's MIT licensed and free to use. The source is on GitHub.