An SSH log watchdog, which exports failed login attempts to an InfluxDB timeseries database.
Project description
Intrusion Monitor
An SSH log watchdog, which exports failed login attempts to an InfluxDB timeseries database.
Introduction
Exposing ports from your homelab is a potential security threat. If you monitor everything else, why not also monitor brute-force attacks to your server?
It is common to find brute-force SSH attempts, to random IP ranges and login credentials (username and password), on the most probable ports where SSH is listening,
such as port 22 (the SSH port), 2222, and so on.
SSH login attempts are stored logged in /var/log/auth.log. For instance take a look at this log snippet:
Mar 25 22:53:37 ubuntu sshd[26265]: Connection closed by invalid user dev 37.120.235.76 port 59304 [preauth]
Mar 25 22:54:48 ubuntu sshd[26772]: Connection closed by authenticating user root 123.56.161.195 port 44312 [preauth]
Mar 26 13:51:38 ubuntu sshd[503448]: Connection closed by 5.8.10.202 port 64319 [preauth]
Mar 27 15:50:17 ubuntu sshd[23939]: Failed password for ubnt from 106.75.246.203 port 48580 ssh2
None of these logins were made by me, nor I recognised these IPs. They are even from different countries!
Therefore, the aim of this tool is the following:
- Watch your
/var/log/auth.logfor (failed) login attempts; - Grab the username, IP and port the attempt comes from;
- Get IP information, latitude and longitude from IPstack (you will need to register for a free API key here);
- Store all this information in an InfluxDB database;
- You can then use this data to build a neat dashboards with your favourite tool (mine is Grafana)
But the best part is that all of this runs on Docker 🐳!
Operation Modes
This tool has two main operation modes:
- Log watchdog (default):
- The mounted log file is watched for new entries, which are then processed (extract username, IP and port, request IP information from IPstack and store in the database);
- Supports both SSH configurations with password authentication or only public key authentication.
- TCP socket for Rsyslog (under development):
- It listens for Rsyslog json messages in the format
{"ip": "<IP>", "username": "<username>", "port": "<port>"}; - There is a great Medium article, that uses Rsyslog for this purpose. This offers similar functionality with a python TCP socket on a Docker container, instead of the article's node.js server;
- It listens for Rsyslog json messages in the format
Docker Installation
Currently, images are supported for both x86-64 and arm64 architectures, so this is also suitable for your Raspberry Pi:
Architecture |
Tag |
|---|---|
| x86-64 | latest |
| arm64 | latest |
There are also development images with the latest on master branch:
| Architecture |
Tag |
|---|---|
| x86-64 | dev-latest |
| arm64 | dev-latest |
Docker CLI
To create a container using the command line:
docker run -d \
--name intrusion-monitor \
-e TZ=Europe/London `#default` \
-e INFLUXDB_HOST=<InfluxDB Host> \
-e INFLUXDB_PORT=8086 `#default` \
-e INFLUXDB_DATABASE=intrusion-monitor `#default` \
-e INFLUXDB_USER= `#optional` \
-e INFLUXDB_PASSWORD= `#optional` \
-e OPERATION_MODE=watchdog `#default` \
-e LOG_LEVEL=info `#default` \
-v /var/log/auth.log:/watchdog/log/auth.log:ro \
afonsoc12/intrusion-monitor:latest
Docker-compose
To create a standalone container with docker-compose, assuming that you have an InfluxDB instance already running:
version: '3.5'
services:
intrusion-monitor:
image: afonsoc12/intrusion-monitor:latest
container_name: intrusion-monitor
environment:
- TZ=Europe/London #default
- INFLUXDB_HOST=<InfluxDB host>
- INFLUXDB_PORT=8086 #default
- INFLUXDB_DATABASE=intrusion-monitor #default
- INFLUXDB_USER= #optional
- INFLUXDB_PASSWORD= #optional
- OPERATION_MODE=watchdog #default
- LOG_LEVEL=info #default
volumes:
- /var/log/auth.log:/watchdog/log/auth.log
ports:
- 7007:7007
restart: unless-stopped
If you would like to create a stack with both intrusion-monitor and InfluxDB, you can either fork this repo or download the docker-compose.yml and env.sample files (rename the latter to .env).
Don't forget to edit your .env! Then run it with:
docker-compose -p intrusion-monitor -f docker-compose.yml --env-file .env up -d
Parameters
Here are the image's parameters for ports (-p), environment variables (-e) and volume mappings (-v).
For docker-compose, -p corresponds to ports:, -e to environment: and -v to volumes:.
It is highly recommended that you store your environment variables, especially your secrets, in a .env file. You may use the .env.sample as a template.
If you would like to know more about environment variables in Docker, please see these articles about Environment variables in Compose and the Environment file.
| Parameter | Mandatory? | Function | Default |
|---|---|---|---|
-e TZ |
Specify the system's timezone | Europe/London | |
-e OPERATION_MODE |
Operation mode | watchdog | |
-e INFLUXDB_HOST |
✔ | InfluxDB database host. It can be the container name, if both are in the same network. See docker-compose.yml | localhost |
-e INFLUXDB_PORT |
InfluxDB port | 8086 | |
-e INFLUXDB_DATABASE |
InfluxDB database name. Creates a new one if does not exist | intrusion-monitor | |
-e INFLUXDB_USER |
InfluxDB user | optional | |
-e INFLUXDB_PASSWORD |
InfluxDB password | optional | |
-e LOG_LEVEL |
Log level. Supports "debug" or "info" | info | |
-p 7007:7007 |
TCP socket port (under development) | -- | |
-v /var/log/auth.log:/watchdog/log/auth.log:ro |
✔ (in watchdog mode) |
Map to the log file, in read-only mode. | mandatory |
How can I protect myself in the first place?
The first thing you can do is to disable password authentication on your machine, and opt only for public key authentication.
This method is the most secure type of authentication credentials and uses a pairs of two cryptographically secure keys: a public key and a private key. You can learn more about this in this article from SSH.com.
I also recommend disabling root authentication and changing the port SSH is listening to an uncommon one (don't use any of 22, 2222, 32222, 52222, and so on).
Moreover, if you have a "smart" router, configure your firewall to only allow connections from countries you are likely to access your server from, and deny everything else.
Credits
Copyright 2022 Afonso Costa
Licensed under the Apache License, Version 2.0 (the "License")
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file intrusion-monitor-0.1.0.tar.gz.
File metadata
- Download URL: intrusion-monitor-0.1.0.tar.gz
- Upload date:
- Size: 38.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.0 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 6c3335511f0d8bb9ab62ea242e5d10055a2698da2824a00376c762bea6142383 |
|
| MD5 | c38bea08680959e26755e3cef1aa3124 |
|
| BLAKE2b-256 | bdbe3db630dff6727a2cc5bbd90008cd991125750761bd0e2ac8c1e6e04e039b |
File details
Details for the file intrusion_monitor-0.1.0-py3-none-any.whl.
File metadata
- Download URL: intrusion_monitor-0.1.0-py3-none-any.whl
- Upload date:
- Size: 21.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.0 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 47ee0926f2848068ad07016e4eb5fda823a6d79574edcee5c65718922bac7265 |
|
| MD5 | 7a1a0210a3cc5c476025827283a6ea43 |
|
| BLAKE2b-256 | dc9a405006939e81c8cdf6b023511f1434d68ff516b7c18298a5bcf3b3205e8d |
