Skip to content
/ ssh-log-to-influx Public
forked from acouvreur/ssh-log-to-influx

Send SSH authentication logs to influxdb with geohashing IP. Modified quickly for succesful attempts.

License

GPL-3.0 license
0 stars 25 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jolbol1/ssh-log-to-influx

BranchesTags
 
 

Repository files navigation

Modified

I modified this to create a seperate log of the succesful ssh logins.

Visualize bruteforce SSH attacker's location in real time

Build, test and deploy Docker Image Size Docker Pulls

Multiarch supported linux/amd64,linux/arm/v7,linux/arm64 for Raspberry Pis 😄

Thanks to Schkn for its original post https://devconnected.com/geolocating-ssh-hackers-in-real-time/

Preview

Dashboard

Grafana dashboard id : 12323

docker run -e INFLUX_HOST=myinfluxdb.com -e INFLUX_DB=geoloc -p 7070:7070 acouvreur/ssh-log-to-influx

Prerequisites

  • Docker
  • Rsyslog
  • An InfluxDB instance (or use docker-compose.standalone.yml)
  • A Grafana instance (or use docker-compose.standalone.yml)

Getting started

With a bundled InfluxDB and Grafana

docker-compose -f docker-compose.standalone.yml up

With an external InfluxDB

  • INFLUX_PROTOCOL optional default: http Protocol to use, http or https.
  • INFLUX_HOST Influx (FQDN) host to connect to.
  • INFLUX_PORT optional default: 8086 Influx port to connect to.
  • INFLUX_USER optional default: root Username for connecting to the database.
  • INFLUX_PWD optional default: root Password for connecting to the database.
  • INFLUX_DB Database to operate on.

Note: You can use the Docker network FQDN if you put the service in the same Docker network as your InfluxDB instance. INFLUX_HOST will be influx if your service's name is influx.

docker-compose up -d

Test the TCP server

  1. docker-compose -f docker-compose.standalone.yml up
  2. netcat localhost 7070 or ncat localhost 7070 with Git bash for Windows
  3. type: Failed password for username from 206.253.167.10 port 11111 ssh2
  4. Data should be parsed and added

Rsyslog configuration

Add this under /etc/rsyslog.conf to forward ssh auth failures to local server :

I have 'PasswordAuthentication' activated

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

I have 'PubkeyAuthentication' activated

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Invalid' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   } else if $msg startswith ' Disconnected from authenticating' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

Debug configuration

  • If you want to skip certificate validation, set NODE_TLS_REJECT_UNAUTHORIZED to 0, but don't do this without understanding the implications.
  • DEBUG_LEVEL: level of logging in log4js, default is "info".

About

Send SSH authentication logs to influxdb with geohashing IP. Modified quickly for succesful attempts.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 97.0%
  • Dockerfile 3.0%