ssh-log-to-influx

Send SSH authentication logs to influxdb with geohashing IP

Visualize bruteforce SSH attacker's location in real time


Multiarch supported linux/amd64,linux/arm/v7,linux/arm64 for Raspberry Pis 😄

Thanks to Schkn for the original post https://devconnected.com/geolocating-ssh-hackers-in-real-time/

Preview

Dashboard

Grafana dashboard id : 12323

docker run -e INFLUX_HOST=myinfluxdb.com -e INFLUX_DB=geoloc -p 7070:7070 acouvreur/ssh-log-to-influx

Prerequisites

  • Docker
  • Rsyslog
  • An InfluxDB instance (or use docker-compose.standalone.yml)
  • A Grafana instance (or use docker-compose.standalone.yml)

Getting started

With a bundled InfluxDB and Grafana

docker-compose -f docker-compose.standalone.yml up

With an external InfluxDB

  • INFLUX_PROTOCOL (optional, default: http): protocol to use, http or https.
  • INFLUX_HOST: InfluxDB host (FQDN) to connect to.
  • INFLUX_PORT (optional, default: 8086): InfluxDB port to connect to.
  • INFLUX_USER (optional, default: root): username for connecting to the database.
  • INFLUX_PWD (optional, default: root): password for connecting to the database.
  • INFLUX_DB: database to operate on.

Note: You can use the Docker network FQDN if you put the service in the same Docker network as your InfluxDB instance. INFLUX_HOST will be influx if your service name is influx.

docker-compose up -d

Test the TCP server

  1. docker-compose -f docker-compose.standalone.yml up
  2. netcat localhost 7070 (or ncat localhost 7070 from Git Bash on Windows)
  3. type: Failed password for username from 206.253.167.10 port 11111 ssh2
  4. The line should be parsed and the resulting data point written to InfluxDB

Rsyslog configuration

Add this to /etc/rsyslog.conf to forward SSH authentication failures to the local server:

If you have 'PasswordAuthentication' enabled:

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

If you have 'PubkeyAuthentication' enabled:

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Invalid' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   } else if $msg startswith ' Disconnected from authenticating' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}
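The rsyslog rules above forward three sshd message shapes to the TCP server, and the test step feeds it one of them by hand. The following is an added example, not the project's own code, of how such lines can be parsed and turned into InfluxDB line protocol with a geohash tag; the measurement, tag and field names, the IP-to-coordinates lookup (passed in as a parameter) and the sample lines are assumptions.

```javascript
// Added example, not the project's code: parse the sshd messages the rsyslog
// rules forward and emit one InfluxDB line-protocol point per event.
// Measurement, tag and field names and the coordinates are assumptions.
// The three message shapes the rsyslog rules select on (%msg% starts with a
// space, hence the leading \s*). Capture groups: user, IPv4 address, port.
const PATTERNS = [
  { type: 'failed_password',
    re: /^\s*Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)/ },
  { type: 'invalid_user',
    re: /^\s*Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)/ },
  { type: 'disconnected',
    re: /^\s*Disconnected from authenticating user (\S+) (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)/ },
];

function parseSshdLine(line) {
  for (const { type, re } of PATTERNS) {
    const m = re.exec(line);
    if (m) return { type, username: m[1], ip: m[2], port: Number(m[3]) };
  }
  return null; // anything else (e.g. accepted logins) is not an auth failure
}

// Geohash encoder (standard algorithm): alternately bisects longitude and
// latitude, packing 5 bits per base32 character. Precision 6 is roughly a 1.2 km cell.
const BASE32 = '0123456789bcdefghjkmnpqrstuvwxyz';
function geohash(lat, lon, precision = 6) {
  const latR = [-90, 90], lonR = [-180, 180];
  let hash = '', bits = 0, ch = 0, useLon = true;
  while (hash.length < precision) {
    const r = useLon ? lonR : latR, v = useLon ? lon : lat, mid = (r[0] + r[1]) / 2;
    if (v >= mid) { ch = ch * 2 + 1; r[0] = mid; } else { ch = ch * 2; r[1] = mid; }
    useLon = !useLon;
    if (++bits === 5) { hash += BASE32[ch]; bits = 0; ch = 0; }
  }
  return hash;
}

// One line-protocol record. In a real pipeline `geo` comes from an IP
// geolocation lookup; here it is passed in so the example runs offline.
// Low-cardinality values become tags; the attacker-chosen username is a field.
function toLineProtocol(event, geo, tsNs) {
  const user = event.username.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  return `ssh_auth,type=${event.type},geohash=${geohash(geo.lat, geo.lon)} ` +
    `username="${user}",ip="${event.ip}",port=${event.port}i ${tsNs}`;
}

// Constructed sample lines: the README's test line plus two other shapes.
const SAMPLE = [' Failed password for username from 206.253.167.10 port 11111 ssh2',
  ' Invalid user admin from 203.0.113.5 port 4444', ' Accepted publickey for bob from 198.51.100.7 port 50022 ssh2'];
const events = SAMPLE.map(parseSshdLine).filter(Boolean);
console.log(events.map(e => toLineProtocol(e, { lat: 42.6, lon: -5.6 }, 1600000000000000000)).join('\n'));
```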

Debug configuration

  • If you want to skip certificate validation, set NODE_TLS_REJECT_UNAUTHORIZED to 0, but don't do this without understanding the implications.
  • DEBUG_LEVEL: level of logging in log4js, default is "info".