Visualize bruteforce SSH attacker's location in real time

Multiarch supported linux/amd64,linux/arm/v7,linux/arm64 for Raspberry Pis 😄

Thanks to Schkn for its original post https://devconnected.com/geolocating-ssh-hackers-in-real-time/

Preview

Grafana dashboard id : 12323

docker run -e INFLUX_HOST=myinfluxdb.com -e INFLUX_DB=geoloc -p 7070:7070 acouvreur/ssh-log-to-influx

Prerequisites

Docker
Rsyslog
An InfluxDB instance (or use docker-compose.standalone.yml)
A Grafana instance (or use docker-compose.standalone.yml)

Getting started

With a bundled InfluxDB and Grafana

docker-compose -f docker-compose.standalone.yml up

With an external InfluxDB

INFLUX_PROTOCOL optional default: http Protocol to use, http or https.
INFLUX_HOST Influx (FQDN) host to connect to.
INFLUX_PORT optional default: 8086 Influx port to connect to.
INFLUX_USER optional default: root Username for connecting to the database.
INFLUX_PWD optional default: root Password for connecting to the database.
INFLUX_DB Database to operate on.

Note: You can use the Docker network FQDN if you put the service in the same Docker network as your InfluxDB instance. INFLUX_HOST will be influx if your service name is influx.

docker-compose up -d

Test the TCP server

docker-compose -f docker-compose.standalone.yml up
netcat localhost 7070 or ncat localhost 7070 with Git bash for Windows
type: Failed password for username from 206.253.167.10 port 11111 ssh2
Data should be parsed and added

Rsyslog configuration

Add this under /etc/rsyslog.conf to forward ssh auth failures to local server :

I have 'PasswordAuthentication' activated

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

I have 'PubkeyAuthentication' activated

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Invalid' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   } else if $msg startswith ' Disconnected from authenticating' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

Debug configuration

If you want to skip certificate validation, set NODE_TLS_REJECT_UNAUTHORIZED to 0, but don't do this without understanding the implications.
DEBUG_LEVEL: level of logging in log4js, default is "info".

Name		Name	Last commit message	Last commit date
Latest commit History 185 Commits
.github/workflows		.github/workflows
grafana		grafana
src		src
.babelrc		.babelrc
.dockerignore		.dockerignore
.gitignore		.gitignore
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
dashboard.png		dashboard.png
docker-compose.standalone.yml		docker-compose.standalone.yml
docker-compose.yml		docker-compose.yml
jsconfig.json		jsconfig.json
package-lock.json		package-lock.json
package.json		package.json
release.config.js		release.config.js

License

acouvreur/ssh-log-to-influx

Folders and files

Latest commit

History

Repository files navigation

Visualize bruteforce SSH attacker's location in real time

Preview

Prerequisites

Getting started

With a bundled InfluxDB and Grafana

With an external InfluxDB

Test the TCP server

Rsyslog configuration

I have 'PasswordAuthentication' activated

I have 'PubkeyAuthentication' activated

Debug configuration

About

Topics

Resources

License

Stars

Watchers

Forks

Languages