tgiv014/authmap_go

What's Authmap?

Authmap is a tiny service that monitors /var/log/auth.log for fresh ssh authentication attempts. It checks each IP address against a GeoIP database and logs the resulting latitude, longitude, and country to an influxdb time-series database. This allows viewing in Grafana with the worldmap plugin. It could also be used to generate alerts on successful logins.
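The two halves of that pipeline, parsing an sshd line out of auth.log and emitting the geo-tagged point in InfluxDB line protocol, as an added Go example that is not the project's own code. The GeoIP lookup is stubbed with a constructed GeoResult because the real lookup needs GeoLite2-City.mmdb; the measurement name ssh_auth and the tag/field layout are assumptions, not authmap's schema.

```go
package main

import (
	"fmt"
	"regexp"
)

// AuthEvent is one sshd authentication attempt parsed from an auth.log line.
type AuthEvent struct {
	Success  bool
	User, IP string
}

// GeoResult is what the GeoLite2-City lookup would yield; the demo below stubs it.
type GeoResult struct {
	Country  string
	Lat, Lon float64
}

// sshdRe matches the "Accepted ..." / "Failed ..." lines sshd writes to /var/log/auth.log.
var sshdRe = regexp.MustCompile(`sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseAuthLine returns the event on an sshd auth line, and false for any other line (cron, sudo, ...).
func ParseAuthLine(line string) (AuthEvent, bool) {
	m := sshdRe.FindStringSubmatch(line)
	if m == nil {
		return AuthEvent{}, false
	}
	return AuthEvent{Success: m[1] == "Accepted", User: m[2], IP: m[3]}, true
}

// LinePoint renders one InfluxDB line-protocol point (tags: status, country; fields: lat, lon, ip).
// The status tag is what an alert on successful logins would key on.
func LinePoint(ev AuthEvent, geo GeoResult, tsNanos int64) string {
	status := "failed"
	if ev.Success {
		status = "accepted"
	}
	return fmt.Sprintf("ssh_auth,status=%s,country=%s lat=%g,lon=%g,ip=%q %d",
		status, geo.Country, geo.Lat, geo.Lon, ev.IP, tsNanos)
}

func main() {
	// Constructed sample line and stub GeoIP entry (a real run tails auth.log and reads GeoLite2-City.mmdb).
	line := "May  1 12:00:05 host sshd[1240]: Accepted publickey for alice from 198.51.100.9 port 40222 ssh2"
	if ev, ok := ParseAuthLine(line); ok {
		fmt.Println(LinePoint(ev, GeoResult{"DE", 52.52, 13.41}, 1714564800000000000))
	}
}
```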

Installation

While you could clone this repo and run go install cmd/authmap/authmap.go, I would recommend running the service inside Docker.

  1. Make a new directory to store authmap data. In this example, ./authmap is the authmap data directory.
  2. Download GeoLite2-City.mmdb (https://dev.maxmind.com/geoip/geoip2/geolite2/) and place it in ./authmap
  3. If desired, create config.yaml in ./authmap and fill it out using the below example for reference.
  4. Run the container!
    docker run -d --name authmap -v /var/log/auth.log:/var/log/auth.log:ro -v "$(pwd)/authmap":/etc/authmap tgiv014/authmap:latest

  5. If config.yaml does not exist, authmap will generate a config file with defaults. You may have to bring down the container, update config.yaml, and start it again.

Example config.yaml

This is the default configuration file generated by authmap with comments explaining each key. Any keys left out will be filled in internally with the defaults below.

influx:
  url: http://influxdb:8086 # Influx URL
  token: "" # Influx token. Can be "username:password" for user/pass auth
  org: "" # Influx Organization Name
  db: db0 # Influx DB Name
geolite:
  path: /etc/authmap/GeoLite2-City.mmdb # GeoIP database location
auth:
  path: /var/log/auth.log # Log location
  wait_length: 5s # Time to wait before counting log rows

Docker-Compose Example

version: "3"

services:
  influxdb:
    image: influxdb:latest
    volumes:
      - influx-storage:/var/lib/influxdb
    restart: unless-stopped
    environment:
      - INFLUXDB_DB=db0

  authmap:
    image: tgiv014/authmap:latest
    volumes:
      - /var/log/auth.log:/var/log/auth.log:ro
      - ./authmap:/etc/authmap
    depends_on:
      - influxdb
    restart: unless-stopped

volumes:
  influx-storage:

About

This service reads sshd auth logs and pipes out their geoIP origins to influxdb. A reimplementation of https://github.com/tgiv014/authmap in Go.
