When running a Linux server, which is accessible from the Internet, you will see a lot of failed SSH authentication attemtps.
This article is not about securing your server (ssh-port-change, fail2ban, private/public-key-auth only, ...) but about visualizing these attacks.
A popular tool to visualize time series data is here
The code and documentation is documented on a GitHub
It just looks great and providoes all the data we need to build a spy movie style attack dashboard:
Please note, this embedded image is hosted on Github, the copyright is with the author Alexis Couvreur.
The basic idea of his tool ssh-log-to-influx
is to utilize a custimzed configuration of RSYNC to send specific event notifications to a custom TCP port in addition to the standard output into /var/log/messages
So the data flow is like this:
SSHD -- RSYSLOG -- SSH-log-to-Influx -- InfluxDB -- Grafana
The documentation worked pretty well for me with one exception. RSYSLOG was not able to send events to the local TCP port 7070.
After restarting RSYSLOG I saw this in /var/log/messages:
Jan 26 16:21:24 server4711 rsyslogd: cannot connect to 127.0.0.1:7070: Permission denied [v8.2102.0-5$
After checking the port configuration in Docker I could identify the root cause. The Linux distribution on the particular server had SELinux enabled. So the fix was easy:
semanage port -a -t syslogd_port_t -p tcp 7070