Visualized SSH login failures
01/27/2022 05:53 PM
When running a Linux server that is accessible from the Internet, you will see a lot of failed SSH authentication attempts.
This article is not about securing your server (ssh-port-change, fail2ban, private/public-key-auth only, ...) but about visualizing these attacks. A popular tool to visualize time series data is Grafana.

The code and documentation are available on GitHub.
It just looks great and provides all the data we need to build a spy movie style attack dashboard:
Grafana Dashboard showing SSH login failures
Please note, this embedded image is hosted on GitHub; the copyright is with the author, Alexis Couvreur.

The basic idea of his tool ssh-log-to-influx is to use a customized RSYSLOG configuration to send specific event notifications to a custom TCP port, in addition to the standard output into /var/log/messages.
So the data flow is like this:

SSHD -- RSYSLOG -- SSH-log-to-Influx -- InfluxDB -- Grafana

The documentation worked pretty well for me with one exception. RSYSLOG was not able to send events to the local TCP port 7070.
After restarting RSYSLOG I saw this in /var/log/messages:
Jan 26 16:21:24 server4711 rsyslogd[148476]: cannot connect to 127.0.0.1:7070: Permission denied [v8.2102.0-5$
After checking the port configuration in Docker I could identify the root cause. The Linux distribution on the particular server had SELinux enabled. So the fix was easy:
semanage port -a -t syslogd_port_t -p tcp 7070
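
To confirm that SELinux is what blocks rsyslog before labelling a port, the denial can be read from the audit log. The script below is an added example, not part of the original post or of ssh-log-to-influx; the function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example: find TCP ports that SELinux refused the syslogd_t domain
# (rsyslog) to connect to, and print the matching labelling command.

# Reads audit records on stdin, prints each denied destination port once.
denied_syslog_ports() {
    awk '
        /avc: +denied/ && /name_connect/ && /tclass=tcp_socket/ &&
        /scontext=[^ ]*:syslogd_t:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dest=[0-9]+$/) { sub(/^dest=/, "", $i); print $i }
        }' | sort -un
}

# Prints (does not run) one semanage command per denied port.
suggest_fix() {
    denied_syslog_ports | while read -r port; do
        echo "semanage port -a -t syslogd_port_t -p tcp $port"
    done
}

# Constructed sample records; pids, timestamps and the httpd line are made up.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1643214084.101:812): avc:  denied  { name_connect } for  pid=1001 comm="rs:main Q:Reg" dest=7070 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1643214090.455:815): avc:  denied  { name_connect } for  pid=1001 comm="rs:main Q:Reg" dest=7070 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1643214101.002:820): avc:  denied  { name_bind } for  pid=2002 comm="httpd" src=8444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Demo on the sample; on a real host use: ausearch -m avc -ts recent | suggest_fix
sample_audit | suggest_fix
```

After applying the fix, `semanage port -l | grep syslogd_port_t` should list the new port next to the defaults.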
