Visualize bruteforce SSH attacker's location in real time

Name: acouvreur/ssh-log-to-influx
Brand: acouvreur/ssh-log-to-influx
SKU: project/acouvreur/ssh-log-to-influx
Rating: 4.44 (58 reviews)

Docker Image Size Docker Pulls

Multiarch supported linux/amd64,linux/arm/v7,linux/arm64 for Raspberry Pis 😄

Thanks to Schkn for its original post https://devconnected.com/geolocating-ssh-hackers-in-real-time/

Preview

Dashboard

Grafana dashboard id : 12323

docker run -e INFLUX_HOST=myinfluxdb.com -e INFLUX_DB=geoloc -p 7070:7070 acouvreur/ssh-log-to-influx

Prerequisites

Docker
Rsyslog
An InfluxDB instance (or use docker-compose.standalone.yml)
A Grafana instance (or use docker-compose.standalone.yml)

Getting started

With a bundled InfluxDB and Grafana

docker-compose -f docker-compose.standalone.yml up

With an external InfluxDB

INFLUX_PROTOCOL optional default: http Protocol to use, http or https.
INFLUX_HOST Influx (FQDN) host to connect to.
INFLUX_PORT optional default: 8086 Influx port to connect to.
INFLUX_USER optional default: root Username for connecting to the database.
INFLUX_PWD optional default: root Password for connecting to the database.
INFLUX_DB Database to operate on.

Note: You can use the Docker network FQDN if you put the service in the same Docker network as your InfluxDB instance. INFLUX_HOST will be influx if your service name is influx.

docker-compose up -d

Test the TCP server

docker-compose -f docker-compose.standalone.yml up
netcat localhost 7070 or ncat localhost 7070 with Git bash for Windows
type: Failed password for username from 206.253.167.10 port 11111 ssh2
Data should be parsed and added

Rsyslog configuration

Add this under /etc/rsyslog.conf to forward ssh auth failures to local server :

I have 'PasswordAuthentication' activated

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

I have 'PubkeyAuthentication' activated

template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n")
if $programname == 'sshd' then {
   if $msg startswith ' Invalid' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   } else if $msg startswith ' Disconnected from authenticating' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="OnlyMsg")
   }
}

Debug configuration

If you want to skip certificate validation, set NODE_TLS_REJECT_UNAUTHORIZED to 0, but don't do this without understanding the implications.
DEBUG_LEVEL: level of logging in log4js, default is "info".

Project Name	Stars	Most Recent Commit	Open Issues	License	Language
Fintank	76	8 years ago			Python
Architectural POC for real-time market data and portfolio order processing using Storm, Kafka, InfluxDB, Graphana, ooh and Python!
Ssh Log To Influx	58	2 years ago	6	gpl-3.0	JavaScript
Send SSH authentication logs to influxdb with geohashing IP
Poolmon	7	2 years ago	2	mit	JavaScript
Pool Temperature Monitoring Project
Sshpoller	6	7 years ago			Python
Python SSH screen scrapper with InfluxDB output
Junos_rpm	3	5 years ago	1		Python
Juniper RPM Collection with InnoDB and Graphana
Rasplogger	2	3 months ago		mit	Python
Raspberry pi, Bluetooth BLE, Uart, data-collector with InfluxdB
Intrusion Monitor	2	a year ago		apache-2.0	Python
An SSH log watchdog, which exports failed login attempts to an InfluxDB timeseries database.

Ssh Log To Influx