Anuvindh Sankaravilasam for AWS Community Builders

👮How to Monitor unauthorized SSH attempts on your server & get email Alert

DAY 12 - 👮 Monitor unauthorized SSH attempts on your server.


Having your server pwned is one of the scariest things that can happen, so monitor your server for unwanted SSH attempts.

Gaining unauthorized access to your server is usually the attacker's main motive. Monitoring SSH attempts helps you understand what is happening and take proper remediation before the server is compromised.

📋 Table of Contents

  • Install CloudWatch log agent and Configure.
  • Create Metric and Setup SNS Notification.
  • Get alerts for unauthorized SSH access.

👀 Install CloudWatch log agent and Configure.

Step 1 Install CloudWatch log Agent

Step 2 Configure awslogs.conf

  • Editing this file lets you deliver custom logs to CloudWatch.

```
sudo nano /var/awslogs/etc/awslogs.conf
```

  • Add the following configuration, making sure you change log_group_name to your own log group name. If you followed the Step 1 tutorial, the name will be Ec2-Log-Group.

```
[general]
state_file = /var/awslogs/state/agent-state

[logstream1]
file = /var/log/auth.log
log_group_name = Ec2-Log-Group
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
```

  • Restart the awslogs service.

```
sudo service awslogs restart
```

  • Test failed SSH attempts.

```
sudo tail -f /var/log/auth.log
```

Now if you try to log in with an unauthorized user name or key, you will be able to see the attempt here.

Verify in CloudWatch log group

  • Go to the CloudWatch dashboard, open your log group and select your stream.
  • Search for invalid user.

Create a metric filter for SNS

  • Once you have verified the log entries, you will see an option to create a metric filter.
  • Click Create Metric Filter.
  • Name the filter, add a metric value and click Create.
  • Test the metric you have created: go to the log group and click Metric filters.
  • Select the filter and click Edit. Now select your server and click Test pattern; if everything is good, you can see your results.
  • Select the same metric filter, then click Create alarm to create one.
  • Change the period to 1 min or less.
  • Add conditions and click Next.
  • Create an SNS topic to deliver the email alert: click Create topic.
  • Enter the alarm name and alarm description.
  • Now click Next and Create alarm.
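
To see which auth.log lines the "invalid user" filter actually counts, and which 1-minute periods would put the alarm into the In alarm state, here is an offline emulation added as an example (it is not code from the original post and does not call AWS). The sample log lines, the year, the metric value of 1 per matching line and the threshold are assumptions; the match is case-sensitive, as CloudWatch Logs filter patterns are.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (documentation IPs, made-up users).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:02 ip-10-0-0-5 sshd[2211]: Invalid user admin from 203.0.113.7 port 40112
Mar  3 10:15:02 ip-10-0-0-5 sshd[2211]: Connection closed by invalid user admin 203.0.113.7 port 40112 [preauth]
Mar  3 10:15:40 ip-10-0-0-5 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Mar  3 10:16:05 ip-10-0-0-5 sshd[2230]: Accepted publickey for ubuntu from 198.51.100.20 port 51514 ssh2
Mar  3 10:17:30 ip-10-0-0-5 sshd[2244]: Disconnected from invalid user oracle 198.51.100.9 port 33874 [preauth]
"""

PHRASE = "invalid user"  # the phrase searched for above; lowercase only, so "Invalid user ..." is not counted
USER_IP = re.compile(r"invalid user (\S+) (?:from )?(\d{1,3}(?:\.\d{1,3}){3})")

def matching_events(log_text, year=2024):
    """Yield (minute, user, ip) for each line the phrase filter would count.

    auth.log timestamps carry no year, so one is assumed for parsing.
    """
    for line in log_text.splitlines():
        if PHRASE not in line:
            continue
        # Same layout as datetime_format in awslogs.conf: %b %d %H:%M:%S
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        m = USER_IP.search(line)
        user, ip = m.groups() if m else ("?", "?")
        yield ts.replace(second=0), user, ip

def alarm_periods(log_text, threshold=1):
    """Return {minute: count} for 1-minute periods whose count reaches threshold."""
    counts = Counter(minute for minute, _, _ in matching_events(log_text))
    return {minute: n for minute, n in sorted(counts.items()) if n >= threshold}

if __name__ == "__main__":
    for minute, n in alarm_periods(SAMPLE_AUTH_LOG).items():
        print(minute.strftime("%b %d %H:%M"), "matching lines:", n)
```

Because one failed login can write more than one matching line, the metric counts log lines rather than distinct attempts, which is worth keeping in mind when choosing the alarm condition.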

Let's test for unauthorized SSH access.

  • Go to your mailbox and confirm the subscription from the email that you have received.
  • Now go to PuTTY, enter a different user name and try to access the server.
  • If you check the alarm state, you can see it has changed to 🔴In alarm.
  • Now check your registered email; you can see the SNS alert there.

🎉Congratulations🎉 you have successfully configured your alert to monitor Failed SSH attempts.
