Use Case: Monitor SSH attempts for your EC2 Instance

Securing your architecture from attacks is one of the important things to guarantee a stable system with will reflect to a good reputation of your site or platform.

When it comes to large system you have many components such as compute, database and storage.

In this article we will discuss how to monitor the SSH attempts for your EC2 instance through AWS CloudWatch and receive a notification through AWS SNS.

Prerequisites for this demo:

1. EC2 Instance with Amazon Linux 2 since we will install CloudWatch Agent.

We will use AWS CloudWatch Alarms & AWS SNS for creating a topic to monitor and receive a notification when a certain alarm raised.

Steps:

1- Launch an EC2 instance from AWS Console with default configuration but we will use the below user data script to install & configure the CW agent when instance starts:

#!/bin/bash -xe

echo --- install packages ---
dnf update && dnf install -y amazon-cloudwatch-agent-1.247358.0-1.amzn2023.x86_64 \
    gcc \
    ec2-instance-connect \
    aws-cfn-bootstrap.noarch \
    openssh-8.7p1-8.amzn2023.0.4.x86_64 \
    rsyslog-8.2204.0-3.amzn2023.0.2.x86_64

echo --- create cw agent config file ---
cat << EOF > /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
{
  "agent": {
    "run_as_user": "root"
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/secure",
            "log_group_name": "SSHfail",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 3,
            "timestamp_format": "%b %d %H:%M:%S"
          }
        ]
      }
    }
  }
}
EOF

echo --- starting the cloudwatch agent ---
systemctl start amazon-cloudwatch-agent.service

echo --- modify sshd to log to file ---
systemctl stop sshd
sed -i 's|RestartSec=42s|RestartSec=42s\nStandardOutput=syslog\nStandardError=syslog\n|g' /lib/systemd/system/sshd.service
systemctl daemon-reload
systemctl start sshd

echo --- start syslog ---
systemctl start rsyslog

/opt/aws/bin/cfn-signal -e 0 --stack "cloudacademylabs" --region "us-west-2" --resource MonitorCloudWatchLabInstance

2- We will login into our EC2 instance through AWS Console

3- We will execute the below command to get the status of AWS CloudWatch Agent

sudo systemctl status amazon-cloudwatch-agent.service
and it should be active as below:

4- If you have tried to login using EC2 Connect with different user than the ec2-user you should get the below error:

5- You can navigate to /var/log and tail -f secure to view this attempt as below:

6- Navigate to AWS CloudWatch through the AWS console and create a log group if it doesn't exist with the same name which configured earlier by user data of the EC2 instance

7- Navigate to AWS SNS through the AWS console in order to create a topic to get notification, the below is the configuration of the topic:

Type: Standard
Name: ssh-fails

we will leave the default configuration, take a note of the topic ARN.

8- Create a subscription in order to start receive notifications with the below configuration:

Protocol: Email
Endpoint: Enter your email

9- Now we are going to create an Alarm through AWS CloudWatch console, navigate to AWS CloudWatch then Alarm > All Alarms and Create Alarm button.

for the metric search for IncomingLogEvents and select AccountMetric > IncomingLogEvents and press on Graphed metrics.

you will be able to see a graph for this metric as below:

Press select metric.

Conditions should be configured as below:

this means if there are 3 failed attempts then the alarm will be raised.

Press Next

In the notification window select the SNS topic which you have previously created and press next.

for Alarm name you can give it any name and press Create alarm.

Now you need to create a metric filter to match against.

10- Navigate to AWS CloudWatch Log groups, select our Log group and press action, then select create metric filter:

We will use the below filter as a filter pattern since this matches our pattern of secure file in the previous step:
[Mon, day, timestamp, ip, id, status = Invalid, ...]

Press next and enter the below configuration for the filter name and details.

Filter Name: SSh-failers
Metric details

• Metric Namespace: ssh-fails
• Metric Name: ssh-fails
• Metric Value: 3

Press Create

11- Now you are ready to test by doing some attemps with different users, the alarm should be changed as below:

Now you will successfully receive fails attempts to SSH on your instance and you will be aware of any undesired SSH.