Monitoring and Intrusion Detection
Continuous monitoring detects attack attempts and unauthorized access, enabling rapid response to security incidents. Combining log analysis with automated response mechanisms creates an active defense system.
Configure comprehensive SSH logging:
# Enhanced logging configuration
# /etc/rsyslog.d/50-sshd.conf
# Rules are evaluated in order. "& stop" discards the matched message, so the
# forward to the central syslog server must come before the sshd rule, or
# sshd messages would never leave this host.
# Send everything to central syslog server (TCP)
*.* @@syslog.example.com:514
# Log all SSH activity to a dedicated file and stop processing it further
:programname, isequal, "sshd" /var/log/sshd.log
& stop
Implement log monitoring with custom scripts:
#!/bin/bash
# monitor_ssh.sh - Real-time SSH monitoring
LOGFILE="/var/log/sshd.log"
ALERT_EMAIL="[email protected]"
FAIL_THRESHOLD=5

# Monitor for suspicious patterns (-r keeps backslashes in log lines intact)
tail -F "$LOGFILE" | while read -r line; do
    # Failed authentication attempts
    if echo "$line" | grep -q "Failed password\|Failed publickey"; then
        IP=$(echo "$line" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
        # Skip lines without an IPv4 address (e.g. IPv6 clients): an empty
        # pattern would otherwise match every line of the log below
        [ -n "$IP" ] || continue
        echo "Failed login attempt from $IP: $line"
        # Count failures from this IP (-F matches the address literally, so the
        # dots are not treated as regex wildcards)
        FAILURES=$(grep -F "$IP" "$LOGFILE" | grep -c "Failed")
        if [ "$FAILURES" -gt "$FAIL_THRESHOLD" ]; then
            echo "Multiple failures from $IP - sending alert"
            echo "SSH Attack Alert: $FAILURES failed attempts from $IP" | \
                mail -s "SSH Security Alert" "$ALERT_EMAIL"
        fi
    fi
    # Successful root login attempts (should never happen)
    if echo "$line" | grep -q "Accepted.*for root"; then
        echo "CRITICAL: Root login detected!" | \
            mail -s "CRITICAL SSH Alert - Root Login" "$ALERT_EMAIL"
    fi
done
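The monitor above counts failures with a regex over IPv4 addresses and re-scans the whole log for every event. The following script, added here as an example and not part of the original page, shows the same detection logic as offline functions that can be run over an existing log (or piped from tail -F). It takes the source address as the token after "from" in the standard OpenSSH messages, so IPv6 clients are counted too, and it uses a constructed sample log from documentation address ranges. The message formats assumed, the threshold, and the sample lines are all my assumptions, not something the page states.

```shell
#!/bin/bash
# ssh_log_triage.sh - offline triage of sshd log lines.
# Added example, not the page's monitor_ssh.sh. Assumes the default OpenSSH
# formats "Failed password for ... from <addr> port ..." and
# "Accepted <method> for <user> from <addr> port ..."; the address is taken as
# the token after "from", so IPv6 sources are handled as well as IPv4.
set -eu

# Constructed sample log (documentation address ranges); not real traffic.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar  1 10:00:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Mar  1 10:00:03 host sshd[103]: Failed password for root from 203.0.113.5 port 4244 ssh2
Mar  1 10:00:04 host sshd[104]: Failed publickey for alice from 2001:db8::7 port 5000 ssh2: ED25519 SHA256:constructed
Mar  1 10:00:05 host sshd[105]: Failed password for alice from 203.0.113.5 port 4245 ssh2
Mar  1 10:00:06 host sshd[106]: Accepted publickey for alice from 198.51.100.9 port 6000 ssh2: ED25519 SHA256:constructed
Mar  1 10:00:07 host sshd[107]: Failed publickey for bob from 2001:db8::7 port 5001 ssh2: RSA SHA256:constructed
Mar  1 10:00:08 host sshd[108]: Accepted password for root from 2001:db8::7 port 5002 ssh2'

# Failed logins per source address, read from stdin.
# Prints "count address" per line, highest count first.
failures_by_source() {
    awk '/Failed (password|publickey)/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (a in n) print n[a], a }' | sort -rn
}

# Addresses whose failure count reaches the threshold (default 5), one per line.
sources_over_threshold() {
    local threshold="${1:-5}"
    failures_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Source address of every accepted root login; empty output means none.
root_logins() {
    awk '/Accepted .* for root from / {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
         }'
}

# Run against the constructed sample: ./ssh_log_triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failures_by_source
    printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 3
    printf '%s\n' "$SAMPLE_LOG" | root_logins
fi
```

On the sample, failures_by_source reports 4 attempts from 203.0.113.5 and 2 from 2001:db8::7, sources_over_threshold 3 lists only 203.0.113.5, and root_logins flags 2001:db8::7. Because the functions read whatever is on stdin, the same code can be fed a time-bounded slice of the log (for example the output of journalctl --since) to get a per-window count rather than the ever-growing lifetime total the monitor script computes.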
Deploy SSH-specific intrusion detection:
# Install and configure AIDE for file integrity monitoring
sudo apt-get install aide

# Configure AIDE for SSH monitoring
# /etc/aide/aide.conf additions. Selection lines are regular expressions, not
# shell globs, so the per-user directory is matched with [^/]+ and the dot in
# .ssh is escaped:
/etc/ssh p+i+n+u+g+s+b+m+c+md5+sha256
/home/[^/]+/\.ssh p+i+n+u+g+s+b+m+c+md5+sha256

# Initialize AIDE database
sudo aideinit

# Create monitoring cron job (written as root; keep the file name free of dots,
# since run-parts in cron.daily ignores names containing them)
sudo tee /etc/cron.daily/aide-check > /dev/null << 'EOF'
#!/bin/bash
/usr/bin/aide --check | grep -v "^AIDE" | mail -s "AIDE Report $(hostname)" [email protected]
EOF
sudo chmod +x /etc/cron.daily/aide-check
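To make concrete what the AIDE rules above check for, here is a minimal file-integrity check written from scratch. It is an added example, not AIDE's code and not the page's cron job: it records hash, mode, owner, group and size for every regular file under a directory (roughly the p+u+g+s+sha256 attributes in the rule), then reports files that were added, removed or changed against a saved baseline. The scenario it runs is constructed: a baseline of two files, then a key appended to authorized_keys and a new file dropped in. It assumes GNU coreutils (sha256sum, stat -c), as on Debian/Ubuntu.

```shell
#!/bin/bash
# fim_demo.sh - minimal file-integrity check in the spirit of the AIDE rules.
# Added example; not AIDE's code and not the page's cron job.
# Assumes GNU coreutils (sha256sum, stat -c). File names must not contain newlines.
set -eu

# Baseline of a directory: one line per regular file,
# "sha256 mode uid gid size<TAB>path", sorted by path.
fim_baseline() {
    local dir="$1" f
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %u %g %s' "$f")" "$f"
    done
}

# Compare the directory's current state with a baseline file. Prints
# "ADDED<TAB>path", "REMOVED<TAB>path" or "CHANGED<TAB>path" lines, sorted.
# (The NR==FNR idiom needs a baseline with at least one line.)
fim_check() {
    local dir="$1" baseline="$2" current
    current=$(mktemp)
    fim_baseline "$dir" > "$current"
    awk -F'\t' 'NR == FNR { base[$2] = $1; next }
                { cur[$2] = $1 }
                END {
                    for (p in cur) {
                        if (!(p in base)) { print "ADDED\t" p }
                        else if (cur[p] != base[p]) { print "CHANGED\t" p }
                    }
                    for (p in base) {
                        if (!(p in cur)) { print "REMOVED\t" p }
                    }
                }' "$baseline" "$current" | sort
    rm -f "$current"
}

# Exit status 0 when nothing differs from the baseline, 1 otherwise.
fim_clean() {
    [ -z "$(fim_check "$1" "$2")" ]
}

# Constructed scenario in a temporary directory: baseline two files, then
# append a key to authorized_keys and drop in a new file, and run the check.
fim_demo() {
    local d b
    d=$(mktemp -d)
    b=$(mktemp)
    printf 'Port 22\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'ssh-ed25519 AAAAconstructed alice@laptop\n' > "$d/authorized_keys"
    fim_baseline "$d" > "$b"
    printf 'ssh-ed25519 BBBBconstructed unexpected@host\n' >> "$d/authorized_keys"
    printf '/bin/true\n' > "$d/rc.local"
    fim_check "$d" "$b"
    rm -rf "$d" "$b"
}

# Run the scenario: ./fim_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fim_demo
fi
```

The demo prints exactly two lines, ADDED for rc.local and CHANGED for authorized_keys; sshd_config, which was not touched, is silent. The same principle applies to the real deployment: the baseline must be taken from a known-good state and stored where an attacker who gains the monitored host cannot rewrite it, otherwise the check compares against a tampered reference.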