Simple SSH Intrusion Detection

Since I use SSH for remote access to my LAN, which includes port forwarding to my server, I wanted a simple way to check the server's SSH logs for possible intrusion attempts.

I now run an hourly cron job that searches the sshd log for text strings that might indicate intrusion attempts.

    # SSH_LOG is the sshd log, e.g. /var/log/auth.log on Debian-based systems.
    # grep needs -E for '|' to mean alternation; the path is quoted in case it contains spaces.
    FAILED_PASSWORD="$(grep -E 'Failed password for|Failed none for' "$SSH_LOG")"
    REFUSED_CONNECT="$(grep 'refused connect from' "$SSH_LOG")"
    TOO_MANY_AUTH="$(grep 'Too many authentication failures' "$SSH_LOG")"
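
Running the same three checks over a few sample lines shows what each pattern catches and how the raw matches can be turned into something actionable. The script below is an added example written for this page, not the cron job from the post: the log lines are constructed in sshd's usual format rather than captured from a real server, the function names are my own, and the per-address summary of failed logins goes a step beyond the plain greps above.

```shell
#!/bin/sh
# Added example, not the post's own cron job: scan an sshd log for the same
# three patterns, then break failed logins down by source address.
# The log lines are constructed samples in OpenSSH's usual format, not
# captured from a real server.

# Extended regexes for the three events the post looks for.  Plain grep
# treats '|' literally, so alternation needs -E.
FAILED_RE='Failed (password|none) for'
REFUSED_RE='refused connect from'
TOO_MANY_RE='Too many authentication failures'

# make_sample_log -> writes the constructed sample log to a temp file and
# prints its path.  Addresses are from the documentation ranges.
make_sample_log() {
    f="$(mktemp)"
    cat >"$f" <<'EOF'
Jan 10 03:12:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 10 03:12:04 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 10 03:12:09 srv sshd[1207]: Failed none for invalid user test from 198.51.100.9 port 40011 ssh2
Jan 10 03:12:15 srv sshd[1210]: refused connect from 198.51.100.9 (198.51.100.9)
Jan 10 03:12:30 srv sshd[1215]: Disconnecting authenticating user root 203.0.113.5 port 51030: Too many authentication failures [preauth]
Jan 10 03:14:00 srv sshd[1230]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:ExampleKeyFingerprint
EOF
    printf '%s\n' "$f"
}

# count_matches LOG REGEX -> number of matching lines.  grep -c prints 0 but
# exits 1 when nothing matches; the '|| true' keeps set -e callers running.
count_matches() {
    grep -Ec -- "$2" "$1" || true
}

# failed_by_source LOG MIN -> "COUNT ADDR" for every source address with at
# least MIN failed logins, busiest first.  The address is the token between
# "from" and "port" in sshd's "Failed ... for USER from ADDR port N" lines.
failed_by_source() {
    grep -E -- "$FAILED_RE" "$1" \
    | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# report LOG -> prints a summary; returns 0 only when none of the three
# patterns matched, so a cron wrapper can mail the output just on failure.
report() {
    log="$1"
    failed="$(count_matches "$log" "$FAILED_RE")"
    refused="$(count_matches "$log" "$REFUSED_RE")"
    toomany="$(count_matches "$log" "$TOO_MANY_RE")"
    printf 'failed logins: %s\nrefused connects: %s\ntoo-many-failures: %s\n' \
        "$failed" "$refused" "$toomany"
    printf 'sources with 2+ failed logins:\n'
    failed_by_source "$log" 2 | sed 's/^/  /'
    [ "$((failed + refused + toomany))" -eq 0 ]
}

# Stand-alone run against the constructed sample.
SAMPLE="$(make_sample_log)"
report "$SAMPLE" || echo "possible intrusion attempts found"
rm -f "$SAMPLE"
```

To use it from cron, replace the sample with the real log path and let the non-zero exit status from `report` drive the notification; cron mails any output by default, so printing only when something matched keeps the hourly mail quiet on a clean log. Note that, like the greps in the post, this reads the whole file each run, so entries keep being reported until the log rotates.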

I am aware of fail2ban, but I am uncertain whether the tool would be useful for me.

I use SSH key pairs, and the private keys I carry for remote access are protected with a passphrase. That keeps the keys from being useful on their own should I lose control of the laptop. The hourly cron job provides an additional layer of protection, and I keep the server port forwarding disabled until needed.
