Remember the Users
RSS imageAbout About Me

The ongoing challenge of using free/libre software.

Simple SSH Intrusion Detection

With the ability to use SSH to provide remote access to my LAN, which includes port forwarding to my server, I wanted a simple way to check the server SSH logs for possible intrusions.

I now run an hourly cron job looking for text strings that might indicate intrusion attempts.

    FAILED_PASSWORD="$(grep ‘Failed password for|Failed none for’ $SSH_LOG)"
    REFUSED_CONNECT="$(grep ‘refused connect from’ $SSH_LOG)"
    TOO_MANY_AUTH="$(grep ‘Too many authentication failures’ $SSH_LOG)"

I am aware of fail2ban, but I am uncertain the tool would be useful for me.

I am using SSH key pairs. With remote access my key pairs use a pass phrase to protect the private key. That prevents the keys from being useful should I lose control of the laptop. The hourly cron job provides an additional layer of protection. I keep the server port forwarding disabled until needed.

Posted: March 10, 2017 Category: Tutorial, Usability Tagged: General

Next: Write Permissions With Remote NFS Shares

Previous: How I Use Linux

No cookies, no JavaScript, no Flash, no ads, no tracking. Just a blog.

Remember the Users
RSS imageAbout About Me