Simple SSH Intrusion Detection
With the ability to use SSH to provide remote access to my LAN, which includes port forwarding to my server, I wanted a simple way to check the server SSH logs for possible intrusions.
I now run an hourly cron job looking for text strings that might indicate intrusion attempts.
# SSH_LOG points at the sshd log (typically /var/log/auth.log or /var/log/secure).
# The first pattern uses | alternation, which plain grep treats literally; grep -E is required.
FAILED_PASSWORD="$(grep -E 'Failed password for|Failed none for' "$SSH_LOG")"
REFUSED_CONNECT="$(grep 'refused connect from' "$SSH_LOG")"
TOO_MANY_AUTH="$(grep 'Too many authentication failures' "$SSH_LOG")"
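The following is an added example of how the same three checks can be wrapped into a script that is suitable for an hourly cron job; it is not the original post's script. It assumes standard sshd syslog lines, and the sample log it scans is constructed for the demonstration. Cron mails whatever a job prints, so the report function prints nothing when there are no hits and the job is silent on a quiet hour.

```shell
#!/bin/sh
# Added example (not the original post's cron job): scan an sshd log for the
# three indicator strings and report counts plus the matching lines.
# Assumes the usual syslog-style sshd lines; the sample log below is constructed.

# Count lines in $1 matching the extended regex $2.
# grep -c prints 0 but exits 1 on no match, so force a zero exit status.
count_matches() {
    grep -Ec "$2" "$1" || true
}

# Print one "label count" line per indicator; exit status is always 0.
scan_ssh_log() {
    log="$1"
    failed=$(count_matches "$log" 'Failed password for|Failed none for')
    refused=$(count_matches "$log" 'refused connect from')
    toomany=$(count_matches "$log" 'Too many authentication failures')
    printf 'failed_password %s\nrefused_connect %s\ntoo_many_auth %s\n' \
        "$failed" "$refused" "$toomany"
}

# Print the matching lines under a heading, but only when there are any,
# so a cron mail is generated only on a hit.
report_hits() {
    log="$1"
    for spec in \
        'failed_password|Failed password for|Failed none for' \
        'refused_connect|refused connect from' \
        'too_many_auth|Too many authentication failures'
    do
        label=${spec%%|*}
        pattern=${spec#*|}
        hits=$(grep -E "$pattern" "$log" || true)
        if [ -n "$hits" ]; then
            printf '== %s ==\n%s\n' "$label" "$hits"
        fi
    done
}

# Constructed sample log for demonstration only (addresses are documentation ranges).
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 01:02:03 host sshd[1001]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  3 01:05:11 host sshd[1002]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 01:05:14 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 01:05:20 host sshd[1003]: Failed none for invalid user test from 198.51.100.7 port 40030 ssh2
Mar  3 01:05:25 host sshd[1003]: Disconnecting invalid user test 198.51.100.7 port 40030: Too many authentication failures [preauth]
Mar  3 01:07:00 host sshd[1004]: refused connect from 203.0.113.9 (203.0.113.9)
EOF
}

# Stand-alone demonstration on the constructed sample.
demo_log=$(mktemp)
make_sample_log "$demo_log"
scan_ssh_log "$demo_log"
report_hits "$demo_log"
rm -f "$demo_log"
```

In a real cron entry the script would be pointed at the live log (for example /var/log/auth.log) instead of the sample, and only `report_hits` would be called so that an empty hour produces no mail. Note that matching on fixed strings ties the check to the sshd log format, so a change of OpenSSH version or syslog layout should be followed by a quick re-check that the patterns still match.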
I am aware of fail2ban, but I am uncertain the tool would be useful for me.
I am using SSH key pairs. For remote access, my key pairs use a passphrase to protect the private key. That prevents the keys from being useful should I lose control of the laptop. The hourly cron job provides an additional layer of protection. I keep the server port forwarding disabled until needed.