Reviewing SSH Activity using Elastic Search / Kibana

3 min read

Keeping an eye on your server’s SSH activity from time to time is recommended. I created a dashboard using Kibana/Elastic Search to quickly review and potentially identify any suspicious activity. It is available on GitHub (https://github.com/aymenfurter/kibana-sshactivity/).

Why Monitor SSH Activity?

SSH monitoring is crucial for server security because:

  • Attack Detection: Identify brute force attacks and unauthorized access attempts
  • Compliance Requirements: Many regulations require audit trails of system access
  • Forensic Analysis: Understand what happened during security incidents
  • Operational Insights: Monitor legitimate user behavior and system usage patterns
  • Early Warning System: Detect anomalies before they become serious security breaches

Dashboard Architecture

Data Collection

The solution processes SSH logs to extract:

  • Login Attempts: Both successful and failed authentication attempts
  • User Information: Which users are accessing the system
  • Source IPs: Geographic and network information about connection sources
  • Timing Patterns: When attacks and legitimate access typically occur
  • Session Details: Duration and activity patterns of SSH sessions

Visualization Components

General SSH Activity Section

  • Failed login attempts over time
  • Geographic distribution of connection attempts
  • Top attacking IP addresses and user accounts
  • Success vs failure rate trends
  • Peak activity hours and patterns

Security Analysis Section

  • Brute force attack detection and patterns
  • Suspicious IP address identification
  • Unusual user behavior patterns
  • Geographic anomalies in access patterns
  • Correlation between different attack vectors

Technical Implementation

Log Processing Pipeline

  1. Log Ingestion: Collect SSH logs from system log files
  2. Parsing and Enrichment: Extract relevant fields and add context
  3. Geolocation: Add geographic information for IP addresses
  4. Indexing: Store processed data in Elasticsearch
  5. Visualization: Create interactive dashboards in Kibana

Key Metrics Tracked

  • Authentication Events: Success/failure rates and patterns
  • User Activity: Account usage and behavioral analysis
  • Network Analysis: Source IP reputation and geographic distribution
  • Temporal Patterns: Time-based analysis of access attempts
  • Anomaly Detection: Statistical deviation from normal patterns

Security Benefits

Threat Detection

The dashboard helps identify:

  • Brute Force Attacks: Repeated failed login attempts from same sources
  • Credential Stuffing: Attempts using common username/password combinations
  • Geographic Anomalies: Access from unexpected locations
  • Time-Based Anomalies: Access during unusual hours
  • Account Enumeration: Attempts to discover valid usernames

Operational Intelligence

Beyond security, the dashboard provides:

  • Usage Patterns: Understanding legitimate user behavior
  • Capacity Planning: Peak usage times and resource requirements
  • Compliance Reporting: Automated generation of access reports
  • Performance Monitoring: SSH service health and response times
  • Administrative Oversight: Tracking privileged user activities

Implementation Benefits

Real-Time Monitoring

  • Live Dashboards: Immediate visibility into current SSH activity
  • Alerting Integration: Automated notifications for suspicious patterns
  • Historical Analysis: Long-term trends and pattern recognition
  • Interactive Exploration: Drill-down capabilities for detailed investigation

Scalability and Maintenance

  • Horizontal Scaling: Handle logs from multiple servers
  • Automated Processing: Minimal manual intervention required
  • Retention Policies: Configurable data retention for compliance
  • Easy Deployment: Docker-based deployment for quick setup

Use Cases

Enterprise Environments

  • Multi-Server Monitoring: Centralized view of SSH activity across infrastructure
  • Compliance Auditing: Automated reporting for security audits
  • Incident Response: Quick identification and analysis of security events
  • Risk Assessment: Understanding attack patterns and exposure levels

Individual Administrators

  • Personal Server Security: Monitor home labs and personal servers
  • Learning Tool: Understand common attack patterns and techniques
  • Security Awareness: Visual representation of constant internet scanning
  • Baseline Establishment: Understand normal vs abnormal activity patterns

This solution transforms raw SSH logs into actionable security intelligence, making it easier to maintain server security and respond to threats effectively.

Topics: #Security #Monitoring #Infrastructure
← Back to Articles