Detect ssh attack using Nagios

July 17, 2012


Recently I noticed some malicious attempts to access my server via ssh. In /var/log/secure, I found entries like the following:

Failed password for root from *******

I decided to get notified of such activity. I thought about two options: one via the syslog-ng mail module and another with Nagios. Since I already have a working Nagios environment, I decided to use Nagios for alerting and notification.
There is a Nagios plug-in, check_logfiles (http://labs.consol.de/lang/en/nagios/check_logfiles/), which can search log files for a specific pattern and raise an alarm accordingly. check_logfiles is exactly the plug-in I was looking for.

I did the following steps to get alerts/notifications for ssh attack attempts.

Step1. Downloaded check_logfiles to /usr/local/src
cd /usr/local/src
wget http://labs.consol.de/download/shinken-nagios-plugins/check_logfiles-3.5.1.tar.gz

Step2. Installed check_logfiles in /usr/local/nagios/libexec
tar xzf check_logfiles-3.5.1.tar.gz
cd check_logfiles-3.5.1
./configure --prefix=/usr/local/nagios
make
make install

Step3. Then I tested whether check_logfiles was installed properly
cd /usr/local/nagios/libexec
./check_logfiles --tag=ssh --logfile=/var/log/secure --rotation=SOLARIS --criticalpattern="Failed password for root"


Step4. Edited /usr/local/nagios/etc/objects/commands.cfg and added the command definition shown below for the ssh attack check

vi /usr/local/nagios/etc/objects/commands.cfg

[screenshot: sshattack]


Step5. Edited /usr/local/nagios/etc/objects/localhost.cfg and added a service entry for a periodic check on localhost
vi /usr/local/nagios/etc/objects/localhost.cfg
[screenshot: sshattack-2]


Step6. Restarted nagios and viewed the nagios interface, but found an error

[screenshot: sshattack-3]

The error was about a permission issue on /var/tmp/check_logfiles. I set the correct ownership:
chown -R nagios /var/tmp/check_logfiles

But then the following error appeared:


insufficient permissions to open logfile /var/log/secure

So clearly the nagios user needs read permission on /var/log/secure. I gave the nagios user read permission on /var/log/secure with an ACL:

setfacl -m u:nagios:r /var/log/secure
 
Everything is set now, and I am getting the following:

[screenshot: sshattack-4]


15 thoughts on "Detect ssh attack using Nagios"

  1. Nishith Vyas.

    Hello Vishesh,

    This documentation worked well on my nagios core 3.x. But the availability report of nagios should show the total number of attacks.

    Instead of that, nagios displays the attack only for 2/3 minutes & no logs have been generated anywhere.

    Let me know if something is missing in my configuration.
  2. Anonymous

    We need to provide "WRITE" permission for the nagios user (i.e. on the files associated with the nagios user).
  3. Sunil Arora

    Hi Vishesh,

    I am totally new to Linux. Recently I have configured a Nagios 3.4.1 server on Ubuntu 12.04 Desktop version. My Nagios server is running and showing output on the web console as well. At the moment I have configured two check_commands (check_ping and check_snmp), of which check_ping is working fine and showing output in the web console. But check_snmp is not working, and my host on the web console is showing this service as "critical".

    The status information section of this critical service is showing this message: "Service Check Timed Out".

    I have tried to find a solution on the internet but nothing works; maybe, as I am totally new, I am missing some configuration required for snmp.

    For your information:

    /usr/local/nagios/libexec is showing check_snmp

    On my server snmpd is running (I have checked with the service snmpd status command)

    and I have already installed and compiled nagios-plugin-1.4.15 (with the help of the commands available in the nagios documentation)

    Could anyone suggest how I could fix this issue? And if possible, can someone share with me the step-by-step setup of SNMP for all the parameters in Nagios/Ubuntu, so that I can cross-check my snmp settings.

    Many thanks in advance.

    Sunil
  4. vishesh kumar

    Hi Sunil,

    What output do you receive by executing

    /usr/local/nagios/libexec/check_snmp -H "server ip address"
  5. abhay

    Hello Sir, after editing /usr/local/nagios/etc/objects/localhost.cfg, when I restarted nagios I received the below error:

    Running configuration check… CONFIG ERROR! Restart aborted. Check your Nagios configuration.
  6. abhay

    Hello Sir, after editing /usr/local/nagios/etc/objects/commands.cfg, when I restarted nagios I received the below error:

    "[root@example /]# /etc/init.d/nagios restart
    Running configuration check… CONFIG ERROR! Restart aborted. Check your Nagios configuration."

    Please help!
  7. Vishesh Kumar

    Hello Abhay,

    Verify your configuration file using the following command

    nagios -v /usr/local/nagios/etc/nagios.cfg

    Share your error report
  8. abhay

    [root@example /]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
    Reading configuration data…
    Read main config file okay…
    Processing object config file '/usr/local/nagios/etc/objects/commands.cfg'…
    Error: Invalid command object directive '–criticalpattern="Failed'.
    Error: Could not add object property in file '/usr/local/nagios/etc/objects/commands.cfg' on line 244.
    Error processing object config files!

    ***> One or more problems was encountered while processing the config files…
  9. Vishesh Kumar

    So there is an error in line 244 of commands.cfg. Share that line along with the previous and next lines (243 and 245); this seems to be a typo.
  10. abhay

    define command{

    command_name check_ssh_attack
    command_line $USER1$/check_logfiles –tag=ssh –logfile=/var/log/secure
    –criticalpatern="Failed password for root"
    }

    define service{
    use local=service
    host_name localhost
    service_description ssh attacks
    check_command check_ssh_attack
    }
  11. Vishesh Kumar

    The spelling of criticalpattern is wrong in your config file; check it.

    Also, in define service it should be
    use local-service, not use local=service

    Thanks
  12. Rupika

    The script shows 'OK', no matter what is in the log file:

    ——
    ./check_logfiles -tag ssh -logfile=/var/log/secure –criticalpattern="Failed password for"
    OK – no errors or warnings|ssh_lines=0 ssh_warnings=0 ssh_criticals=0 ssh_unknowns=0
    ——

    Whereas there are many failure attempts logged under /var/log/secure/:

    ——
    Sep 22 00:07:53 MY-HOST sshd[32067]: Received disconnect from IP.IP.IP.IP: 11: Bye Bye
    Sep 22 00:07:55 MY-HOST2 sshd[32068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=IP.IP.IP.IP user=root
    Sep 22 00:07:57 MY-HOST sshd[32068]: Failed password for root from IP.IP.IP.IP port 38437 ssh2
    Sep 22 00:07:57 MY-HOST sshd[32069]: Received disconnect from IP.IP.IP.IP: 11: Bye Bye
    Sep 22 00:07:59 OPS-152 sshd[32071]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=P.IP.IP.IP user=root
    Sep 22 00:08:01 MY-HOST sshd[32071]: Failed password for root from IP.IP.IP.IP port 39545 ssh2
    Sep 22 00:08:01 MY-HOST sshd[32072]: Received disconnect from IP.IP.IP.IP: 11: Bye Bye
    Sep 22 00:08:03 MY-HOST sshd[32073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=IP.IP.IP.IP user=root
    Sep 22 00:08:05 MY-HOST sshd[32073]: Failed password for root from IP.IP.IP.IP port 40682 ssh2
    Sep 22 00:08:05 MY-HOST sshd[32074]: Received disconnect from IP.IP.IP.IP: 11: Bye Bye
    ——
