
Secure Your Server: A Guide to Monitoring SSH Logins with Auditd and Logwatch
Securing a server begins with visibility. Knowing who is accessing your system, when they’re doing it, and what they’re attempting is fundamental to a strong security posture. While standard system logs like /var/log/auth.log provide a baseline, they can be insufficient for robust security monitoring. A sophisticated attacker with root access could potentially alter or erase these logs to cover their tracks.
This is where a more powerful, tamper-resistant solution becomes essential. By combining the Linux Auditing System (auditd) with the reporting power of Logwatch, you can create a highly effective and automated system for monitoring all SSH login activity.
Why Go Beyond Standard Logs? The Power of Auditd
The Linux Auditing System, or auditd, has its event source in the kernel, and that is its most significant advantage. The kernel's audit subsystem observes system calls and file accesses directly and hands the records to the audit daemon, so an event is recorded whether or not the application involved chose to log it: sshd cannot be talked out of generating a record the way a trojaned binary or a tampered syslog configuration can drop a line from auth.log. Be precise about what this does not give you, though. The audit log itself is an ordinary file under /var/log/audit/ that root can edit or delete, and root can also disable auditing with auditctl -e 0 or replace the rules. Two measures close that gap: set the immutable flag (-e 2 as the last line of your rules) so that neither the rule set nor the enabled state can be changed without a reboot, and forward the records off the host (the audisp remote or syslog plugin) so an intruder cannot rewrite history locally. With those in place, the audit trail becomes genuinely difficult to manipulate even for an attacker who has gained administrative privileges.
Think of auditd as a security camera watching the very core of your operating system. It provides a detailed, chronological record of security-relevant events, giving you a trustworthy source of information.
Step 1: Installing and Configuring Auditd for SSH Monitoring
First, you need to install the auditd package if it’s not already on your system.
For Debian/Ubuntu systems:
sudo apt-get update
sudo apt-get install auditd
For Red Hat/CentOS systems, where the package that provides auditd is named audit (use dnf in place of yum on RHEL 8 and later):
sudo yum install audit
Once installed, the real power comes from defining specific rules. We want auditd to watch two things: any change to the SSH server configuration, and every inbound connection that sshd accepts. One point to get right up front: audit syscall rules can filter on a system call's integer arguments, but the TCP port of a connection lives inside the sockaddr structure, which the kernel records separately in a SOCKADDR record, so no audit rule can select "port 22" directly. The reliable handle is the process instead: sshd, identified by its executable path.
Create a new rule file specifically for SSH:
sudo nano /etc/audit/rules.d/ssh.rules
Add the following lines to this file:
# Monitor for any modifications to the SSH server configuration
-w /etc/ssh/sshd_config -p wa -k sshd_config
# OpenSSH 8.2 and later also read drop-in files from this directory
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config
# Record every inbound connection sshd accepts (-F exe needs kernel 4.3 or later)
-a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -k ssh_connect
Let's break down what these rules do:
- -w /etc/ssh/sshd_config -p wa -k sshd_config: This rule places a watch (-w) on the sshd_config file. It logs any write access (w) or attribute change (a) to the file and tags these events with the key sshd_config for easy searching. The second watch does the same for the drop-in directory that newer OpenSSH releases include from sshd_config, so a setting smuggled into a *.conf file there is caught as well. Either one alerts you immediately if someone changes your SSH security settings.
- -a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -k ssh_connect: This rule logs, on exit from the system call, every accept or accept4 made by the /usr/sbin/sshd executable, which is every inbound TCP connection the daemon takes, whether or not a login follows. The kernel attaches a SOCKADDR record holding the peer address and port to each event, which is what lets us count connections per source IP. Be clear about what this does and does not tell you: a connection is recorded before any authentication happens, so scans and brute-force attempts show up here, but the rule cannot say whether a login succeeded. For that, use the USER_LOGIN and USER_AUTH records that an OpenSSH built with libaudit support (the RHEL and Debian/Ubuntu packages are) writes itself, each carrying addr= and res=success or res=failed: sudo ausearch -m USER_LOGIN -i. A 32-bit (arch=b32) copy of the accept rule is only needed if sshd itself is a 32-bit binary, which it is not on any mainstream 64-bit install.
To apply these new rules, load them into the kernel. Files in /etc/audit/rules.d/ are merged into /etc/audit/audit.rules by augenrules, which the service runs at start-up, so either restart the daemon or load the merged rules into the running daemon without a restart:
sudo service auditd restart
sudo augenrules --load
You can verify that the rules are loaded with sudo auditctl -l; the rules you added should be listed. If you have set the immutable flag (-e 2), the kernel refuses further changes and a reboot is needed after editing the rules.
Step 2: Making Sense of the Data with Logwatch
The logs generated by auditd are incredibly detailed but can be dense and difficult to read for a quick overview. This is where Logwatch comes in. Logwatch is a powerful log analysis tool that parses your system logs and creates a clean, human-readable summary, which it can email to you daily.
Logwatch is packaged for every major distribution (install it with sudo apt-get install logwatch or sudo yum install logwatch if it is missing), but it needs to be taught where our audit log lives and how to summarise it. Logwatch separates the two: a logfile group (under conf/logfiles/) names the files to read, and a service (a definition under conf/services/ plus a script of the same name under scripts/services/) consumes a group and produces one section of the report. Three small files are needed.
First, tell Logwatch where to find the audit logs by defining the logfile group:
sudo nano /etc/logwatch/conf/logfiles/audit.conf
Add this content. Paths are relative to Logwatch's LogDir, /var/log by default, and auditd rotates to audit.log.1, audit.log.2 and so on without compressing them, so the archive pattern must match plain files:
LogFile = audit/audit.log
Archive = audit/audit.log.*
*ExpandRepeats
Next, define the service that consumes this group. Create /etc/logwatch/conf/services/audit.conf containing the two lines Title = "Auditd: SSH" and LogFile = audit. Without it Logwatch does not know that a service called audit exists and will not run the script below.
Finally, provide Logwatch with the script that turns the records in that group into a report section. Logwatch runs the script with the selected log lines on standard input, so the script reads STDIN rather than calling ausearch itself. Create the service script file:
sudo nano /etc/logwatch/scripts/services/audit
Add the following Perl script. It picks out the SYSCALL records tagged with our ssh_connect key, pairs each with the SOCKADDR record of the same event to recover the peer address, and prints a per-address connection count:
#!/usr/bin/perl
# Logwatch service filter for the auditd "ssh_connect" key. Logwatch hands the
# raw audit.log lines to this script on STDIN. Each accept() by sshd produces a
# SYSCALL record (carrying the key) and a SOCKADDR record (carrying the peer
# address) that share one msg=audit(timestamp:serial) id; we join them on it.
use strict;
use warnings;

my (%tagged, %saddr);
while (my $line = <STDIN>) {
    my ($id) = $line =~ /msg=audit\(([\d.]+:\d+)\)/ or next;
    if ($line =~ /^type=SYSCALL .*comm="sshd".*key="ssh_connect"/) {
        $tagged{$id} = 1;
    } elsif ($line =~ /^type=SOCKADDR .*saddr=([0-9A-Fa-f]+)/) {
        $saddr{$id} = $1;
    }
}

# Decode the kernel's raw sockaddr hex: address family as a little-endian u16,
# the port as a big-endian u16, then 4 bytes of IPv4 address or (after 4 bytes
# of flowinfo) 16 bytes of IPv6 address. Local sockets yield no peer.
sub peer_ip {
    my $raw    = pack('H*', shift);
    my $family = unpack('v', $raw) or return;
    return join('.', unpack('x4 C4', $raw)) if $family == 2;                          # AF_INET
    return join(':', map { sprintf '%x', $_ } unpack('x8 n8', $raw)) if $family == 10; # AF_INET6
    return;
}

my %connections;
for my $id (keys %tagged) {
    next unless exists $saddr{$id};
    my $ip = peer_ip($saddr{$id}) or next;
    $connections{$ip}++;
}

if (%connections) {
    print "\n SSHD connections:\n";
    printf " %-15s %s\n", 'IP Address', 'Connections';
    printf " %-15s %s\n", '-' x 15, '-' x 11;
    printf " %-15s %d\n", $_, $connections{$_} for sort keys %connections;
}
exit 0;
Finally, make this new script executable:
sudo chmod +x /etc/logwatch/scripts/services/audit
Step 3: Testing and Finalizing Your Monitoring
You can now run a manual test to see what your daily report will look like. This command tells Logwatch to process only the audit service and print the output to your screen instead of emailing it:
sudo logwatch --service audit --range today --output stdout
One caveat about --range: the logfile group above defines no date filter (Logwatch's standard filters expect syslog-style timestamps, not the epoch value inside msg=audit(...)), so Logwatch passes every record currently in audit.log to the script regardless of the range you ask for. In practice the report covers whatever auditd has not yet rotated away, which you control with max_log_file and num_logs in /etc/audit/auditd.conf.
If everything is configured correctly, you will see a summary of the SSH connections auditd has logged, one row per source address, sorted by address:
SSHD connections:
IP Address      Connections
--------------- -----------
10.0.5.25       14
192.168.1.101   2
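The table above counts connections, which is all an audit syscall rule can see; it cannot tell a successful login from a failed one. An OpenSSH built with libaudit support writes its own USER_LOGIN records for that, each carrying the peer address (addr=), the account involved (acct= on failure, id= on success) and the outcome (res=). The following Python script is an added example, not part of the original article or of Logwatch: it parses raw audit.log records of that shape, summarises successes and failures per source address, and flags sources with a burst of failures inside a sliding time window, the brute-force pattern a daily report should surface. The twelve sample records are constructed for the example (no real traffic), the sshd executable path /usr/sbin/sshd is assumed, and the threshold and window values are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host). They
# follow the raw shape OpenSSH writes for USER_LOGIN events when built with
# libaudit: 'id=' is the authenticated uid on success, 'acct=' the attempted
# account on failure, 'addr=' the peer address and 'res=' the outcome. One
# console login and one SYSCALL record are included to show they are skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1718000000.101:5001): pid=2201 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.1.101 addr=192.168.1.101 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1718000100.202:5002): pid=2210 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.5.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000110.303:5003): pid=2214 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.5.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000117.404:5004): pid=2219 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=10.0.5.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000125.505:5005): pid=2223 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=10.0.5.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000130.606:5006): pid=2228 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="ubuntu" exe="/usr/sbin/sshd" hostname=? addr=10.0.5.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000140.707:5007): pid=2231 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.5.25 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000200.808:5008): pid=2240 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="deploy" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000800.909:5009): pid=2260 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="deploy" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1718000900.111:5010): pid=2270 uid=0 auid=1000 ses=13 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.1.101 addr=192.168.1.101 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1718000950.222:5011): pid=900 uid=0 auid=1000 ses=14 msg='op=login id=1000 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1718000900.111:5012): arch=c000003e syscall=43 success=yes exit=7 a0=3 a1=7ffd9b6a0c30 a2=7ffd9b6a0c2c a3=0 items=0 ppid=1 pid=1100 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="ssh_connect"
"""

SSHD_EXE = "/usr/sbin/sshd"  # assumed path of the daemon; adjust for your distribution

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:\d+\):(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict with 'type', 'ts' (epoch seconds)
    and every key=value field, including those nested inside msg='...'.
    Returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec_type, ts, body = m.group(1), int(m.group(2)), m.group(3)
    # Lift the quoted msg='...' payload into the main field list.
    nested = re.search(r"msg='([^']*)'", body)
    if nested:
        body = body[: nested.start()] + nested.group(1) + body[nested.end():]
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(body)}
    rec["type"], rec["ts"] = rec_type, ts
    return rec


def ssh_logins(log_text):
    """Yield the USER_LOGIN records written by sshd, in file order."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("exe") == SSHD_EXE:
            yield rec


def summarize_logins(log_text):
    """Per peer address: successful and failed login counts, plus the account
    names tried in the failed attempts (sorted, deduplicated)."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0, "failed_accounts": set()})
    for rec in ssh_logins(log_text):
        entry = summary[rec.get("addr", "?")]
        if rec.get("res") == "success":
            entry["success"] += 1
        else:
            entry["failed"] += 1
            entry["failed_accounts"].add(rec.get("acct", "?"))
    return {peer: {**e, "failed_accounts": sorted(e["failed_accounts"])}
            for peer, e in summary.items()}


def failed_login_bursts(log_text, threshold=5, window=60):
    """Flag peers with at least `threshold` failed logins inside any `window`
    seconds (sliding window over sorted timestamps). Returns peer -> the largest
    number of failures seen in one window, for peers at or over the threshold."""
    failures = defaultdict(list)
    for rec in ssh_logins(log_text):
        if rec.get("res") != "success":
            failures[rec.get("addr", "?")].append(rec["ts"])
    flagged = {}
    for peer, times in failures.items():
        times.sort()
        start, densest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            flagged[peer] = densest
    return flagged


if __name__ == "__main__":
    for peer, e in sorted(summarize_logins(SAMPLE_AUDIT_LOG).items()):
        print(f"{peer:<39} ok={e['success']:<3} failed={e['failed']:<3} "
              f"accounts={','.join(e['failed_accounts']) or '-'}")
    for peer, n in failed_login_bursts(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT: {peer} made {n} failed SSH logins within 60 seconds")
```

Feeding it sys.stdin.read() in place of SAMPLE_AUDIT_LOG turns it into a Logwatch service script, since Logwatch delivers the selected log lines on standard input. The sliding window is the part worth copying: counting failures per day hides a burst of six attempts in forty seconds among a day of noise, while a window of a minute or two isolates exactly that pattern.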
A Proactive Approach to Server Security
By integrating auditd and Logwatch, you move from a reactive to a proactive security model. You now have a robust system that provides:
- Kernel-Sourced Logging: events are recorded by the kernel as they happen, not by the daemon being watched, and with the immutable flag (-e 2) and off-host forwarding in place the trail resists tampering even by an attacker with root.
- Detailed Event Tracking: every inbound connection sshd accepts and every change to its configuration, each tagged with a key you can search with ausearch -k.
- Automated Daily Reports: Receive a clean, simple summary of all SSH activity directly in your inbox.
This powerful combination gives you the visibility you need to spot unauthorized access, identify brute-force attacks early, and maintain a secure and resilient server environment. Implementing this setup is a significant step forward in hardening your infrastructure.
Source: https://infotechys.com/monitor-ssh-logins-using-auditd-and-logwatch/


