Alert on multiple ssh root sessions

tor · November 3, 2021, 4:03pm

Description of your problem

I am trying to alert on 4 or more failed ssh root attempts into systems.

Description of steps you’ve taken to attempt to solve the issue

I have found 2 filters

message:“sshd” AND “authentication failure”
This one only alerts after I have tried my root password 3 times and then sends 1 alert rather than 3 but this one does show me a field for user “root” which i can filter on.
message:“ssh2” AND “Failed password for root from”
This one logs everytime I do a failed password which is good because then i can set a aggregation for >=4. But no specific field for user because the user root is in the message.

I would like the use of the best of both filters. So that I get a user and it logs everytime a failed password has happened so that I can set an alert to notify aggregate for >=4 then send an email.

Operating system information

CentOS 7.9

Package versions

Graylog 4.2.0

gsmith · November 4, 2021, 2:39am

@tor

I did a mockup of something I have in my environment but I combine two streams for my Alert definition.

You can add fields if you like to enhance your alerts, also I have macro’s in my notification template that show who and what failed.
Hope that helps

system · November 18, 2021, 2:40am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.