So running the following on the command line spits out the connections made via ssh to my Pi:
zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u
and
grep 'sshd.*Failed' /var/log/auth.log
shows the failed login attempts via ssh.
However, they do not spit out a nice single-line output that HA can use. The first provides a list of IPs and the second gives something to the effect of:
"raspberrypi sshd[28359]: Failed password for pi from 192.168.1.6 port 51966 ssh2"
Is there a way to extract this data and make it readable in the HA front end? We have failed-login detection for the front end (link below), but I figured if I can set up sensors to monitor other intrusion methods, why not.
For the latter I think I can use something similar to the failed-login detection for the front end and just ask it to return a value for "failed password". However, I do not know how to list the IPs that are making connections.
Having port 8123 open on my Pi has resulted in a lot of activity on my router from the likes of Ukraine and China. From what I can tell nothing has been breached, but it would be nice to have some automated monitoring.
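One way to turn the two greps above into single-line values that a Home Assistant command_line sensor can consume, as an added example that is not part of the original post: the shell functions below run over a constructed block of auth.log lines (not real traffic) in the wording the post quotes, and assume the standard OpenSSH "Failed password ... from ... port ..." and pam_unix "rhost=" message formats.

```shell
#!/bin/sh
# Added example: summarise sshd failures from auth.log as single-line values
# for a Home Assistant command_line sensor. Not code from the original post.

# Constructed sample auth.log lines (not real traffic), using the wording the
# post quotes for "Failed password" plus a pam_unix line carrying rhost=.
SAMPLE_LOG='Mar  3 10:01:02 raspberrypi sshd[28359]: Failed password for pi from 192.168.1.6 port 51966 ssh2
Mar  3 10:01:05 raspberrypi sshd[28359]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 10:01:09 raspberrypi sshd[28360]: Accepted publickey for pi from 192.168.1.6 port 51970 ssh2
Mar  3 10:02:11 raspberrypi sshd[28361]: Failed password for root from 203.0.113.9 port 40100 ssh2
Mar  3 10:02:30 raspberrypi sshd[28362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=pi'

# failed_count: number of "Failed password" lines read from stdin. Prints 0
# rather than failing when there are none (grep -c exits 1 on zero matches).
failed_count() {
    grep -c 'sshd.*Failed password' || true
}

# failed_ips: one line, most active source first, e.g. "203.0.113.9(2),192.168.1.6(1)".
# The address is the token between " from " and " port ", so IPv6 sources work too.
failed_ips() {
    grep 'sshd.*Failed password' \
    | sed -E 's/.* from ([^ ]+) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ printf "%s%s(%d)", (NR > 1 ? "," : ""), $2, $1 } END { print "" }'
}

# rhost_ips: the unique rhost= values the post's first pipeline extracts,
# joined onto a single comma-separated line.
rhost_ips() {
    grep 'sshd.*rhost=' \
    | sed -E 's/.*rhost=([^ ]+).*/\1/' \
    | sort -u \
    | paste -s -d, -
}

# Demo on the constructed sample. Against the real (possibly rotated and
# gzipped) logs use, for example:  zcat -f /var/log/auth.log* | failed_ips
printf '%s\n' "$SAMPLE_LOG" | failed_count
printf '%s\n' "$SAMPLE_LOG" | failed_ips
printf '%s\n' "$SAMPLE_LOG" | rhost_ips
```

Put the script on the Pi and point a command_line sensor's command at whichever function you want; the user Home Assistant runs as needs read access to /var/log/auth.log (root:adm on Raspbian, so add it to the adm group). Two caveats: a Home Assistant state is limited to 255 characters, so cap a long IP list (pipe through head, or move it into an attribute), and these sensors only see sshd, so the port 8123 traffic you see at the router shows up in Home Assistant's own log rather than in auth.log.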