Search for common phrases related to SSH logins
Papertrail is good for all types of things, I especially enjoy it because it makes finding problems quite easy. Another fun thing to do with Papertrail is see how many people are trying to either login to your server via ssh, or attack sshd itself.
Find Potential Break-In Attempts
You can save searches in Papertrail, which makes finding certain events extremely easy. When I want to see potential break-in attempts, I have a saved search for
not listed in AllowUsers. My server names have been blacked out in the image below.
Show All sshd Associated Event Logs
To see all events associated with sshd, you can save a search for
program:sshd. This will show all log entries generated by sshd. Again, server names have been censored.
Papertrail has groups that you can put your servers into. Saved searches can be applied to a specific group of servers, or all servers. It’s really quite nice, especially if you have a server that almost nobody ever logs in to. Papertrail also lets you know the last time a log message was received from a server. For most servers, the last log event will have been
Receive Alerts for Saved Searches
One of the best features are the alerts on saved searches. If you have a server that nobody but you logs into but you, you can setup an alert for when someone logs in via SSH. Most of the time the alert will just be you logging in, but this is excellent information to have if someone else does manage to login. Someone could have obtained your private key or your password.
You can specify the minimum number of events needed before the alert is activated. I’ve got an alert setup that sends me an email after my public key has been accepted 20 times. The alert is sent once an hour. I have the minimum number of events so high because I login frequently with FileZilla and make small edits to files, which causes a lot of SSH logins.
If you have to manage any servers at all, you might as well give Papertrail a try. They have a free plan that lasts forever. If you find that you need more than 100MB of log storage space, you can get 1GB for $5 per month, which is plenty for most folks. $5 only includes 1 day of log retention, $7 per month gets you a week of log retention.
Well, now what?
Work with Me
I'm available for hire and always taking new clients, big and small. Got a project or an idea you'd like to discuss? Startup plan but no developer to make it happen? Just get in touch, I'd love to see if I can help you out!
Leave some Feedback
Got a question or some updated information releavant to this post? Please, leave a comment! The comments are a great way to get help, I read them all and reply to nearly every comment. Let's talk. 😀