Parse log file and send attempted logins to MySQL server
When I saw a huge number of failed login attempts in my SSH logs, I wanted a way to get more information. I started out only mapping IPs using geolocation data; now the map is more interactive, with links to Shodan and more statistics. This project is made up of a server and a sensor, both of which use the same SQL database. I also created a self-contained version here, though it is not maintained.
The MySQLdb Python module is required to connect to a MySQL server. The packages listed below are the Python 2 builds of MySQL-python; on Python 3 the same MySQLdb module is provided by the mysqlclient fork.
Windows platforms can install it from here
Ubuntu systems can install it with apt using
sudo apt-get install python-mysqldb
RPM systems can install it with
yum install MySQL-python
Fedora can install it with
dnf install python-mysql
macOS can install it using these steps
Amazon Linux can install it with
sudo yum install mysql-devel python-devel MySQL-python
This is the same database as referenced in the Mapper Server documentation.
Change the variables in sensor_vars.py to connect to a database.
HOSTNAME gives a name to the sensor. It does not need to be the machine's actual hostname. If it is left as None the default value will be 'Anonymous' in the database.
DB_URL is the FQDN or IP address of the database server.
DB_USER and DB_PASSWD are the credentials required to use the database. They are stored in plaintext in sensor_vars.py, so restrict that file's permissions to the user the sensor runs as, and give the database account only the privileges the sensor needs on its own database.
DB_TABLE is the database the sensor will use.
AUTH_FILE is the file the sensor parses.
LOG_SUCCESSES controls whether successful logins are recorded. By default they are not logged, so they are not mapped. If you wish to include successful logins, set this variable to anything except None and 0.
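The sensor-side work these variables configure, as an added example rather than the Log-Sensor project's own code: read sshd lines of the kind found in AUTH_FILE, drop successful logins unless LOG_SUCCESSES is set, fall back to 'Anonymous' when HOSTNAME is None, and hand the rows to the database with a parameterised query. Usernames in an SSH auth log are chosen by whoever is attacking the host, so they must never be spliced into SQL by string formatting. The table name `logins`, its columns, the function names and the sample log lines are all assumptions made up for this illustration, and `MemoryConn` stands in for a MySQLdb connection so the example runs offline.

```python
"""Added example (not the Log-Sensor project's code): parse sshd auth-log
lines and insert them with parameterised SQL.  Table/column names, function
names and the sample log are assumptions made for this illustration."""
import re
from datetime import datetime

# Values a sensor_vars.py might hold (assumed for this example).
HOSTNAME = None        # None -> recorded as 'Anonymous'
LOG_SUCCESSES = None   # None or 0 -> successful logins are not recorded

# Constructed sample log: three failures, one success, one non-sshd line.
# The last failed attempt carries an injection payload as its username.
SAMPLE_LOG = """\
Mar  3 04:12:55 sensor1 sshd[2291]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:58 sensor1 sshd[2291]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 04:13:02 sensor1 sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 55555 ssh2
Mar  3 04:13:09 sensor1 sshd[2305]: Failed password for invalid user ' OR 1=1 -- from 203.0.113.5 port 51240 ssh2
Mar  3 04:13:10 sensor1 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# syslog timestamp, host, sshd[pid], then the Accepted/Failed line.
# The username is matched non-greedily up to " from <ip> port <n>" because
# sshd logs it verbatim, spaces and quotes included.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>.+?) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Assumed schema for this example; the placeholders are MySQLdb's %s style.
INSERT_SQL = (
    "INSERT INTO logins (sensor, event_time, username, ip, port, success) "
    "VALUES (%s, %s, %s, %s, %s, %s)"
)


def parse_line(line, year):
    """Return an event dict for an sshd login line, or None for anything else.
    syslog timestamps carry no year, so the caller supplies it."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {
        "sensor": HOSTNAME or "Anonymous",
        "timestamp": ts,
        "user": m.group("user"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "success": m.group("result") == "Accepted",
    }


def parse_auth_log(lines, year, log_successes=LOG_SUCCESSES):
    """Parse every line, keeping successes only when log_successes is truthy
    (anything other than None or 0)."""
    events = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["success"] and not log_successes:
            continue
        events.append(ev)
    return events


def store_events(conn, events):
    """Insert events through a DB-API connection.  The username travels as a
    bound parameter, so the payload in the sample log stays data."""
    rows = [(e["sensor"], e["timestamp"], e["user"], e["ip"], e["port"],
             int(e["success"])) for e in events]
    cur = conn.cursor()
    cur.executemany(INSERT_SQL, rows)
    conn.commit()
    return len(rows)


class MemoryConn(object):
    """Offline stand-in for a MySQLdb connection: records (sql, rows) pairs
    instead of sending them to a server."""
    def __init__(self):
        self.calls = []
        self.committed = False

    def cursor(self):
        return self

    def executemany(self, sql, rows):
        self.calls.append((sql, list(rows)))

    def commit(self):
        self.committed = True


if __name__ == "__main__":
    conn = MemoryConn()
    events = parse_auth_log(SAMPLE_LOG.splitlines(), 2024)
    print("inserting %d rows" % store_events(conn, events))
    for sql, rows in conn.calls:
        print(sql)
        for row in rows:
            print(row)
```

With a real MySQLdb connection the only change is replacing `MemoryConn()` with `MySQLdb.connect(host=DB_URL, user=DB_USER, passwd=DB_PASSWD, db=DB_TABLE)`; the parameterised `executemany` call is the same.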
Update Script Configuration
LS_USER is the user the script should run as.
LS_LOC is the directory the sensor was installed in.
Set a root crontab to run the sensor update every hour:
sudo crontab -e
0 * * * * /opt/Log-Sensor/update.sh
Change the location from /opt/ if you cloned it somewhere else. Because the job runs as root, make sure update.sh and the directory it lives in are writable only by root.