# Security Alerts

Get notified about failed logins, SSH access, and suspicious activity.

Security events need a fast response. Route login failures, SSH access, and suspicious activity through Alphorn so the right people are alerted immediately.
## Failed SSH login attempts

Monitor /var/log/auth.log for failed login attempts:

```bash
#!/bin/bash
# Run from cron every 10 minutes; alerts when failed SSH logins exceed THRESHOLD.
WEBHOOK="https://app.alphorn.dev/api/webhooks/wh_abc123"
HOSTNAME=$(hostname)
THRESHOLD=5
# Traditional syslog pads the day with a space ("Mar  5"), so use %e, not %d.
# The awk string comparison only works within a single month (month names don't sort).
SINCE=$(date -d '10 minutes ago' '+%b %e %H:%M')

# Count failed attempts in the last 10 minutes
FAILURES=$(grep "Failed password" /var/log/auth.log | \
  awk -v d="$SINCE" '$0 >= d' | wc -l)

if [ "$FAILURES" -ge "$THRESHOLD" ]; then
  # Top 5 source IPs ($(NF-3) is the address after "from"), flattened onto one
  # line so the JSON string stays valid (raw newlines are not allowed in JSON).
  SOURCES=$(grep "Failed password" /var/log/auth.log | \
    awk -v d="$SINCE" '$0 >= d {print $(NF-3)}' | \
    sort | uniq -c | sort -rn | head -5 | \
    awk '{printf "%s%s (%s)", sep, $2, $1; sep=", "}')
  curl -s -X POST "$WEBHOOK" \
    -H "Content-Type: application/json" \
    -d "{
      \"title\": \"SSH brute force detected: $HOSTNAME\",
      \"message\": \"$FAILURES failed login attempts in the last 10 minutes.\n\nTop sources: $SOURCES\",
      \"priority\": 5,
      \"tags\": [\"security\", \"ssh\", \"brute-force\", \"$HOSTNAME\"]
    }"
fi
```

## Successful root/sudo access
Alert whenever someone gains root access:

```bash
# Intended for a root shell startup file (e.g. /root/.bashrc); runs when a root shell opens.
if [ "$(id -u)" -eq 0 ]; then
  # SUDO_USER is set for sudo sessions; logname covers direct root logins
  CALLER="${SUDO_USER:-$(logname 2>/dev/null || echo unknown)}"
  SRC_IP="${SSH_CLIENT%% *}"   # empty for local (non-SSH) sessions
  curl -s -X POST "https://app.alphorn.dev/api/webhooks/wh_abc123" \
    -H "Content-Type: application/json" \
    -d "{
      \"title\": \"Root login: $(hostname)\",
      \"message\": \"User: $CALLER, IP: ${SRC_IP:-local}, TTY: $(tty)\",
      \"priority\": 4,
      \"tags\": [\"security\", \"root-login\", \"$(hostname)\"]
    }" &>/dev/null &   # backgrounded so the shell is not delayed
fi
```

## Application-level auth alerts
Notify on suspicious login patterns from your app:

```javascript
// Called by the auth layer after each failed attempt; alerts once the lockout threshold is hit.
async function onLoginFailed(email, ip, attempts) {
  if (attempts >= 5) {
    await fetch("https://app.alphorn.dev/api/webhooks/wh_abc123", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        title: `Account lockout: ${email}`,
        message: `${attempts} failed login attempts from IP ${ip}`,
        priority: 4,
        tags: ["security", "login-failed", "lockout"],
      }),
    });
  }
}

// Called when a user signs in from a device not seen before.
async function onLoginFromNewDevice(user, device, ip, location) {
  await fetch("https://app.alphorn.dev/api/webhooks/wh_abc123", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      title: `New device login: ${user.email}`,
      message: `Device: ${device}\nIP: ${ip}\nLocation: ${location}`,
      priority: 3,
      tags: ["security", "new-device"],
    }),
  });
}
```

## Routing examples
| Channel | Filter | Purpose |
|---|---|---|
| PagerDuty | tags CONTAINS "brute-force" | Immediate response to attacks |
| Slack (#security) | tags CONTAINS "security" | All security events |
| Telegram | tags CONTAINS "root-login" | Personal alert for root access |
| | tags CONTAINS "security" | Audit trail |
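As an added example (not part of the Alphorn documentation), the failed-SSH-login detection and the routing table above in Python: a parser over constructed auth.log lines that counts failed logins per source IP inside the 10-minute window, builds the same title/message/priority/tags payload as the shell script (with `json.dumps` the body stays valid JSON even though the message contains newlines), and evaluates the table's `tags CONTAINS` filters. Channel names come from the table; the log lines, host name `web1` and clock value are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not real log data).
SAMPLE_AUTH_LOG = """\
Mar  5 14:12:01 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 14:12:03 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  5 14:12:05 web1 sshd[813]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  5 14:13:40 web1 sshd[820]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Mar  5 14:15:10 web1 sshd[830]: Failed password for invalid user test from 203.0.113.7 port 51040 ssh2
Mar  5 13:50:00 web1 sshd[700]: Failed password for root from 192.0.2.9 port 2222 ssh2
"""
# Traditional syslog pads the day with a space ("Mar  5"); \s+ absorbs either form.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")
# Routing rules from the table above: (channel, tag its "tags CONTAINS" filter needs).
ROUTES = [("PagerDuty", "brute-force"), ("Slack (#security)", "security"), ("Telegram", "root-login")]

def failed_sources(log_text, now, window_minutes=10):
    """Count failed-login source IPs whose timestamp falls inside [now - window, now]."""
    since = now - timedelta(minutes=window_minutes)
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; assume the current one (only wrong across New Year)
        ts = datetime.strptime(f"{now.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if since <= ts <= now:
            hits[m.group(2)] += 1
    return hits

def build_alert(hostname, hits, threshold=5, window_minutes=10):
    """Alphorn payload with the page's title/message/priority/tags, or None below threshold."""
    total = sum(hits.values())
    if total < threshold:
        return None
    top = "\n".join(f"{n:>4} {ip}" for ip, n in hits.most_common(5))
    return {
        "title": f"SSH brute force detected: {hostname}",
        "message": f"{total} failed login attempts in the last {window_minutes} minutes.\n\nTop sources:\n{top}",
        "priority": 5,
        "tags": ["security", "ssh", "brute-force", hostname],
    }

def route(alert):
    """Channels whose filter matches the alert's tags (json.dumps(alert) is the POST body)."""
    return [channel for channel, tag in ROUTES if tag in alert["tags"]]
```

With the sample at a constructed clock of 14:16, five failures fall inside the window (four from 203.0.113.7, one from 198.51.100.4), the 13:50 line is excluded, and the alert routes to PagerDuty and Slack but not Telegram.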