
GauravGhandat-23/Splunk-Dashboard-for-SSH-Logs


🔐 SSH Authentication Monitoring Dashboard (Splunk)

🚀 Real-Time SSH Security Monitoring • Brute-Force Detection • Geo-Attack Visualization


📌 Objective

The objective of this project is to design and implement a Splunk dashboard for monitoring SSH authentication activity on Linux servers. The dashboard helps security analysts:

  • Monitor total SSH activity
  • Track successful and failed login attempts
  • Detect brute-force attacks
  • Visualize attack origins using geo-location data

This dashboard is designed with consistent time filtering and security-focused visualizations for effective threat detection.


🧪 Lab Setup

Prerequisites

  • Splunk Enterprise / Splunk Free
  • SSH log data ingested in JSON format
  • Indexed SSH log files:
    • ssh_logs.json
    • ssh_logs_new.json
  • Linux servers:
    • LinuxServer
    • LinuxNew

⏱️ Task 0: Setting Up Time Range

Goal

Ensure consistent time filtering across all dashboard panels.

Steps

  1. Click Add Time Range Button
  2. Click Add Input
  3. Select Time
  4. Click the Pencil Icon
  5. Set:
    • Label: Time Range
    • Token: time_range
  6. Click Add Input
  7. Select Submit

⚠️ Note: For all future panels, set the Time Picker to time_range for consistency.


🔐 Task 1: Authentication Overview Panels

Goal

Provide a quick overview of SSH authentication activity.


1️⃣ Total SSH Events

  • Panel Type: Single Value
  • Time Picker: time_range
  • Title: Total SSH Events

Search Query:

source="ssh_logs.json" host="LinuxServer" sourcetype="_json"
| stats count AS "Total SSH Events"

2️⃣ Successful Logins

  • Panel Type: Single Value
  • Time Picker: time_range
  • Title: Successful Logins

Search Query:

source="ssh_logs.json" host="LinuxServer" sourcetype="_json" event_type="Successful SSH Login"
| stats count AS "Successful Logins"

3️⃣ Failed Logins

  • Panel Type: Single Value
  • Time Picker: time_range
  • Title: Failed Logins

Search Query:

source="ssh_logs.json" host="LinuxServer" sourcetype="_json" event_type="Failed SSH Login"
| stats count AS "Failed Login"

4️⃣ Connection Without Authentication (Invalid Users)

  • Panel Type: Single Value
  • Time Picker: time_range
  • Title: Invalid User Attempts

Search Query:

index=auth "sshd" "invalid user"
| stats count AS "Invalid User Attempts"
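The four Task 1 single-value panels, and the shared time range from Task 0, replayed in plain Python so the counts can be checked without a Splunk instance. This is an added example, not code from the repository: the events are constructed JSON Lines (the shape Splunk ingests with sourcetype="_json"), the field names event_type, host, username and id.orig_h come from the README's queries, and the timestamp field "ts" and the raw "message" field are assumptions. The earliest/latest pair plays the role of the $time_range$ token that every panel shares.

```python
"""Replay of the Task 1 overview panels under one shared time range (Task 0)."""
import json
from datetime import datetime

# Constructed sample events (not real logs). One JSON object per line, as Splunk ingests them.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "host": "LinuxServer", "event_type": "Successful SSH Login", "username": "alice", "id.orig_h": "10.0.0.5", "message": "sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022"}
{"ts": "2024-05-01T10:01:00Z", "host": "LinuxServer", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "203.0.113.7", "message": "sshd[2105]: Failed password for root from 203.0.113.7 port 40011"}
{"ts": "2024-05-01T10:01:05Z", "host": "LinuxServer", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.7", "message": "sshd[2106]: Failed password for admin from 203.0.113.7 port 40012"}
{"ts": "2024-05-01T10:02:00Z", "host": "LinuxServer", "event_type": "Invalid User", "username": "oracle", "id.orig_h": "203.0.113.7", "message": "sshd[2107]: Invalid user oracle from 203.0.113.7 port 40013"}
{"ts": "2024-05-01T10:03:00Z", "host": "OtherHost", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "198.51.100.2", "message": "sshd[3300]: Failed password for root from 198.51.100.2 port 5522"}
{"ts": "2024-05-01T12:00:00Z", "host": "LinuxServer", "event_type": "Successful SSH Login", "username": "bob", "id.orig_h": "10.0.0.9", "message": "sshd[2200]: Accepted password for bob from 10.0.0.9 port 51100"}
"""


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z (assumed "ts" format)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_events(jsonl: str) -> list:
    """Turn JSON Lines into event dicts, adding a parsed _time like Splunk does."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = utc(ev["ts"])
        events.append(ev)
    return events


def overview_counts(events: list, host: str, earliest: datetime, latest: datetime) -> dict:
    """Replay the four Task 1 panels. earliest/latest stand in for the $time_range$ token."""
    # Time Picker = time_range: the same window is applied to every panel.
    scoped = [ev for ev in events if earliest <= ev["_time"] < latest]
    # The first three README queries also filter on host="LinuxServer".
    host_events = [ev for ev in scoped if ev.get("host") == host]
    return {
        "Total SSH Events": len(host_events),
        "Successful Logins": sum(ev["event_type"] == "Successful SSH Login" for ev in host_events),
        "Failed Logins": sum(ev["event_type"] == "Failed SSH Login" for ev in host_events),
        # The README's fourth panel is a keyword search (index=auth "sshd" "invalid user") with no
        # host filter; Splunk keyword matching is case-insensitive, so compare lower-cased text.
        "Invalid User Attempts": sum(
            "sshd" in ev.get("message", "").lower() and "invalid user" in ev.get("message", "").lower()
            for ev in scoped
        ),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    window = (utc("2024-05-01T10:00:00Z"), utc("2024-05-01T11:00:00Z"))
    for label, value in overview_counts(evs, "LinuxServer", *window).items():
        print(f"{label}: {value}")
```

Narrowing the window to 10:00-11:00 drops bob's noon login from every panel at once, which is the consistency the time_range token is meant to guarantee; a panel left on its own time picker would silently disagree with the others.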

📈 Task 2: Login Activity Trends

Goal

Analyze login patterns over time and detect anomalies or attack behavior.


1️⃣ Failed Logins by Username

  • Panel Type: Bar Chart
  • Time Picker: time_range
  • Title: Failed Logins by Username

Search Query:

source="ssh_logs_new.json" host="LinuxNew" sourcetype="_json" event_type="Failed SSH Login"
| top username

2️⃣ Possible Brute Force Attempts by IP Address

  • Panel Type: Statistics Table
  • Time Picker: time_range
  • Title: Possible Brute Force by IP Address

Search Query:

source="ssh_logs_new.json" host="LinuxNew" sourcetype="_json" event_type="Multiple Failed Authentication Attempts"
| top id.orig_h

🌍 Task 3: Visualizing Brute Force Attacks Using Geo-Location

Goal

Identify geographical sources of brute-force SSH attacks.


1️⃣ Brute Force Attack with Geo-Location

  • Panel Type: Choropleth Map
  • Time Picker: time_range
  • Title: Brute Force Attack with Geo-Location

Search Query:

source="ssh_logs_new.json" host="LinuxNew" sourcetype="_json" event_type="Multiple Failed Authentication Attempts"
| table id.orig_h
| iplocation id.orig_h
| stats count by Country
| geom geo_countries featureIdField="Country"
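The Task 2 and Task 3 panels replayed in Python over constructed LinuxNew events. This is an added example, not code from the repository. It goes one step beyond the README: the dashboard relies on a pre-labelled "Multiple Failed Authentication Attempts" event_type, whereas brute_force_by_ip derives that label itself from raw "Failed SSH Login" events with a threshold inside a sliding time window, which is the check a detection engineer would want to tune. COUNTRY_BY_PREFIX is a constructed stand-in for Splunk's iplocation lookup, and the "ts" field is an assumption; the IPs are documentation ranges.

```python
"""Replay of Task 2 (failed logins by username, brute force by IP) and Task 3 (count by country)."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample events for host LinuxNew (not real logs).
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "203.0.113.7"}
{"ts": "2024-05-01T10:00:05Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.7"}
{"ts": "2024-05-01T10:00:10Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "203.0.113.7"}
{"ts": "2024-05-01T10:00:15Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "test", "id.orig_h": "203.0.113.7"}
{"ts": "2024-05-01T10:00:20Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "oracle", "id.orig_h": "203.0.113.7"}
{"ts": "2024-05-01T10:00:25Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "203.0.113.7"}
{"ts": "2024-05-01T10:05:00Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.8"}
{"ts": "2024-05-01T10:05:10Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.8"}
{"ts": "2024-05-01T10:05:20Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.8"}
{"ts": "2024-05-01T10:05:30Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.8"}
{"ts": "2024-05-01T10:05:40Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "admin", "id.orig_h": "203.0.113.8"}
{"ts": "2024-05-01T10:00:00Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "198.51.100.2"}
{"ts": "2024-05-01T10:10:00Z", "host": "LinuxNew", "event_type": "Failed SSH Login", "username": "root", "id.orig_h": "198.51.100.2"}
{"ts": "2024-05-01T10:12:00Z", "host": "LinuxNew", "event_type": "Successful SSH Login", "username": "bob", "id.orig_h": "10.0.0.9"}
"""

# Constructed stand-in for `iplocation`: prefix -> country. Real deployments use Splunk's GeoIP database.
COUNTRY_BY_PREFIX = {"203.0.113.": "Netherlands", "198.51.100.": "Brazil", "10.0.0.": "Private"}


def load(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def top_failed_usernames(events: list) -> list:
    """Task 2 panel 1: event_type="Failed SSH Login" | top username (counts only, no percent)."""
    return Counter(ev["username"] for ev in events if ev["event_type"] == "Failed SSH Login").most_common()


def brute_force_by_ip(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """Task 2 panel 2, derived rather than pre-labelled: flag a source IP once it produces at least
    `threshold` failed logins inside any `window_s`-second window. Returns (ip, total_failed) pairs,
    which is what `top id.orig_h` would show over the flagged events."""
    attempts = {}
    for ev in events:
        if ev["event_type"] != "Failed SSH Login":
            continue
        attempts.setdefault(ev["id.orig_h"], []).append(parse_ts(ev["ts"]))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return sorted(flagged.items(), key=lambda kv: (-kv[1], kv[0]))


def country_of(ip: str) -> str:
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "Unknown"


def brute_force_by_country(events: list, **kw) -> list:
    """Task 3: `| iplocation id.orig_h | stats count by Country` over the flagged attempts."""
    counts = Counter()
    for ip, total in brute_force_by_ip(events, **kw):
        counts[country_of(ip)] += total
    return counts.most_common()


if __name__ == "__main__":
    evs = load(SAMPLE_LOG)
    print("Failed logins by username:", top_failed_usernames(evs))
    print("Possible brute force by IP:", brute_force_by_ip(evs))
    print("Brute force by country:", brute_force_by_country(evs))
```

With the default threshold (5 failures within 60 s) the two 203.0.113.x sources are flagged and 198.51.100.2, which failed only twice ten minutes apart, is not; lowering the threshold to 2 over a 600 s window pulls it in. The README's choropleth panel counts rows per Country after iplocation, so a single noisy /24 dominates the map exactly as it dominates brute_force_by_country here.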

🚀 Key Outcomes

  • Centralized SSH authentication monitoring
  • Early detection of brute-force attacks
  • Improved visibility using geo-location analysis
  • Consistent time-based analysis across panels

🛡️ Security Use Case

This dashboard can be used by:

  • SOC Analysts
  • Blue Teams
  • System Administrators
  • Cybersecurity Students

to detect unauthorized access attempts and respond to SSH-based attacks efficiently.
