Tutorial

Beyond the App: Monitoring SSH Brute Force (Port 22) with LiteSOC

Learn how to bridge the gap between infrastructure and application security by monitoring SSH brute force attacks using LiteSOC

Amirol Ahmad
March 11, 2026
3 min read

When we talk about Security Observability, most founders focus entirely on their web application—login pages, password resets, and API endpoints. But there is a "back door" that almost every startup has, which is often left in the dark: The SSH Port (Port 22).

Cloudflare protects your front gate, but only for the HTTP(S) traffic it proxies; SSH on port 22 goes straight to your origin and never passes through it. LiteSOC monitors your "living room" (your app), yet the server's SSH port is constantly being hammered by botnets from around the world.

In this post, we’ll show you how to use LiteSOC to shine a light on your infrastructure security.

The Problem: The Invisible Hammer

If you run a Linux server (AWS, DigitalOcean; Vercel doesn't count, as it's managed), your /var/log/auth.log is likely filled with thousands of "Failed password" entries. These are automated scripts cycling through common usernames (root, admin, ubuntu, ...) and password lists.

Standard tools like Fail2Ban are great for blocking these IPs, but they lack visibility:

  1. You don't see where the attacks are coming from on a map.
  2. You don't have a unified timeline showing whether the IP attacking your SSH is also attacking your app.
  3. You don't get behavioral alerts (like an admin successfully logging in from a new country).

The Solution: LiteSOC as a Host-Based "Spy"

Since LiteSOC is API-first, it doesn't care if the "event" comes from a JavaScript app or a Linux Bash script. We can turn your server into a LiteSOC "sensor" in under 2 minutes.

Step 1: The "Log Watcher" Script

On your Linux server, create a simple script that "tails" your authentication log and forwards failures to LiteSOC. Two caveats: on journald-only systems (Debian 12, Fedora and others that don't ship rsyslog) there is no /var/log/auth.log, so replace the tail -F with journalctl -f -t sshd; and if you have disabled password authentication, sshd logs failed attempts as "Invalid user ..." or "Connection closed by authenticating user ..." rather than "Failed password", so extend the grep pattern accordingly.

Create a file named litesoc-monitor.sh:

#!/bin/bash
# Forwards failed SSH logins from /var/log/auth.log to LiteSOC.
# Needs curl and jq. jq builds the JSON body: each log line contains an
# attacker-chosen username, so it must never be pasted into JSON by hand.
set -u

# Your LiteSOC API Key (keep this file root-only: chmod 600)
API_KEY="lsoc_live_your_key_here"

# Watch the auth log for failed passwords
tail -F /var/log/auth.log | grep --line-buffered "Failed password" | while IFS= read -r line; do

  # Extract the source address: the one after "from" (works for IPv4 and IPv6)
  IP=$(sed -nE 's/.* from ([0-9a-fA-F.:]+) port [0-9]+.*/\1/p' <<< "$line")
  [ -n "$IP" ] || continue

  # Build the event with jq so quotes or backslashes in raw_log are escaped
  PAYLOAD=$(jq -cn --arg ip "$IP" --arg raw "$line" \
    '{events: [{event_name: "auth.login_failed", actor_id: "ssh-daemon", user_ip: $ip,
                metadata: {service: "ssh", raw_log: $raw, port: 22}}]}')

  # Send to LiteSOC Ingestion API
  curl -sS -X POST https://api.litesoc.io/collect \
    -H "Content-Type: application/json" \
    -H "X-API-Key: $API_KEY" \
    -d "$PAYLOAD"
done

Step 2: Run in Background

Run this script as a systemd service (with Restart=always) rather than under nohup, so it survives reboots and crashes and monitors your server 24/7. The service needs read access to /var/log/auth.log (root, or the adm group on Debian/Ubuntu), and the script file should be readable only by that account since it holds your API key. On a busy server a brute-force wave can produce several failures per second; one curl per line is fine to start, but the ingestion API accepts an events array, so batching lines before sending is the first optimisation to make.
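To make the parsing and escaping concrete, here is an added example (not LiteSOC's code and not part of the original post) that turns sshd auth-log lines into the same event shape the script above sends, and counts failures per source address. It covers both the "Failed password" lines the script forwards and the "Accepted ..." lines that a per-admin detection needs, and it includes a log line whose username contains JSON quotes to show why the body has to go through a real serializer. The sample lines are constructed; the field names (event_name, actor_id, user_ip, metadata) are the ones the tutorial uses, while "auth.login_success" and the threshold value are assumptions of this example.

```python
"""Parse sshd auth-log lines into LiteSOC-style events and flag brute-force sources.

Added example, not LiteSOC's code. Sample log lines are constructed.
"auth.login_success" is an assumed event name; the tutorial only shows auth.login_failed.
"""
import json
import re
from collections import Counter

# OpenSSH wording for failed and accepted logins; "invalid user" appears for unknown names.
FAILED_RE = re.compile(
    r"Failed (?P<method>password|publickey|none) for (?:invalid user )?(?P<user>.+?) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return an event dict for an sshd auth line, or None if the line is not a login."""
    m = FAILED_RE.search(line)
    if m:
        name, actor = "auth.login_failed", "ssh-daemon"
    else:
        m = ACCEPTED_RE.search(line)
        if not m:
            return None
        # Successful logins are attributed to the real user so per-user
        # behavioural detection (impossible travel) has something to key on.
        name, actor = "auth.login_success", m.group("user")  # assumed event name
    return {
        "event_name": name,
        "actor_id": actor,
        "user_ip": m.group("ip"),
        "metadata": {
            "service": "ssh",
            "port": 22,
            "username": m.group("user"),
            "auth_method": m.group("method"),
            "source_port": int(m.group("port")),
            "raw_log": line,
        },
    }


def build_payload(events):
    """Serialize the batch. json.dumps escapes quotes and backslashes, so an
    attacker-chosen username inside raw_log cannot break or inject into the body."""
    return json.dumps({"events": events})


def brute_force_sources(events, threshold):
    """Source addresses with at least `threshold` failed logins in the batch."""
    counts = Counter(e["user_ip"] for e in events if e["event_name"] == "auth.login_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample: documentation addresses, one username crafted to contain JSON syntax.
SAMPLE_LOG = """\
Mar 11 08:00:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 11 08:00:03 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar 11 08:00:04 web1 sshd[2105]: Failed password for invalid user "},{"x":" from 198.51.100.7 port 41044 ssh2
Mar 11 08:00:09 web1 sshd[2110]: Failed password for root from 2001:db8::1 port 50100 ssh2
Mar 11 08:01:00 web1 sshd[2120]: Accepted publickey for deploy from 203.0.113.9 port 53321 ssh2: ED25519 SHA256:abc
Mar 11 08:01:00 web1 sshd[2120]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
"""


def process(log_text, threshold=3):
    """Parse every line, build the JSON body, and report sources over the threshold."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return events, build_payload(events), brute_force_sources(events, threshold)


if __name__ == "__main__":
    events, payload, hot = process(SAMPLE_LOG)
    print(len(events), "events; brute-force sources:", hot)
    print(payload[:160], "...")
```

The pam_unix session line is ignored, the IPv6 source is extracted intact, and the username containing `"},{"x":"` comes out of the serializer escaped rather than terminating the JSON object, which is exactly what the unescaped string interpolation in a naive shell script gets wrong.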

Why This is a Game Changer

1. Visual Forensic Maps

Instead of reading a text file, you can now open your LiteSOC Dashboard and see a heatmap of which countries are currently trying to brute-force your server. Seeing a cluster of red dots in a country you don't operate in is an immediate signal to restrict port 22 to known source addresses (or a VPN/bastion) and to make sure password authentication is disabled.

2. Behavioral AI for Admins

This is the most powerful part, but note what the script in Step 1 sends: failures only, all attributed to the fixed actor "ssh-daemon". Impossible-travel detection is per user, so to get this alert you also need to forward successful logins (sshd logs them as "Accepted password for <user>" or "Accepted publickey for <user>") with the real username as actor_id. Once that is in place, if you (the Admin) usually log in from Malaysia and there is suddenly a successful SSH login from an IP in Russia, LiteSOC's Impossible Travel engine will trigger. You will receive an instant alert on Slack:

🚨 CRITICAL: Impossible Travel detected for <username>. User logged in from Russia 2 minutes after being in Malaysia.

3. Unified Security Posture

By sending server logs to LiteSOC, you get a single Security Health Score that reflects your entire stack. You can correlate data: "Is the IP attacking my SSH the same one that tried to brute-force my WordPress login earlier?"

Conclusion

Security shouldn't be fragmented. By bridging the gap between your server's raw logs and LiteSOC’s intelligent dashboard, you move from "guessing" your security status to "knowing" it. Stop letting Port 22 be a blind spot. Integrate your server logs with LiteSOC today.

New to LiteSOC? Start your 14-day Pro Trial for free.
