Responding to Invalid SSH Logins

Length: 00:18:21

Lesson Summary:

In this lesson, we'll explore a real-world scenario in which an EC2 instance is experiencing multiple failed SSH logins, and we want to automatically take the instance offline in response to this potential security event.

Use the Web Server Log Group and the Invalid SSH Login metric filter to trigger a CloudWatch alarm set for 2 data points within 1 minute.

This alarm should publish to an alarm notification SNS topic and send you an email as well as trigger the Lambda function to stop the instance.

Configure the EC2 Instance

  • The EC2 instance must have an IAM role that can communicate with both CloudWatch and Systems Manager.

Create an IAM Instance Role

  1. Select IAM > Create Role > AWS Service > EC2 > Next: Permissions.

  2. Select the CloudWatchAgentAdminPolicy managed policy.

  3. Select the AmazonEC2RoleforSSM managed policy.

  4. Name the role "CloudWatchAgentAdminRole".

Launch the EC2 Instance

  1. Select Amazon Linux 2.

  2. Create or select a security group with SSH (port 22) open to the public (

Attach the IAM Role to the Instance

  1. Assign the CloudWatchAgentAdminRole IAM role to the EC2 instance.

Install CloudWatch Agent using Systems Manager

  • Run command: AWS-ConfigureAWSPackage
  • Action: Install
  • Name: AmazonCloudWatchAgent

Configure the CloudWatch Agent

  1. Run the CloudWatch Agent Configuration Wizard.

  2. Create a new session using SSM Session Manager.

     sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

    Note: Do not select CollectD, unless you already installed it using sudo yum install collectd.

  3. Specify /var/log/secure at the "Do you want to monitor any log files?" prompt.

Validate the Configuration

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s

Create an SNS Topic

  • The CloudWatch Alarm will notify this topic, and the topic will trigger the Lambda function.

  • Topic name: AlarmNotificationTopic

Configure the CloudWatch Alarm

Add a Metric Filter to the Web Server Log Group

  1. Click Secure log group.

  2. Click Create metric filter.

    Filter pattern: [Mon, day, timestamp, ip, id, status = Invalid*]

  3. Click Test pattern.

  4. Click Assign metric.

    • Filter name: InvalidSSHLogin

    • Metric namespace: SSH

    • Metric name: InvalidSSHLogin

  5. Click Create filter.

Create Alarm

  • Metric filter: SSH/InvalidSSHLogin
  1. Click Create alarm.

    • Name: InvalidSSHLoginAlarm
    • Description: Invalid login attempts >2 in 1 min for instance \

Note: The description is critical, as the instance ID at the end is used by the Lambda function to stop the instance.

Whenever InvalidSSHLogin >= 2 for 1 out of 1 datapoints

Subscribe to the SNS Topic

  1. Select AlarmNotificationTopic and click Create alarm.

Create IAM Role for Lambda Function

  1. Create the role LambdaStopInstances using policy lambda_execution_role.json.

Create Lambda function

  • Name: StopInstance
  • Role: StopInstancesRole

Trigger Lambda from SNS

  1. Select Trigger > SNS > AlarmNotificationTopic.

Trigger the CloudWatch Alarm

  1. Make 3 invalid SSH login attempts within 2 minutes.

  2. Verify that the secure log contains the Invalid user string.

  3. Verify that the CloudWatch alarm is set.

  4. Verify that the CloudWatch Log for the Lambda function ran.

  5. Verify that the EC2 instance is stopped.

This lesson is only available to Linux Academy members.

Sign Up To View This Lesson

Or Log In

Looking For Team Training?

Learn More