Monitoring SSH login attempts and geolocating remote hosts who failed to login and gathering used credentials.
The main idea is that you don't use default SSH port to connect to your remote server/VPS. This Docker Compose configuration maps fake server's port 22 to Docker host's public IP and stores unsuccesful login details in Postgres database:
| id | ip_version | ip_address | latitude | longitude | country_name | country_code | time_zone0 | zip_code | city_name | region_name | is_proxy | continent | continent_code | user | password | timestamp |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 35086 | 4 | 180.101.88.252 | 31.311365 | 120.617691 | China | CN | +08:00 | 215003 | Suzhou | Jiangsu | false | Asia | AS | root | nathalie | 2024-02-28 14:31:56.356 +0100 |
| 35085 | 4 | 180.101.88.252 | 31.311365 | 120.617691 | China | CN | +08:00 | 215003 | Suzhou | Jiangsu | false | Asia | AS | root | dfvgbh | 2024-02-28 14:31:56.043 +0100 |
| 35084 | 4 | 180.101.88.252 | 31.311365 | 120.617691 | China | CN | +08:00 | 215003 | Suzhou | Jiangsu | false | Asia | AS | root | jlo | 2024-02-28 14:30:55.356 +0100 |
| 35083 | 4 | 180.101.88.252 | 31.311365 | 120.617691 | China | CN | +08:00 | 215003 | Suzhou | Jiangsu | false | Asia | AS | root | egk | 2024-02-28 14:30:53.744 +0100 |
| 35082 | 4 | 180.101.88.252 | 31.311365 | 120.617691 | China | CN | +08:00 | 215003 | Suzhou | Jiangsu | false | Asia | AS | root | 1qaz2wsx@ | 2024-02-28 14:30:53.397 +0100 |
Example docker-compose.yml (see docker-compose.example.yml)
Don't forget to generate private_key.pem first using following command:
openssl genrsa -out private_key.pem 4096name: geopot services: geopot-timescaledb: image: timescale/timescaledb:latest-pg17 container_name: geopot-timescaledb environment: - POSTGRES_DB=geopot - POSTGRES_USER=geopot - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - PGDATA=/pgdata volumes: - timescaledb_data:/pgdata restart: always geopot-valkey: image: valkey/valkey:latest container_name: geopot-valkey command: /bin/sh -c "redis-server --requirepass ${VALKEY_PASSWORD}" volumes: - valkey_data:/data restart: always geopot: image: ghcr.io/jsfraz/geopot:latest container_name: geopot depends_on: - geopot-timescaledb - geopot-valkey environment: - GIN_MODE=release - POSTGRES_USER=geopot - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_SERVER=geopot-timescaledb - POSTGRES_PORT=5432 - POSTGRES_DB=geopot - VALKEY_PASSWORD=${VALKEY_PASSWORD} - VALKEY_SERVER=geopot-valkey - VALKEY_PORT=6379 ports: - "22:2222" - "127.0.0.1:8080:8080" volumes: - ./private_key.pem:/app/private_key.pem - /etc/localtime:/etc/localtime:ro restart: always networks: geopot: name: geopot volumes: timescaledb_data: valkey_data:And build with sudo docker compose up -d!
For deploying behind a reverse proxy see nginx configuration.
Example .env environmental variables (see .env.example)
| Variable | Description |
|---|---|
| GIN_MODE | Production/debug mode |
| POSTGRES_USER | PostgreSQL user |
| POSTGRES_PASSWORD | PostgreSQL password |
| POSTGRES_SERVER | PostgreSQL server |
| POSTGRES_PORT | PostgreSQL port |
| POSTGRES_DB | PostgreSQL database |
| VALKEY_PASSWORD | Valkey password |
| VALKEY_SERVER | Valkey server |
| VALKEY_PORT | Valkey port |
sudo docker compose -f docker-compose.dev.yml --env-file .env.dev up -d --build./test.sh number_of_attemptsSwagger UI is available at http://localhost:8080/swagger after starting development mode.