No Account Needed Free & Open Source

SSH & Login
Attack Alerter.

Sentinel watches auth.log and journald for SSH brute-force attacks, failed logins, and suspicious authentication patterns. When something happens, you get an alert — Slack, Telegram, Discord, or webhook. Lightweight, zero dependencies, open source.

View on GitHub Try HostAtlas free

$ curl -sSL https://install.hostatlas.app/sentinel | bash_

bash — server-01

$ sentinel watch

✓ Watching /var/log/auth.log

Threshold: 5 attempts / 5 min

Channels: slack, telegram

[14:23:01] Tracking 45.142.120.71 (2 failures)

[14:23:18] Tracking 45.142.120.71 (4 failures)

[14:23:32] ALERT — 45.142.120.71 — 6 failures in 31s

→ Slack: sent ✓

→ Telegram: sent ✓

[14:25:01] Tracking 185.224.128.55 (1 failure)

What It Does

Monitors auth.log. Alerts on attacks.

Sentinel is a single binary that tails your authentication logs for SSH brute-force attempts, failed passwords, and invalid user logins. When a threshold is hit, it fires an alert instantly.

shield

SSH Brute-Force Detection

Watches for repeated failed SSH login attempts from the same IP. Configurable threshold and time window to match your security policy.

description

auth.log & journald

Works with traditional /var/log/auth.log and systemd journald. Auto-detects which log source is available on your system.

bolt

Instant Alerts

Real-time tail, no polling. Alerts fire within seconds of detection. Supports Slack, Telegram, Discord, and generic webhooks.

memory

Lightweight

Single binary under 5 MB. Runs as a systemd service with minimal CPU and memory footprint. No runtime dependencies.

tune

Configurable Thresholds

Set the number of failed attempts and time window before an alert fires. Whitelist trusted IPs to avoid false positives.

code

Open Source

MIT licensed. Audit the code, contribute, or fork it. Built with transparency as a core principle.

Configuration

One YAML file. Done.

Sentinel reads a single YAML config file. Set your alert channels, thresholds, and whitelist. The installer creates a default config automatically.

# /etc/sentinel/config.yml log_source: auto thresholds: failed_attempts: 5 time_window: "5m" whitelist: - "10.0.0.0/8" - "192.168.1.0/24" alerts: slack: webhook_url: "https://hooks.slack.com/..." telegram: bot_token: "123456:ABC..." chat_id: "-1001234567"

Alert Format

Clear, actionable alerts.

Every alert includes the attacking IP, number of attempts, target users, time window, and GeoIP data when available.

SSH Brute-Force Detected Server: web-prod-01 IP: 45.33.32.156 Location: Amsterdam, NL Attempts: 23 in 2m 14s Users: root, admin, ubuntu Status: Active — still attempting Detected at 2026-04-16 03:42:18 UTC

Install

One command. Running in seconds.

The installer downloads the binary, creates a default config, and starts the systemd service. Works on any Linux distribution with systemd.

$ curl -sSL https://install.hostatlas.app/sentinel | bash ✓ Detected platform: linux/amd64 ✓ Downloaded sentinel v1.0.0 ✓ Installed to /usr/local/bin/sentinel ✓ Created config: /etc/sentinel/config.yml ✓ Started systemd service: sentinel.service ✓ Sentinel is now monitoring auth.log

github.com/akyroslabs/hostatlas-sentinel →

The Complete Picture

Sentinel shows you attacks. HostAtlas shows you the complete picture.

Sentinel alerts on SSH attacks. HostAtlas gives you full server monitoring, incident management, firewall control, Under Attack Mode with multi-layer banning, and AI-powered threat analysis — all from one platform.

Start free — no credit card Learn about Attack Mode

SSH & Login Attack Alerter.