Monitor Remote Server File Integrity with SSH and Slack Alerts

Created by

Marth

Last update

Last update 24 days ago

How It Works: The 5-Node Security Flow

This workflow efficiently performs a scheduled file integrity audit.

This is the workflow's trigger. It schedules the workflow to run at a specific, regular interval.

Function: Continuously runs on a set schedule, for example, daily at 3:00 AM.
Process: The Cron node automatically initiates the workflow on its schedule, ensuring consistent file integrity checks without manual intervention.

This node acts as your static database, defining which files to monitor and their known-good checksums.

Function: Stores the file paths and their verified checksums in a single, easy-to-update array.
Process: It configures the file paths and their valid checksums, which are then passed on to subsequent nodes for processing.

This node connects to your remote server to get the current checksum of the file being monitored.

Function: Executes a command on your server via SSH.
Process: It runs a command like sha256sum /path/to/file on the server. The current checksum is then captured and passed to the next node for comparison.

This is the core detection logic. It compares the newly retrieved checksum from the server with the known-good checksum you stored.

Function: Compares the two checksum values.
Process: If the checksums do not match, it indicates a change in the file, and the workflow is routed to the notification node. If they do match, the workflow ends safely.

These nodes represent the final action of the workflow.

Function: Responds to a detected file change.
Process: If the checksums don't match, the Slack node sends a detailed alert with information about the modified file, the expected checksum, and the detected checksum. If the checksums match, the No-Op node ends the workflow without any notification.

Implementing this essential cybersecurity monitor in your n8n instance is quick and straightforward.

Before building the workflow, ensure all necessary accounts are set up and their credentials are ready.

SSH Credential: Set up an SSH credential in n8n with your server's hostname, port, and authentication method (e.g., private key or password). The SSH user must have permission to run sha256sum on the files you want to monitor.
Slack Credential: Set up a Slack credential in n8n and note the Channel ID of your security alert channel (e.g., #security-alerts).
Get Checksums: This is a critical step. Manually run the sha256sum [file_path] command on your server for each file you want to monitor. Copy and save the generated checksum values—these are the "known-good" checksums you will use as your reference.

Get the workflow structure into your n8n instance.

Import: In your n8n instance, navigate to the "Workflows" section. Click the "New" or "+" icon, then select "Import from JSON." Paste the provided JSON code into the import dialog and import the workflow.

Customize the imported workflow to fit your specific monitoring needs.

Scheduled Check (Cron): Set the schedule according to your preference (e.g., daily at 3:00 AM).
List Files & Checksums (Code): Open this node and edit the filesToCheck array. Enter your actual server file paths and paste the "known-good" checksums you manually obtained in step 1.
Get Remote File Checksum (SSH): Select your SSH credential.
Send Alert (Slack): Select your Slack credential and replace YOUR_SECURITY_ALERT_CHANNEL_ID with your actual Channel ID.

Verify that your workflow is working correctly before setting it live.

Manual Test: Run the workflow manually. Verify that it connects to the server and checks the files without sending an alert (assuming the files haven't changed).
Verify: To test the alert, manually change one of the files on your server and run the workflow again. Check your Slack channel to ensure the alert is sent correctly.
Activate: Once you're confident in its function, activate the workflow. n8n will now automatically audit the integrity of your critical files on the schedule you set.