SecuFlow is an AI-powered security automation workflow built with n8n.
It monitors SSH login attempts in real time, detects suspicious patterns,
and allows a human-in-the-loop Telegram approval before blocking attackers.
- 🔍 **Real-Time SSH Monitoring** – pulls live SSH logs via secure SSH commands.
- 🤖 **AI Threat Analysis** – uses the Groq LLM to generate a 2–3 line risk summary of detected IPs.
- 📊 **Automated Threshold Detection** – counts failed attempts per IP and flags any IP with more than 3 failures.
- 👨‍💻 **Human Approval** – sends a Telegram alert with YES/NO options before executing firewall rules.
- 🔒 **Active Defense** – executes `ufw` commands via SSH to block malicious IPs instantly.

- n8n – Workflow automation engine
- Groq LLM (Llama 3.1) – AI risk analysis
- Telegram Bot API – Human-in-the-loop decision making
- SSH (UFW) – Remote firewall command execution

- Fetch SSH logs (`journalctl`) from the target server.
- Parse logs (Python node) → extract timestamp, user, IP, status.
- Count failed attempts per IP (JavaScript node).
- If failures > 3 → pass the IP to the Groq LLM for a brief attack summary.
- Send a Telegram alert → the admin replies YES or NO.
- On YES, run `sudo ufw deny from <ip>` to block the attacker.
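The parse, count and threshold steps above, as an added example in Python (not the project's own node code), run over a constructed sample of `journalctl` sshd lines; it also shows the check a practitioner would want before the IP is placed into the `ufw` command, since that IP comes from log text an attacker can influence:

```python
import re
import ipaddress
from collections import Counter
# Constructed sample of journalctl/sshd output (not taken from a real server).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:04 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:07 host sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 10 12:00:10 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar 10 12:01:00 host sshd[1205]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 10 12:01:30 host sshd[1206]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar 10 12:02:00 host sshd[1207]: Connection closed by authenticating user root 192.0.2.9 port 3333 [preauth]
"""

# One regex for both failed and accepted auth results; non-auth lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_ssh_log(text):
    """Extract timestamp, user, IP and status from each auth line (the Python-node step)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"timestamp": m["ts"], "user": m["user"], "ip": m["ip"],
                           "status": "failed" if m["status"] == "Failed" else "accepted"})
    return events

def count_failures(events):
    """Failed attempts per IP (the JavaScript-node step)."""
    return Counter(e["ip"] for e in events if e["status"] == "failed")

def flag_ips(failures, threshold=3):
    """IPs exceeding the workflow's threshold (> 3 failures)."""
    return sorted(ip for ip, n in failures.items() if n > threshold)

def ufw_deny_command(ip):
    """Build the block command; the IP field comes from attacker-influenced log
    text, so validate it before it is ever interpolated into a shell command."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    return f"sudo ufw deny from {ip}"

if __name__ == "__main__":
    flagged = flag_ips(count_failures(parse_ssh_log(SAMPLE_LOG)))
    for ip in flagged:
        print(ufw_deny_command(ip))  # only after the Telegram YES in the real workflow
```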
Below are key screenshots showing SecuFlow in action.
- Import `workflow.json` into n8n.
- Add credentials:
  - SSH Private Key (to access the target server)
  - Groq API Key
  - Telegram Bot Token + Chat ID
- Deploy n8n and activate the workflow.