Today I went for my Sunday walk in Berlin's botanical garden.
When I exited and looked at my phone I saw the following e-mail.
1 alert for alertname=LoginAlert
View In Alertmanager
[1] Firing
Labels
alertname = LoginAlert
host = abeto
severity = info
Annotations
message = SSH login detected on abeto for user from .
title = SSH login detected
While pretty calm about it - I was just going on my walk after all - this was still unusual, so I followed the standard playbook.
Plan
- Log in to the hoster's WebUI and immediately "pull the plug" on the server. No graceful shutdown, immediate shut-off. Done before I came home.
- Look at the exact alert syntax
- Figure out which log line triggered it
Execution
- Pulling the plug was very easy on the Hetzner UI.
- The alert looks like this:
expr: sum by (host, user, ip) (count_over_time({job="systemd-journal", unit="sshd.service"} |~ "Accepted" | regexp "Accepted \\S+ for (?P<user>\\S+) from (?P<ip>\\S+)" [1m])) > 0
- The log line that triggered it:
2026-06-07 12:55:52.263 INFO userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
So, as it turns out, it was just a false alarm: the `|~ "Accepted"` line filter also matches the substring "Accepted" inside "PubkeyAcceptedAlgorithms", and the regexp stage does not drop lines that fail to match, it only leaves user and ip empty, which is why the e-mail said "for user from .".
Follow up Fix
Change the alert query to not fall for that one again. I opted for a simple added behind the first Accepted filter.
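To see why that pre-auth line counted as a login, here is an added Python emulation of the rule's line-filter and regexp stages (not code from the post; the sshd journal lines are constructed, and the tightened line filter in `hardened_alert` is one possible fix, not necessarily the one the author added):

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sshd journal lines (not taken from the post): one real login,
# a pre-auth noise line of the kind that triggered the alert, and one
# unrelated line.
SAMPLE_LINES: List[str] = [
    "Accepted publickey for deploy from 203.0.113.7 port 51234 ssh2: ED25519",
    "userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]",
    "Disconnected from authenticating user root 198.51.100.5 port 40000 [preauth]",
]

# The regexp parser stage from the alert's expr, unchanged.
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")

Labels = Optional[Dict[str, str]]


def original_alert(line: str) -> Labels:
    """Emulate `|~ "Accepted" | regexp "..."` from the original rule.

    `|~` is an unanchored regex line filter, so any line containing the
    substring "Accepted" survives it, including "PubkeyAcceptedAlgorithms".
    The regexp parser stage never drops a line; when the pattern does not
    match it just leaves user and ip empty, which is exactly what the
    "for user from ." annotation in the alert e-mail showed.
    Returns the extracted labels, or None if the line is filtered out.
    """
    if not re.search("Accepted", line):
        return None
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else {"user": "", "ip": ""}


def hardened_alert(line: str) -> Labels:
    """One possible fix (my choice, not necessarily the author's): make the
    line filter demand the full login shape, so only genuine
    "Accepted <method> for <user> from <ip>" lines reach the parser."""
    if not re.search(r"Accepted \S+ for \S+ from \S+", line):
        return None
    return LOGIN_RE.search(line).groupdict()


def count_over_time(lines: List[str], rule: Callable[[str], Labels]) -> int:
    """Count the lines a rule keeps, as count_over_time(...[1m]) > 0 would."""
    return sum(1 for line in lines if rule(line) is not None)


if __name__ == "__main__":
    for rule in (original_alert, hardened_alert):
        print(rule.__name__, "would count", count_over_time(SAMPLE_LINES, rule), "login(s)")
```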
Stats
- Time to fix: 1 hour
- E-mail read 30 minutes after the alert triggered
- 15 minutes to get home
So the actual fix itself took only 15 minutes. Thanks to Loki, Grafana and Alertmanager.
Learnings
Don’t panic, trust the process.
Oh yeah, also you should invest some time into keeping your logs somewhere and have some alerts. 100% worth it.