{
  "id": "amcM1ga8xVDcFEbm",
  "meta": {
    "templateCredsSetupCompleted": true
  },
  "name": "ProcessMonitor2",
  "tags": [],
  "nodes": [
    {
      "id": "bf0b5b25-747c-4b66-bafd-a0f310bbbf0e",
      "name": "Schedule Trigger - Every 6 Hours",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        448,
        80
      ],
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "hours",
              "hoursInterval": 6
            }
          ]
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "a7e0d406-e475-465f-911a-0620af584b40",
      "name": "SSH - Gather Process and Network Data",
      "type": "n8n-nodes-base.ssh",
      "position": [
        896,
        80
      ],
      "parameters": {
        "cwd": "/root",
        "command": "ps aux --sort=-%cpu,-%mem && ss -tulpn > /vps_process_report.txt"
      },
      "credentials": {
        "sshPassword": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1
    },
    {
      "id": "0ecfd207-80f9-40b8-b3fb-dd9fff548ba4",
      "name": "AI Security Analysis",
      "type": "@n8n/n8n-nodes-langchain.chainLlm",
      "position": [
        1072,
        80
      ],
      "parameters": {
        "text": "=You are a security analyst AI. I will provide you with a list of running processes and open network ports from a Linux VPS. Your task:\n\n1. Identify any processes, commands, or connections that appear suspicious, malicious, or unusual.\n2. Explain why you think they are suspicious (e.g., known malware patterns, unusual network connections, strange process names, or abnormal resource usage).\n3. Focus on: cryptocurrency miners, botnet activity, unauthorized network services, suspicious shell processes, or processes with unusual resource consumption.\n4. Provide structured output with malicious and suspicious findings separately.\n\nHere is the process and network information:\n\n {{ $json.stdout }}",
        "batching": {},
        "promptType": "define",
        "hasOutputParser": true
      },
      "typeVersion": 1.7
    },
    {
      "id": "d8f6c690-69f0-4c06-836b-025f590bafe2",
      "name": "Parse Security Analysis Results",
      "type": "@n8n/n8n-nodes-langchain.outputParserStructured",
      "position": [
        1216,
        288
      ],
      "parameters": {
        "schemaType": "manual",
        "inputSchema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"malicious\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"List of confirmed malicious processes or activities\"\n\t\t},\n        \"malicious_explain\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"Detailed explanation of why these are considered malicious\"\n\t\t},\n\t\t\"suspicious\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"List of potentially suspicious but not confirmed malicious activities\"\n\t\t},\n        \"suspicious_explain\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"Explanation of suspicious findings that need investigation\"\n\t\t},\n\t\t\"status\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"description\": \"Overall security status: clean, suspicious, or compromised\"\n\t\t}\n\t}\n}"
      },
      "typeVersion": 1.3
    },
    {
      "id": "3d63a352-f7f9-48c1-b2f2-e1d45103eee6",
      "name": "OpenAI GPT-4 Mini Model",
      "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
      "position": [
        1056,
        272
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "list",
          "value": "gpt-4o-mini",
          "cachedResultName": "gpt-4o-mini"
        },
        "options": {
          "temperature": 0.1
        }
      },
      "credentials": {
        "openAiApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "4549adf6-770e-427f-9080-b662ee7f1d18",
      "name": "Check for Malicious Activity",
      "type": "n8n-nodes-base.if",
      "position": [
        1408,
        80
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "7a3a5d70-a8bc-4f03-b83e-20812b36c82e",
              "operator": {
                "type": "string",
                "operation": "notEmpty",
                "singleValue": true
              },
              "leftValue": "={{ $json.output.malicious }}",
              "rightValue": ""
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "d77d0b4d-bcc3-4ec3-bef0-f08a17139f58",
      "name": "Check for Suspicious Activity",
      "type": "n8n-nodes-base.if",
      "position": [
        1408,
        288
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "suspicious-check",
              "operator": {
                "type": "string",
                "operation": "notEmpty",
                "singleValue": true
              },
              "leftValue": "={{ $json.output.suspicious }}",
              "rightValue": ""
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "ab56fd12-7e17-4b00-802b-dda2eb704e26",
      "name": "Send Malicious Activity Alert",
      "type": "n8n-nodes-base.telegram",
      "position": [
        1632,
        0
      ],
      "parameters": {
        "text": "=\ud83d\udea8 **SECURITY ALERT - MALICIOUS ACTIVITY DETECTED** \ud83d\udea8\n\n**Server:** {{ $('Configuration - User Settings').first().json.server_name }}\n**Time:** {{ new Date().toLocaleString() }}\n\n**\u26a0\ufe0f Malicious Processes:**\n{{ $json.output.malicious }}\n\n**\ud83d\udccb Analysis:**\n{{ $json.output.malicious_explain }}\n\n**\ud83d\udd0d Overall Status:** {{ $json.output.status }}\n\n**Action Required:** Immediate investigation recommended!",
        "chatId": "={{ $('Configuration - User Settings').first().json.admin_telegram_id }}",
        "additionalFields": {
          "parse_mode": "Markdown"
        }
      },
      "credentials": {
        "telegramApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "d707188d-f89f-4cc8-9b5c-3a33966669d1",
      "name": "Send Suspicious Activity Notice",
      "type": "n8n-nodes-base.telegram",
      "position": [
        1632,
        288
      ],
      "parameters": {
        "text": "=\u26a0\ufe0f **Security Notice - Suspicious Activity** \u26a0\ufe0f\n\n**Server:** {{ $('Configuration - User Settings').first().json.server_name }}\n**Time:** {{ new Date().toLocaleString() }}\n\n**\ud83d\udd0d Suspicious Processes:**\n{{ $json.output.suspicious }}\n\n**\ud83d\udccb Analysis:**\n{{ $json.output.suspicious_explain }}\n\n**Status:** {{ $json.output.status }}\n\n**Recommendation:** Monitor closely and investigate if needed.",
        "chatId": "={{ $('Configuration - User Settings').first().json.admin_telegram_id }}",
        "additionalFields": {
          "parse_mode": "Markdown"
        }
      },
      "credentials": {
        "telegramApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "0c82a50c-abba-4010-aecd-6c53636a5b2a",
      "name": "Configuration - User Settings",
      "type": "n8n-nodes-base.set",
      "position": [
        656,
        80
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "f30b7286-9424-4150-960c-925578bf143a",
              "name": "admin_telegram_id",
              "type": "string",
              "value": "YOUR_TELEGRAM_CHAT_ID"
            },
            {
              "id": "server-name-field",
              "name": "server_name",
              "type": "string",
              "value": "Production VPS"
            },
            {
              "id": "alert-level-field",
              "name": "alert_level",
              "type": "string",
              "value": "high"
            }
          ]
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "5b19a69a-1931-4e92-ae68-a56d0b045c7c",
      "name": "Sticky Note - Main Explanation",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -64,
        -528
      ],
      "parameters": {
        "width": 420,
        "height": 844,
        "content": "## \ud83d\udd10 VPS Security Monitor with AI Analysis\n\nThis workflow automatically monitors your VPS for security threats using AI analysis and sends alerts via Telegram.\n\n### \ud83d\udccb How it works:\n1. **Scheduled Monitoring**: Runs every 6 hours (customizable)\n2. **SSH Data Collection**: Gathers process and network information\n3. **AI Security Analysis**: Uses the OpenAI gpt-4o-mini model to identify threats\n4. **Smart Alerting**: Only sends notifications when the AI analysis reports malicious or suspicious findings\n\n### \u2699\ufe0f Configuration Required:\n- Update SSH credentials in \"SSH - Gather Process and Network Data\" node\n- Add OpenAI API key in \"OpenAI GPT-4 Mini Model\" node  \n- Set your Telegram chat ID in \"Configuration - User Settings\"\n- Add Telegram bot token in alert nodes\n\n### \ud83c\udfaf Features:\n- Detects malware, cryptocurrency miners, botnet activity\n- Monitors unusual network connections and resource usage\n- Structured AI analysis with clear explanations\n- Separate alerts for malicious vs suspicious activity\n\n### \ud83d\udca1 Customization:\n- Adjust monitoring frequency in Schedule Trigger\n- Modify AI prompt for specific security concerns\n- Add multiple servers by duplicating SSH nodes\n- Extend with email/Slack notifications\n\n### \u26a0\ufe0f Security notes:\n- The collected process list, including full command lines, is sent to OpenAI; make sure no secrets are passed as command-line arguments on the server\n- The SSH node uses a password credential and runs from /root; prefer key-based authentication and a dedicated account where possible\n- Process names and arguments are chosen by whoever starts the process, so treat the AI verdict as a triage hint, not as proof that the server is clean"
      },
      "typeVersion": 1
    },
    {
      "id": "48ea074a-a297-412d-baa7-e0c4e429deb7",
      "name": "Sticky Note - Step 1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        816,
        -128
      ],
      "parameters": {
        "height": 184,
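        "content": "### Step 1: Data Collection\n\nSSH into VPS and gather:\n- Running processes (sorted by CPU/memory)\n- Active network connections\n- System information\n\nNote: the command as written redirects the `ss` output to /vps_process_report.txt, so only the `ps` listing reaches the AI step."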
      },
      "typeVersion": 1
    },
    {
      "id": "574f7e67-8bb1-4dd4-81f8-040d0ea28560",
      "name": "Sticky Note - Step 2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1056,
        -128
      ],
      "parameters": {
        "height": 184,
        "content": "### Step 2: AI Analysis\n\nOpenAI analyzes data for:\n- Known malware patterns\n- Suspicious network activity\n- Unusual resource usage\n- Botnet indicators"
      },
      "typeVersion": 1
    },
    {
      "id": "deb0b4d3-5cb1-49a0-894e-c15b3fa15a6b",
      "name": "Sticky Note - Step 3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1568,
        -224
      ],
      "parameters": {
        "height": 216,
        "content": "### Step 3: Smart Alerting\n\nSeparate alerts for:\n- \ud83d\udea8 Malicious: Threats the AI reports as confirmed\n- \u26a0\ufe0f Suspicious: Needs investigation\n\nNo spam - alerts are sent only when the AI reports findings."
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "98230907-c132-464b-84e5-9c8fd082d0fa",
  "connections": {
    "AI Security Analysis": {
      "main": [
        [
          {
            "node": "Check for Malicious Activity",
            "type": "main",
            "index": 0
          },
          {
            "node": "Check for Suspicious Activity",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "OpenAI GPT-4 Mini Model": {
      "ai_languageModel": [
        [
          {
            "node": "AI Security Analysis",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Check for Malicious Activity": {
      "main": [
        [
          {
            "node": "Send Malicious Activity Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check for Suspicious Activity": {
      "main": [
        [
          {
            "node": "Send Suspicious Activity Notice",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Configuration - User Settings": {
      "main": [
        [
          {
            "node": "SSH - Gather Process and Network Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Parse Security Analysis Results": {
      "ai_outputParser": [
        [
          {
            "node": "AI Security Analysis",
            "type": "ai_outputParser",
            "index": 0
          }
        ]
      ]
    },
    "Schedule Trigger - Every 6 Hours": {
      "main": [
        [
          {
            "node": "Configuration - User Settings",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "SSH - Gather Process and Network Data": {
      "main": [
        [
          {
            "node": "AI Security Analysis",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}