diff --git a/templates/prometheus/config/prometheus/alert.rules.j2 b/templates/prometheus/config/prometheus/alert.rules.j2
index 6cf21dc..f19a402 100644
--- a/templates/prometheus/config/prometheus/alert.rules.j2
+++ b/templates/prometheus/config/prometheus/alert.rules.j2
@@ -279,3 +279,13 @@ groups:
           identifier: '{{ '{{' }} $labels.instance {{ '}}' }}'
           summary: "Instance <{{ '{{' }} $labels.instance {{ '}}' }}> has less traffic than expected"
           description: "checks if postgres receives traffic on internal interface."
+
+      - alert: ssh root login
+        expr: authlog_root_login_hits > 0 or absent(authlog_root_login_hits)
+        for: 1m
+        labels:
+          severity: critical
+        annotations:
+          identifier: '{{ '{{' }} $labels.instance {{ '}}' }}'
+          summary: "ssh root login on Instance <{{ '{{' }} $labels.instance {{ '}}' }}> detected. plz check"
+          description: "unexpected ssh root login detected."
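Review bot: The `absent(authlog_root_login_hits)` branch of the new `expr` fires the same "ssh root login ... detected" alert when the metric is merely missing (exporter down, or a counter that only appears after its first hit), and `absent()` returns a series with no `instance` label, so the `identifier` and `summary` annotations render an empty instance for that case; responders cannot tell a real root login from a blind detector. Split it into two alerts — keep `expr: authlog_root_login_hits > 0` under the existing name, and add a separate lower-severity "metric absent" alert whose annotations do not reference `$labels.instance`. If `authlog_root_login_hits` is a monotonically increasing counter (not visible in the hunk), `> 0` stays true forever after the first login; `increase(authlog_root_login_hits[5m]) > 0` would alert on new events instead. The `summary` wording "plz check" should be replaced with an actionable instruction, e.g. `summary: "ssh root login on Instance <{{ '{{' }} $labels.instance {{ '}}' }}> detected; review auth log and confirm the session is authorised"`. The enclosing `rules:` list begins outside the hunk.

```yaml
      - alert: ssh root login
        expr: authlog_root_login_hits > 0
        for: 1m
        # … unchanged: labels / annotations as in the hunk (with the reworded summary) …

      - alert: ssh root login metric absent
        expr: absent(authlog_root_login_hits)
        for: 5m  # constructed value — tune to the exporter's scrape interval
        labels:
          severity: warning
        annotations:
          summary: "authlog_root_login_hits is absent; ssh root login detection is not reporting"
          description: "the exporter that produces authlog_root_login_hits is not delivering the metric, so root logins would go unnoticed."
```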