Friday, January 30, 2015

Quick hack to automatically IP-geolocate people who tried to get access to your server (using SSH)

The following script gives this kind of output (for only 3 days of logs...):
# ./sshhack-iploc /var/log/auth.log*
-----------------------------
-- SSH failed distinct attempts by country
Hong Kong -> 42
China -> 38
France -> 10
United States -> 6
Germany -> 2
Venezuela -> 1
United Kingdom -> 1
India -> 1
Republic of Korea -> 1
Brazil -> 1
Netherlands -> 1
-----------------------------
-- SSH top 10 of tested users
User 'root' -> 78318
User 'admin' -> 158
User 'oracle' -> 21
User 'postgres' -> 18
User 'ts' -> 14
User 'vnc' -> 13
User 'test' -> 12
User 'bin' -> 12
User 'git' -> 11
User 'teamspeak3' -> 10
-----------------------------
-- General Information
Processed time range : 92 hours (~3 days)
Total number of auth failures 78757 (~856 by hour)
Distinct tested logins 116
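The post does not reproduce the script itself, so below is an added example (my code, not the author's sshhack-iploc) of how such a report can be produced from OpenSSH auth.log lines. It parses "Failed password for ..." entries, counts tried usernames, and groups the distinct source IPs by country. Assumptions: the log lines are constructed samples; the IP-to-country table is a constructed stand-in for whatever geolocation source the author used (a local GeoIP database would be substituted in practice); syslog timestamps carry no year, so 2015 is assumed; and "distinct attempts by country" is read as one count per distinct source IP.

```python
"""Summarize failed SSH logins from auth.log in the style of the post's report.
Added example; not the original sshhack-iploc script."""
import gzip
import re
from collections import Counter
from datetime import datetime
from typing import Callable, Iterable, List, Optional

# One pattern covers both forms sshd writes:
#   "Failed password for root from 203.0.113.5 port 51022 ssh2"
#   "Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines (documentation IP ranges, syslog format without a year).
# The "Accepted publickey" and "Connection closed" lines must be ignored by the parser.
SAMPLE_AUTH_LOG = """\
Jan 27 03:14:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 27 03:14:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 27 03:15:11 host sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2
Jan 27 04:02:44 host sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Jan 28 11:20:19 host sshd[2210]: Failed password for invalid user oracle from 203.0.113.77 port 33000 ssh2
Jan 28 11:20:25 host sshd[2210]: Failed password for root from 203.0.113.77 port 33000 ssh2
Jan 28 23:59:59 host sshd[2299]: Failed password for invalid user admin from 198.51.100.23 port 40212 ssh2
Jan 29 07:00:00 host sshd[3001]: Failed password for root from 203.0.113.78 port 2222 ssh2
Jan 29 07:00:03 host sshd[3001]: Connection closed by 203.0.113.78 [preauth]
"""

# Constructed IP -> country table standing in for a real GeoIP lookup (assumption:
# any callable taking an IP string and returning a country name can be plugged in).
CONSTRUCTED_GEO = {
    "203.0.113.5": "Hong Kong",
    "203.0.113.77": "China",
    "203.0.113.78": "China",
    "198.51.100.23": "France",
}


def constructed_geolocate(ip: str) -> str:
    return CONSTRUCTED_GEO.get(ip, "Unknown")


def parse_failure(line: str, year: int) -> Optional[dict]:
    """Return {ts, user, ip} for a failed-password line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog omits the year; the caller supplies it (logs spanning New Year need care).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"]}


def analyze(lines: Iterable[str], geolocate: Callable[[str], str], year: int = 2015) -> dict:
    """Aggregate failures: tried users, distinct IPs per country, time range and rate."""
    failures = [f for f in (parse_failure(l, year) for l in lines) if f]
    if not failures:
        return {"total": 0, "hours": 0, "per_hour": 0.0, "distinct_ips": 0,
                "users": Counter(), "by_country": Counter()}
    first = min(f["ts"] for f in failures)
    last = max(f["ts"] for f in failures)
    hours = max(1, round((last - first).total_seconds() / 3600))
    distinct_ips = {f["ip"] for f in failures}
    return {
        "total": len(failures),
        "hours": hours,
        "per_hour": round(len(failures) / hours, 2),
        "distinct_ips": len(distinct_ips),
        "users": Counter(f["user"] for f in failures),
        # one count per distinct source IP, so a noisy single host does not skew the map
        "by_country": Counter(geolocate(ip) for ip in distinct_ips),
    }


def render_report(r: dict, top_n: int = 10) -> str:
    sep = "-----------------------------"
    out = [sep, "-- SSH failed distinct attempts by country"]
    out += [f"{country} -> {n}" for country, n in r["by_country"].most_common()]
    out += [sep, f"-- SSH top {top_n} of tested users"]
    out += [f"User '{user}' -> {n}" for user, n in r["users"].most_common(top_n)]
    out += [sep, "-- General Information",
            f"Processed time range : {r['hours']} hours (~{r['hours'] // 24} days)",
            f"Total number of auth failures {r['total']} (~{r['per_hour']} by hour)",
            f"Distinct tested logins {len(r['users'])}",
            f"Total number of distinct client ip {r['distinct_ips']}"]
    return "\n".join(out)


def read_logs(paths: List[str]) -> Iterable[str]:
    """Stream lines from auth.log files; rotated *.gz files are decompressed on the fly."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    import sys
    source = read_logs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_AUTH_LOG.splitlines()
    print(render_report(analyze(source, constructed_geolocate)))
```

Run it with no arguments to see the report for the constructed sample, or pass `/var/log/auth.log*` as the post does. Counting distinct IPs rather than raw attempts per country is what keeps one brute-forcing host from dominating the country table, while the per-user counter deliberately keeps every attempt so that the 'root' figure reflects real pressure.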

2 comments:

  1. Results coming from another host:
    -----------------------------
    -- SSH failed distinct attempts by country
    China -> 352
    Bahrain -> 128
    India -> 103
    Brazil -> 83
    United States -> 72
    France -> 59
    Hong Kong -> 57
    Germany -> 25
    Egypt -> 13
    Russia -> 11
    Republic of Korea -> 11
    Malaysia -> 10
    Indonesia -> 9
    Japan -> 8
    United Kingdom -> 7
    Pakistan -> 7
    Turkey -> 5
    Colombia -> 5
    Thailand -> 4
    Canada -> 4
    Ukraine -> 4
    Vietnam -> 4
    Taiwan -> 3
    Israel -> 3
    Philippines -> 2
    Saudi Arabia -> 2
    Austria -> 2
    Republic of Moldova -> 2
    Italy -> 2
    Bulgaria -> 2
    Norway -> 2
    Netherlands -> 2
    Bangladesh -> 2
    Venezuela -> 1
    Spain -> 1
    Peru -> 1
    Antigua and Barbuda -> 1
    Tunisia -> 1
    Seychelles -> 1
    Republic of Lithuania -> 1
    Australia -> 1
    Kenya -> 1
    Ghana -> 1
    Kazakhstan -> 1
    Singapore -> 1
    Bolivia -> 1
    Chile -> 1
    Dominican Republic -> 1
    Switzerland -> 1
    United Arab Emirates -> 1
    Nepal -> 1
    Hungary -> 1
    -----------------------------
    -- SSH top 10 of tested users
    User 'root' -> 439613
    User 'admin' -> 8381
    User 'test' -> 986
    User 'oracle' -> 464
    User 'guest' -> 386
    User 'postgres' -> 354
    User 'nagios' -> 325
    User 'user' -> 298
    User 'ftp' -> 253
    User 'zabbix' -> 201
    -----------------------------
    -- General Information
    Processed time range : 3215 hours (~133 days)
    Total number of auth failures 472901 (~147 by hour)
    Distinct tested logins 7886

  2. For the latest 13 days:

    -----------------------------
    -- SSH failed distinct attempts by country
    India -> 120
    Brazil -> 99
    Bahrain -> 85
    Hong Kong -> 65
    China -> 54
    France -> 31
    United States -> 17
    Pakistan -> 6
    Germany -> 6
    Republic of Korea -> 5
    Taiwan -> 4
    United Kingdom -> 4
    Russia -> 3
    Ukraine -> 3
    Turkey -> 3
    Thailand -> 2
    Vietnam -> 2
    Indonesia -> 2
    Malaysia -> 2
    Poland -> 1
    Philippines -> 1
    Spain -> 1
    Peru -> 1
    Saudi Arabia -> 1
    Kazakhstan -> 1
    Panama -> 1
    Chile -> 1
    Netherlands -> 1
    Hungary -> 1
    -----------------------------
    -- SSH top 10 of tested users
    User 'root' -> 21880
    User 'admin' -> 181
    User 'test' -> 115
    User 'nagios' -> 56
    User 'oracle' -> 53
    User 'postgres' -> 44
    User 'guest' -> 37
    User 'user' -> 37
    User 'test1' -> 36
    User 'test2' -> 26
    -----------------------------
    -- General Information
    Processed time range : 323 hours (~13 days)
    Total number of auth failures 24027 (~74 by hour)
    Distinct tested logins 856
    Total number of distinct client ip 523
