I have had this machine with the SSH daemon listening on the default port 22 since last December. The failed logins account for 154MB of logs, comprising 1.5M lines.
I'm going to process these logs to see which countries should be blocked on the firewall.
(Yes, I know about solutions like xtables-geoip, fail2ban, denyhosts etc.)
I have 22 logfiles:
# wc -l *
27814 messages
...
1588979 total
The lines containing sshd[$pid]:
# grep -c "sshd\[" * | awk -F\: '{SUM+=$2} END {print SUM}'
1576272
For easier analysis, I put every line of sshd in a single separate file and started working on that:
# grep "sshd\[" * > sshd.log
The most important part of each line is the first two words of the actual message (fields 6 and 7, after the syslog timestamp, hostname and sshd[$pid] prefix).
# awk '{print $6" "$7}' sshd.log | sort -u
These still include the server key generation and the daemon startup/shutdown messages, like these:
SSH server key generation
..done
DSA keys
Generating /etc/ssh/ssh_host_dsa_key.
Generating public/private
The key
The key's
Your identification
Your public
Daemon startup/shutdown
Received signal
Server listening
Shutting down
Starting SSH
So, after cleaning out the above, here is the summary, with the number of lines in parentheses:
Other/Server errors
error: Could not load host key: /etc/ssh/ssh_host_dsa_key (521260) - resolved during a system upgrade
error: ssh_msg_send: write (3)
last message repeated 2 times (1)
pam_unix2(sshd:auth): conversation failed (3)
Successful authentication or logout (1020)
Accepted keyboard-interactive/pam (200)
Accepted publickey (326)
Received disconnect (494)
==> Received disconnect from $ip: disconnected by user
==> Received disconnect from $ip: Closed due to user request. (Android/ConnectBot)
subsystem request for sftp by user $user (11) - authenticated SFTP transfer
Failed authentication and/or intrusion attempt
Failed keyboard-interactive/pam (210023)
==> Failed keyboard-interactive/pam for invalid user $user from $ip port $port ssh2 (207450)
==> Failed keyboard-interactive/pam for root from $ip port $port ssh2 (2573)
Invalid user $user from $ip (534171)
Did not receive identification string from $ip (364)
Bad protocol version identification $garbage from $ip (3)
error: PAM: (253082)
==> error: PAM: User not known to the underlying authentication module for illegal user $user from $ip (207450) - logged alongside each 'Failed keyboard-interactive/pam' line, so these are double lines
==> error: PAM: Authentication failure for $user from $ip (45632)
Reverse DNS failures (reverse DNS lookups now disabled)
Address $ip maps to $name, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! (2248)
reverse mapping checking getaddrinfo for $name [$ip] failed - POSSIBLE BREAK-IN ATTEMPT! (54045)
Source IP addresses
# awk '/Invalid user/ {print $NF}' sshd.log | sort -u
417 addresses in 534171 lines
# awk '/for invalid user/ {print $13}' sshd.log | sort -u
38 addresses in 207450 lines
# awk '/pam for root/ {print $11}' sshd.log | sort -u
88 addresses in 2573 lines
These were merged and sorted into a list of 505 unique IP addresses.
Generating country mapping with GeoIP (free version):
# while read ip; do echo -n "$ip "; geoiplookup $ip | sed 's/GeoIP Country Edition//;s/\,.*//'; done < ipaddr2.txt > geoip.txt
A total of 60 countries.
Result #1: Top 10 individual IPs by country
# awk '{print $3}' geoip.txt | grep -v IP | sort -u | while read c; do echo -n "$c: "; grep -c $c geoip.txt ; done | sort +1 -rn | head -10
For some countries, either the attackers came from many different machines or the same machines changed IP addresses often.
CN: 129
KR: 103
US: 60
RU: 26
DE: 25
IN: 12
FR: 12
BR: 12
GB: 10
TH: 8
Result #2: Top 10 offending individual IP addresses by number of attempts
# sort +1 -rn byip.txt | head -10 | while read ip count; do echo $count $(geoiplookup $ip | awk '{print $4}') $ip; done
Compare this with the next summary: in some countries the attempts came mostly from a single major attacker.
169524 AR, 200.0.230.xxx
123755 PL, 94.101.16.xx
85371 VN, 123.30.179.xxx
77368 KE, 41.220.225.xxx
60780 US, 108.16.229.xxx
53278 IN, 220.225.215.xxx
48549 TH, 110.77.229.xx
40842 IN, 218.248.79.xxx
23713 BR, 157.86.172.xxx
23631 UA, 213.186.116.xxx
Result #3: Top 10 countries by number of attempts
As you can see above, the hits from Argentina, Poland, Vietnam, Kenya, Brazil and Ukraine originated mostly from single IP addresses.
Don't create a bad reputation for your country!
AR 171419
PL 126598
IN 124130
US 99284
VN 85384
KE 78971
CN 74046
TH 58919
BR 29990
UA 24091
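As an added illustration (not from the original post), the same extraction and aggregation in Python over constructed sample lines: one regex per message type instead of positional awk fields, the duplicated 'error: PAM:' lines skipped, and a per-country rollup that also records each country's busiest IP, which is what separates Result #2 from Result #3. The IP-to-country table GEO is a constructed stand-in for geoiplookup; the IPs are documentation addresses, not real attackers.

```python
import re
from collections import Counter

# Constructed sample lines in the same syslog format as the post's sshd.log
# (not real data; IPs are RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Mar  1 10:00:01 host sshd[1001]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:01 host sshd[1001]: error: PAM: User not known to the underlying authentication module for illegal user admin from 203.0.113.5
Mar  1 10:00:05 host sshd[1002]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 51001 ssh2
Mar  1 10:00:05 host sshd[1002]: error: PAM: Authentication failure for root from 198.51.100.7
Mar  1 10:00:09 host sshd[1003]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 51002 ssh2
Mar  1 10:00:12 host sshd[1004]: Invalid user test from 203.0.113.5
Mar  1 10:00:15 host sshd[1005]: Server listening on 0.0.0.0 port 22.
"""

# One pattern per message type the post counts. The 'error: PAM:' lines are
# left out on purpose: the post notes they duplicate the 'Failed' lines.
ATTEMPT_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)$"),
    re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user \S+|\S+) from (\S+) port \d+"),
]

def attempts_per_ip(log_text):
    """Count failed-login attempts per source IP (the post's byip.txt)."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in ATTEMPT_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts

def attempts_per_country(by_ip, geo):
    """Return {country: (total_attempts, busiest_ip, its_attempts)}.
    `geo` maps IP -> country code; unknown IPs are grouped under '??'."""
    total, top = Counter(), {}
    for ip, n in by_ip.items():
        cc = geo.get(ip, "??")
        total[cc] += n
        if n > top.get(cc, ("", 0))[1]:
            top[cc] = (ip, n)
    return {cc: (total[cc], top[cc][0], top[cc][1]) for cc in total}

# Constructed stand-in for the geoiplookup output the post parses.
GEO = {"203.0.113.5": "AR", "203.0.113.9": "AR", "198.51.100.7": "PL"}

if __name__ == "__main__":
    for cc, (n, ip, top_n) in sorted(attempts_per_country(attempts_per_ip(SAMPLE_LOG), GEO).items()):
        print(f"{cc} {n} (busiest {ip}: {top_n}, {100 * top_n // n}%)")
```

A country whose busiest IP carries most of its total is a single-host case like AR or PL in the post, where blocking one address is more precise than blocking the whole country.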