SSH brute force is on the rise, awk script to count failed SSH attempts

Thu 03 June 2010 in Linux

#awk weekly #Linux

SSH brute forcing is still in high demand. I have , for my own testing and pleasure, virtual servers scattered around the world. All of them being of the Linux/BSD family I manage by SSH. Also I have on purpose no static IP at home for various reasons (saving me money being one of them). And to manage those servers by SSH I implement a very simple security rule – from Any to SSH port allow. Port is left to be standard one – 22. After all that time my server was broken into just once , when I gave access by SSH to the colleague of mine and later he changed the password to something crackable in 5 secs. Since then I - first don’t give ssh access to colleagues :), and second - look from time to time at ssh failed attempts logs for amusement.

My observations so far are :
- ssh brute forcing is still/yet/again extremely popular and increasing . On average after unfirewalled access to port 22 is discovered it goes to ~ 5000-6000 attempts per day . - crackers do have some means of communicating between them (market economy ?) – my servers have static IPs and first days after its set up brute force login attempts are as low as 2-10 a day. But once the server IP has been discovered by determined crackers it goes up in numbers very quickly. - origins of the attacks correlate pretty well with the known sources of Spam/Malware : Brazil, China, US etc. If you’d like to look at your SSH logs and do some stats on failed attempts here is the awk one-liner I use. Enjoy.

awk --re-interval '/authentication failure/ {}
/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]/ {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]/,IP);  IPS[IP[0]]++ } END { for (cracker_ips in IPS) print cracker_ips "  " IPS[cracker_ips]}' /var/log/secure.1 | sort -n -k2

190.202.85.3  1
194.192.14.7  1
212.111.199.3  1
222.124.195.1  1
210.71.71.1  2
89.138.195.1  5
212.156.65.7  25
202.117.51.2  32
210.51.48.7  32
115.146.138.5  47
60.191.98.5  88
174.120.208.5  107
61.129.60.2  165
202.103.180.4  175
213.251.192.2  239
91.82.101.4  242
220.173.60.6  264
12.11.210.3  271
144.16.72.1  291
212.118.5.1  360
66.11.122.1  384
211.160.160.1  703
190.12.66.1  999
83.19.184.3  1176
67.213.8.2  4955
199.187.120.2  5312
95.0.180.2  6680
85.131.163.5  7685

NB Crackers IPs are not sanitized

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.