SSH brute force is on the rise, awk script to count failed SSH attempts

SSH brute forcing is still in high demand. I have, for my own testing and pleasure, virtual servers scattered around the world. All of them being of the Linux/BSD family, I manage them by SSH. Also, I have on purpose no static IP at home for various reasons (saving me money being one of them). And to manage those servers by SSH I implement a very simple security rule – from Any to SSH port allow. The port is left as the standard one – 22. After all that time my server was broken into just once, when I gave SSH access to a colleague of mine and later he changed the password to something crackable in 5 secs. Since then I, first, don’t give SSH access to colleagues :), and second, look from time to time at the SSH failed-attempt logs for amusement.

My observations so far are:
- SSH brute forcing is still/yet/again extremely popular and increasing. On average, after unfirewalled access to port 22 is discovered, it goes to ~5000-6000 attempts per day.
- Crackers do have some means of communicating between them (market economy?) – my servers have static IPs, and in the first days after setup brute force login attempts are as low as 2-10 a day. But once the server IP has been discovered by determined crackers, it goes up in numbers very quickly.
- Origins of the attacks correlate pretty well with the known sources of Spam/Malware: Brazil, China, US etc.

If you’d like to look at your SSH logs and do some stats on failed attempts, here is the awk one-liner I use. Enjoy.

    awk '
      # Count only "authentication failure" lines, keyed by the full IPv4 address on the line
      /authentication failure/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { IPS[substr($0, RSTART, RLENGTH)]++ }
      END { for (cracker_ip in IPS) print cracker_ip "  " IPS[cracker_ip] }
    ' /var/log/secure.1 | sort -n -k2

    1  1  1  1  2  5  25  32  32  47  88  107  165  175  239  242  264  271  291  360  384  703  999  1176  4955  5312  6680  7685

NB: Crackers' IPs are not sanitized.
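An added example, not part of the original post: a variant of the one-liner that takes the source address from the logged field (`rhost=` or the trailing `from ... port`) instead of the first dotted quad on the line, since the user name in the line is client-supplied text, and that can also total failures per day. The function names, the assumed OpenSSH/pam_unix line formats and the sample log lines (documentation IP ranges) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log: typical sshd / pam_unix line shapes, made-up hosts.
sample_log() {
cat <<'EOF'
Mar  3 04:11:02 vps1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 04:11:05 vps1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar  3 04:11:09 vps1 sshd[2104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
Mar  3 09:30:00 vps1 sshd[2200]: Accepted password for yuri from 192.0.2.10 port 51000 ssh2
Mar  4 01:02:03 vps1 sshd[2301]: Failed password for invalid user 10.9.8.7 from 198.51.100.23 port 33990 ssh2
Mar  4 01:02:04 vps1 sshd[2301]: Failed password for invalid user test from 198.51.100.23 port 33991 ssh2
EOF
}

# Usage: count_failed ip|day [FILE...]   (reads stdin when no FILE is given)
# Prints "count key" lines, highest count first. IPv4 only, like the one-liner.
# If your system logs both line types for one attempt, keep only one pattern.
count_failed() {
  key=$1; shift
  awk -v key="$key" '
    { ip = "" }
    # PAM line: rhost= is written before user=, so the leftmost match is the real one
    /authentication failure;/ && match($0, / rhost=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
      ip = substr($0, RSTART + 7, RLENGTH - 7)
    }
    # sshd line: anchor at end of line so an IP-looking user name is ignored
    /Failed password for / && match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port [0-9]+ ssh2$/) {
      split(substr($0, RSTART + 6), f, " "); ip = f[1]
    }
    ip != "" {
      k = (key == "day") ? $1 " " $2 : ip   # syslog date is "Mon DD"
      n[k]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Demo on the constructed sample
sample_log | count_failed ip
sample_log | count_failed day
```

On a real host, point it at the log instead of the sample, for example `count_failed day /var/log/secure.1`.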