Carlos E.R. wrote:
On 03/03/2021 23.24, Per Jessen wrote:
Carlos E. R. wrote:
On 03/03/2021 20.24, Per Jessen wrote:
44'244 attempts over twelve specific servers, 14'963 unique ipv4 addresses from 141 countries.
What do you use to analyze that? Ie, how do you know?
The plain old logfile - /var/log/messages. sshd will log failed login attempts. To analyze it, I grep through the files, then load the data into a database, makes it easier to query.
Ah, ok, you load a database. Ok.
If you want to do more in-depth analysis, it is easier with a database, but you can also get the basic numbers with a tiny bit of scripting:

Look for this message in the logs:

  "Received disconnect from 46.101.245.176 port 49464:11: Bye Bye [preauth]"

The above indicates someone tried to log in, but failed to complete the key exchange.

  xzgrep 'ssh.*Bye.*preauth' "your-compressed-log-files" | sed -e 's/^.*from//' | cut -d' ' -f2 >/tmp/iplist

"/tmp/iplist" now has the list of IP addresses. "wc -l /tmp/iplist" gives you the total number of attempts. "sort -u /tmp/iplist | wc -l" gives you the number of unique addresses.

To look up country codes, you need a geoip database - I have one being served by our in-house DNS, so:

  sort -u /tmp/iplist | while IFS=. read q1 q2 q3 q4
  do
    host -t txt $q4.$q3.$q2.$q1.countries.nerd
  done | tee /tmp/cclist

"/tmp/cclist" now has lines of

  233.74.42.100.countries.nerd descriptive text "us"

Number of unique countries seen:

  grep descriptive /tmp/cclist | cut -d' ' -f4 | sort -u | wc -l

If you need more details, at this point it is easier to use a database, in my opinion, but if you are a wizard with a spreadsheet, that will do too. See my follow-up post in a minute.

-- 
Per Jessen, Zürich (8.8°C)
Per Jessen wrote:
If you need more details, at this point it is easier to use a database, in my opinion, but if you are a wizard with a spreadsheet, that might do too. See my follow-up post in a minute.
When you are looking at a lot of data or you need more in-depth analysis, I find that using a sql database is easier. I use mariadb, but it doesn't really matter what you pick:

  create table sshattack (
    ts   datetime not null,
    host char(20) not null,
    ipv4 char(15) not null,
    cc   char(2)
  ) charset=ascii;

  xzcat "your-compressed-log-files" | grep 'ssh.*Bye.*preauth' |
  while read ts host sshd rcvd disc from ipv4 rest
  do
    printf "insert into sshattack (ts,host,ipv4) values('%s','%s','%s');\n" $ts $host $ipv4
  done | mysql -u carlos -p -Ddb_sandbox

(the above assumes you use iso format timestamps in your logs).

Now you need to add the countrycodes - you can do this concurrently/iteratively, although it might slow down the loading:

  mysql -u carlos -p -Ddb_sandbox -NB \
    -e 'select distinct ipv4 from sshattack where cc is null' |
  while IFS=. read q1 q2 q3 q4
  do
    cc=$(host -t txt $q4.$q3.$q2.$q1.countries.nerd | head -1 |
         grep descriptive | cut -d\" -f2)
    printf "update sshattack set cc='%s' where ipv4='%s.%s.%s.%s';\n" \
      $cc $q1 $q2 $q3 $q4
  done >list-of-updates

  mysql -u carlos -p -Ddb_sandbox <list-of-updates

I'm still loading data from twelve hosts from all of 2020, it looks like maybe 1.5mill rows. I'll be back with an update later.

-- 
Per Jessen, Zürich (11.7°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
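The same two steps from the posts above (extract the pre-auth disconnects and count attempts/unique addresses, then load them into a table and fill in country codes) as an added, self-contained example; this is not Per's code and not from the thread. It uses Python's bundled sqlite3 instead of mariadb, constructed log lines in the ISO-timestamp syslog layout the thread assumes, and a hypothetical fake_country_lookup() table standing in for the countries.nerd TXT lookup. Two details differ deliberately from the shell version: inserts and updates are parameterized rather than built with printf, so a value never becomes part of the SQL text, and a failed lookup leaves cc NULL (so it is retried next run) instead of writing an empty string.

```python
import re
import sqlite3

# Constructed sample lines (not real log data). Lines 1, 2, 3 and 5 are
# pre-auth disconnects; the other two are normal sshd noise that must be skipped.
SAMPLE_LOG = """\
2020-01-05T03:14:07 web1 sshd[2117]: Received disconnect from 203.0.113.9 port 49464:11: Bye Bye [preauth]
2020-01-05T03:14:09 web1 sshd[2118]: Received disconnect from 203.0.113.9 port 49470:11: Bye Bye [preauth]
2020-01-05T03:15:31 web2 sshd[991]: Received disconnect from 198.51.100.23 port 40022:11: Bye Bye [preauth]
2020-01-05T03:16:02 web1 sshd[2120]: Accepted publickey for alice from 192.0.2.10 port 50234 ssh2
2020-01-05T03:17:45 web3 sshd[4410]: Received disconnect from 192.0.2.77 port 38812:11: Bye Bye [preauth]
2020-01-05T03:18:00 web2 sshd[993]: Disconnected from authenticating user root 198.51.100.23 port 40030 [preauth]
"""

# Equivalent of grep 'ssh.*Bye.*preauth' plus the sed/cut that pulls out the address,
# but anchored on the fields so a stray "from" elsewhere in a line cannot mislead it.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Received disconnect from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+:\d+: .*Bye.*\[preauth\]$'
)


def parse_preauth_disconnects(text):
    """Return (ts, host, ipv4) for every pre-auth disconnect line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m['ts'], m['host'], m['ip']))
    return events


def summarize(events):
    """The two numbers the shell one-liners give: total attempts and unique addresses."""
    ips = [ip for _, _, ip in events]
    return {"attempts": len(ips), "unique_ips": len(set(ips))}


def load_into_db(conn, events):
    """Same table layout as the thread's create table, loaded with parameterized inserts."""
    conn.execute(
        "create table if not exists sshattack "
        "(ts text not null, host text not null, ipv4 text not null, cc text)"
    )
    conn.executemany("insert into sshattack (ts, host, ipv4) values (?, ?, ?)", events)
    conn.commit()


def fake_country_lookup(ip):
    """Hypothetical stand-in for the countries.nerd TXT lookup; mapping is constructed."""
    table = {"203.0.113.9": "us", "198.51.100.23": "de", "192.0.2.77": "us"}
    return table.get(ip)


def add_country_codes(conn, lookup):
    """Fill in cc for every distinct address that has none yet, one lookup per address."""
    rows = conn.execute("select distinct ipv4 from sshattack where cc is null").fetchall()
    for (ip,) in rows:
        cc = lookup(ip)
        if cc:  # unknown address stays NULL so the next run retries it
            conn.execute("update sshattack set cc = ? where ipv4 = ?", (cc, ip))
    conn.commit()


def attempts_per_country(conn):
    """Per-country attempt counts; a NULL cc would show up under key None."""
    return dict(conn.execute("select cc, count(*) from sshattack group by cc").fetchall())


def run_report(text, lookup=fake_country_lookup):
    """End-to-end: parse, count, load, enrich with country codes, and report."""
    events = parse_preauth_disconnects(text)
    conn = sqlite3.connect(":memory:")
    load_into_db(conn, events)
    add_country_codes(conn, lookup)
    per_country = attempts_per_country(conn)
    report = summarize(events)
    report["per_country"] = per_country
    report["unique_countries"] = len([cc for cc in per_country if cc is not None])
    return report


if __name__ == "__main__":
    print(run_report(SAMPLE_LOG))
```

On a real host, replace SAMPLE_LOG with the output of xzcat over the rotated files and fake_country_lookup with a resolver for whichever geoip source you have; everything else stays the same.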