Carlos E.R. wrote:
On 03/03/2021 23.24, Per Jessen wrote:
Carlos E. R. wrote:
On 03/03/2021 20.24, Per Jessen wrote:
44'244 attempts over twelve specific servers, 14'963 unique ipv4 addresses from 141 countries.
What do you use to analyze that? I.e., how do you know?
The plain old logfile - /var/log/messages. sshd will log failed login attempts. To analyze it, I grep through the files, then load the data into a database, makes it easier to query.
Ah, ok, you load a database. Ok.
If you want to do more in-depth analysis, it is easier with a database, but you can also get the basic numbers with a tiny bit of scripting:

Look for this message in the logs:

  "Received disconnect from 46.101.245.176 port 49464:11: Bye Bye [preauth]"

The above indicates someone tried to log in, but failed to complete the key exchange.

  xzgrep 'ssh.*Bye.*preauth' "your-compressed-log-files" | sed -e 's/^.*from//' | cut -d' ' -f2 >/tmp/iplist

"/tmp/iplist" now has the list of IP addresses.

"wc -l /tmp/iplist" gives you the total number of attempts.

"sort -u /tmp/iplist | wc -l" gives you the number of unique addresses.

To look up country codes, you need a geoip database - I have one being served by our in-house DNS, so:

  sort -u /tmp/iplist | while IFS=. read q1 q2 q3 q4
  do
    host -t txt $q4.$q3.$q2.$q1.countries.nerd
  done | tee /tmp/cclist

"/tmp/cclist" now has lines of

  233.74.42.100.countries.nerd descriptive text "us"

Number of unique countries seen:

  grep descriptive /tmp/cclist | cut -d' ' -f4 | sort -u | wc -l

If you need more details, at this point it is easier to use a database, in my opinion, but if you are a wizard with a spreadsheet, that will do too. See my follow-up post in a minute.

--
Per Jessen, Zürich (8.8°C)
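As an added illustration (not Per's own commands), here are the counting steps above as a small POSIX shell script, run over a handful of constructed sshd log lines instead of /var/log/messages. The sed-based extraction does not depend on the timestamp format, and geoip_qname only builds the reversed-octet query name for a DNS geoip zone such as the countries.nerd zone mentioned above; it does not query anything.

```shell
#!/bin/sh
# Added example, not code from the thread. The log lines below are constructed
# for this script; hosts, PIDs and addresses are made up.
SAMPLE_LOG='2021-03-03T20:24:01+01:00 mx1 sshd[4711]: Received disconnect from 46.101.245.176 port 49464:11: Bye Bye [preauth]
2021-03-03T20:24:09+01:00 mx1 sshd[4712]: Received disconnect from 203.0.113.7 port 51234:11: Bye Bye [preauth]
2021-03-03T20:25:30+01:00 mx2 sshd[813]: Received disconnect from 46.101.245.176 port 49500:11: Bye Bye [preauth]
2021-03-03T20:26:02+01:00 mx2 sshd[815]: Accepted publickey for per from 192.0.2.10 port 40000 ssh2
2021-03-03T20:27:45+01:00 mx1 sshd[4720]: Received disconnect from 198.51.100.23 port 60010:11: Bye Bye [preauth]'

# One IPv4 address per line, one line per failed pre-auth attempt.
# The regex anchors on the message text, so the timestamp layout does not matter.
extract_ips() {
    printf '%s\n' "$SAMPLE_LOG" |
    grep 'sshd.*Received disconnect from .*preauth' |
    sed -e 's/^.*Received disconnect from \([0-9.]*\) port .*$/\1/'
}

# Total attempts and distinct source addresses (tr strips wc's padding on some systems).
count_attempts() { extract_ips | wc -l | tr -d ' '; }
count_unique()   { extract_ips | sort -u | wc -l | tr -d ' '; }

# "address count" pairs, most frequent source first.
top_sources() { extract_ips | sort | uniq -c | sort -rn | awk '{print $2, $1}'; }

# Reverse the octets of $1 and append zone $2, giving the name you would hand
# to "host -t txt" for a DNS-based geoip zone (assumed layout, as in the thread).
geoip_qname() {
    echo "$1" | { IFS=. read q1 q2 q3 q4; echo "$q4.$q3.$q2.$q1.$2"; }
}

echo "attempts: $(count_attempts), unique addresses: $(count_unique)"
top_sources
geoip_qname 46.101.245.176 countries.nerd
```

On the constructed sample this reports 4 attempts from 3 addresses, with 46.101.245.176 seen twice; on real logs, replace the SAMPLE_LOG variable with xzcat of the compressed files.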
Per Jessen wrote:
If you need more details, at this point it is easier to use a database, in my opinion, but if you are a wizard with a spreadsheet, that might do too. See my follow-up post in a minute.
When you are looking at a lot of data or you need more in-depth
analysis, I find that using a sql database is easier. I use mariadb,
but it doesn't really matter what you pick:
  create table sshattack (ts datetime not null, host char(20) not null,
                          ipv4 char(15) not null, cc char(2)) charset=ascii;

  xzcat "your-compressed-log-files" |
  grep 'ssh.*Bye.*preauth' |
  while read ts host sshd rcvd disc from ipv4 rest
  do
    # each statement needs its ';' terminator for the mysql client
    printf "insert into sshattack (ts,host,ipv4) values('%s','%s','%s');\n" \
      "$ts" "$host" "$ipv4"
  done | mysql -u carlos -p -Ddb_sandbox
(the above assumes you use iso format timestamps in your logs).
Now you need to add the countrycodes - you can do this
concurrently/iteratively, although it might slow down the loading:
  mysql -u carlos -p -Ddb_sandbox -NB \
    -e 'select distinct ipv4 from sshattack where cc is null' |
  while IFS=. read q1 q2 q3 q4
  do
    cc=$(host -t txt $q4.$q3.$q2.$q1.countries.nerd | head -1 |
         grep descriptive | cut -d'"' -f2)
    # "$cc" quoted so an empty lookup result cannot shift the arguments
    printf "update sshattack set cc='%s' where ipv4='%s.%s.%s.%s';\n" \
      "$cc" $q1 $q2 $q3 $q4
  done >list-of-updates

  mysql -u carlos -p -Ddb_sandbox <list-of-updates
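As an added example (not Per's script), the loading and country-code steps above as a POSIX shell script that emits SQL text only; nothing here talks to mysql, the output is what you would pipe into "mysql -u carlos -p -Ddb_sandbox". It goes a little beyond the thread in two places: the parser handles both ISO-8601 and traditional syslog timestamps (the positional "read" above only works for the ISO form), and the update generator skips addresses whose lookup returned nothing, so they stay NULL and get retried on the next run. The log lines and the lookup answers are constructed; the countries.nerd zone name is taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample log: one ISO-8601 line, one
# traditional syslog line, one successful login that must be ignored.
SAMPLE_LOG='2021-03-03T20:24:01+01:00 mx1 sshd[4711]: Received disconnect from 46.101.245.176 port 49464:11: Bye Bye [preauth]
Mar  3 20:25:30 mx2 sshd[813]: Received disconnect from 203.0.113.7 port 49500:11: Bye Bye [preauth]
Mar  3 20:26:02 mx2 sshd[815]: Accepted publickey for per from 192.0.2.10 port 40000 ssh2'

# Print "ts<TAB>host<TAB>ipv4" per failed attempt, ts normalised to
# "YYYY-MM-DD HH:MM:SS". Syslog lines carry no year, so the caller supplies it
# (assumption: the log covers a single year; default 2021).
parse_attempts() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v year="${1:-2021}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i in m) mon[m[i]] = sprintf("%02d", i)
    }
    /sshd\[[0-9]+\]: Received disconnect from .*\[preauth\]/ {
        if ($1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/) {
            # ISO timestamp is one field: date "T" time [offset]
            ts = substr($1, 1, 10) " " substr($1, 12, 8); host = $2; ip = $7
        } else {
            # "Mar  3 20:25:30" is three fields
            ts = sprintf("%s-%s-%02d %s", year, mon[$1], $2, $3); host = $4; ip = $9
        }
        print ts "\t" host "\t" ip
    }'
}

# Double single quotes so a value is safe inside '...' in SQL (hostnames are
# free text in syslog; ts and ip are already constrained by the parser).
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# One INSERT per attempt, each terminated with ';' so the mysql client runs it.
to_sql() {
    parse_attempts "$1" |
    while IFS="$(printf '\t')" read -r ts host ip
    do
        printf "insert into sshattack (ts,host,ipv4) values('%s','%s','%s');\n" \
            "$(sql_quote "$ts")" "$(sql_quote "$host")" "$ip"
    done
}

# Constructed "host -t txt" answers in the shape shown in the thread; the
# second address got no answer at all.
SAMPLE_LOOKUPS='176.245.101.46.countries.nerd descriptive text "de"
7.113.0.203.countries.nerd
23.100.51.198.countries.nerd descriptive text "us"'

# One UPDATE per address with a well-formed two-letter code; addresses with
# no or an odd answer are skipped so cc stays NULL and a rerun retries them.
cc_updates() {
    printf '%s\n' "$SAMPLE_LOOKUPS" |
    while read -r qname rest
    do
        cc=$(printf '%s\n' "$rest" | grep descriptive | cut -d'"' -f2)
        case "$cc" in
            [a-z][a-z]) ;;
            *) continue ;;
        esac
        # qname is q4.q3.q2.q1.zone: put the octets back in order
        ip=$(printf '%s\n' "$qname" | awk -F. '{print $4 "." $3 "." $2 "." $1}')
        printf "update sshattack set cc='%s' where ipv4='%s';\n" "$cc" "$ip"
    done
}

to_sql 2021
cc_updates
```

Run as is it prints two INSERT and two UPDATE statements; for real data, replace the two SAMPLE_ variables with xzcat of the logs and the output of the host lookups, and pipe the result into mysql.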