

Visualised: 24 hours of SSH attacks against a single server - Kura
http://syslog.tv/2012/03/02/visualised-24-hours-of-ssh-attacks-against-a-single-server/

======
philp
Hey Kura,

I'm going to go ahead and assume that you're the same person who created the
video.

Any chance you could give an overview of how you made this visualization
possible? Maybe share the code or explain what components you used / how they
interact?

Either way, thanks for sharing :)

~~~
Kura
Philp, I am indeed the creator of the video.

I used this article as my basis -
[http://www.wallix.org/2012/02/29/pylogsparser-visualizing-ss...](http://www.wallix.org/2012/02/29/pylogsparser-visualizing-ssh-attacks-in-video/)

The article linked above was a good starting ground but for the amount of
processing I needed to it was by no means fast enough or efficient enough, so
I rewrote a bunch of it and put the source online here -
<https://github.com/kura/ssh-attack-visualisation/>

It is all written in Python with heavy usage of Numpy.

------
alexhawdon
Did something similar a couple of years back:
[http://pythoneering.blogspot.com/2009/12/one-that-wasnt-game...](http://pythoneering.blogspot.com/2009/12/one-that-wasnt-game.html)

------
NathanKP
I wish this traced the IP to the city level. It would be interesting, I think, to
see which cities have high amounts of malicious traffic.

~~~
slug
Anyone know if there is a _free_ geoip lookup database with city level
detail? If not, is there a way of crowdsourcing this somehow? If I'm not
mistaken gps+phone probably wouldn't work since the IP addresses seem to be
more or less random.

Google seems to know wifi routers' locations, but afaik they use their
streetcar fleet to create it. It was funny some time ago that after moving
cities but keeping the same wifi router, my detected location was still at the
old place. Eventually it got corrected.

~~~
jacquesm
This one is pretty good:

<http://www.hostip.info/>

~~~
slug
thanks!

------
micro-ram
Anyone know of something that will block all IPs except Comcast.net, for
example?

------
hackermom
Oy... Just shove your sshd off to another port already!

~~~
maratd
Even better, just use iptables to drop any connection that is outside of a
certain IP range or your static IP or your domain name. It will eliminate all
of those attacks and port scanning won't help them. It doesn't mean someone
can't get in, but it will eliminate the script kiddies.

~~~
spc476
I have a script (easy when one embeds Lua inside syslogd) that checks for
failed ssh logins and after a few failed attempts, blocks the address via
iptables (and another script to remove such blocks after a few hours to keep
iptables entries from piling up).

~~~
icebraining
That's essentially what DenyHosts[1] and fail2ban[2] do, except they're more
complex (the former has blacklist sharing, while the latter supports more than
ssh).

[1]: <http://denyhosts.sourceforge.net/index.html>

[2]: <http://www.fail2ban.org/wiki/index.php/Main_Page>
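As an added illustration of the syslog-driven blocking spc476 describes above, which icebraining compares to DenyHosts and fail2ban (example code written for this page, not taken from the thread or from either project): it parses constructed sshd log lines, flags any source with three failed passwords inside ten minutes, and renders the iptables DROP rule together with the matching delete rule and its expiry time. The threshold, window, four-hour ban, the assumed year 2012 and the sample addresses are all my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in classic syslog format (not from the page).
SAMPLE_LOG = """\
Mar  2 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  2 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  2 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  2 10:00:09 host sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar  2 10:00:12 host sshd[1005]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar  2 11:30:00 host sshd[1006]: Failed password for root from 203.0.113.9 port 40010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_timestamp(ts, year=2012):
    """Syslog lines carry no year; assume one (the thread's year) so times compare."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def failed_attempts(log_text):
    """Map each source IP to the sorted timestamps of its failed password attempts."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts[m.group("ip")].append(parse_timestamp(m.group("ts")))
    return {ip: sorted(times) for ip, times in attempts.items()}

def addresses_to_block(log_text, threshold=3, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`; value is when the threshold was crossed."""
    blocked = {}
    for ip, times in failed_attempts(log_text).items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocked[ip] = times[i + threshold - 1]
                break
    return blocked

def iptables_commands(blocked, ban_hours=4):
    """Render the block rule, the matching unblock rule and its expiry time; nothing is executed."""
    return [(f"iptables -I INPUT -s {ip} -j DROP", f"iptables -D INPUT -s {ip} -j DROP",
             when + timedelta(hours=ban_hours)) for ip, when in sorted(blocked.items())]
```

The single failure from 198.51.100.7 (a host that also logged in successfully) stays below the threshold, which is the kind of false positive a naive per-line block would produce.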

