.:Computer Defense:.

A couple of weeks ago, I posted regarding the logs of some SSH bruce force attempts I had logged on my server, and was looking through. One of the comments was asking for geolocation of the IP Addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the IPs that I had. I'm actually fairly impressed with the service, you can do 20 lookups per IP per day unregistered and if you register you can do 200 lookups per IP per day. I registered and then pasted my entire list into a textbox they provide and it looked them all up at once and provided the results.

Here are the screenshots. It was a small set of IPs, but the top three countries were China, USA, Poland.

Quite a while ago I modified an instance of sshd to log the client version and password for every attempted login. I then set it listening on a seperate interface that I never log into. I finally got a chance to parse the logs (3 grep lines to dump data from the auth logs and 27 lines of python to generate a CSV to load in excel). The result was 12,214 attempts from 27 different source addresses.

The top 10 offending IPs were:

On the username side, root came in at number one (did anyone not see that coming?) and the top 10 usernames accounted for roughly 1/3 of the attempts:

I also don't think that there's much of a surprise with the top 10 passwords:

I will most likely post the file going forward or release additional numbers (I'll admit that I'm kinda curious to read through all the usernames used),  either way, there will be more data.