Visualised: 24 hours of SSH attacks against a single server (syslog.tv)
40 points by Kura on March 3, 2012 | hide | past | favorite | 17 comments



Hey Kura,

I'm going to go ahead and assume that you're the same person who created the video.

Any chance you could give an overview of how you made this visualization possible? Maybe share the code or explain what components you used / how they interact?

Either way, thanks for sharing :)


Philp, I am indeed the creator of the video.

I used this article as my basis - http://www.wallix.org/2012/02/29/pylogsparser-visualizing-ss...

The article linked above was a good starting ground, but for the amount of processing I needed to do it was by no means fast enough or efficient enough, so I rewrote a bunch of it and put the source online here - https://github.com/kura/ssh-attack-visualisation/

It is all written in Python with heavy usage of Numpy.
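The first step of any such visualisation is turning raw sshd log lines into per-source, per-hour counts. The following is an added example written for this thread, not code from the linked repository or the Wallix article; the log lines are constructed samples in the auth.log format, and the year is passed in explicitly because syslog timestamps do not carry one.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log
# (addresses are from the RFC 5737 documentation ranges; not the video's data).
SAMPLE_AUTH_LOG = """\
Mar  3 00:01:12 host sshd[2143]: Failed password for root from 203.0.113.7 port 4512 ssh2
Mar  3 00:01:15 host sshd[2143]: Failed password for root from 203.0.113.7 port 4513 ssh2
Mar  3 00:01:19 host sshd[2145]: Failed password for invalid user oracle from 203.0.113.7 port 4514 ssh2
Mar  3 00:02:40 host sshd[2150]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Mar  3 01:10:02 host sshd[2201]: Accepted publickey for kura from 192.0.2.10 port 40022 ssh2
Mar  3 01:15:33 host sshd[2210]: Failed password for invalid user test from 198.51.100.23 port 51100 ssh2
Mar  3 01:15:34 host sshd[2210]: Connection closed by 198.51.100.23
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user oracle from ..."; the user group captures
# the name in either form.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2012):
    """Return a list of (datetime, source_ip, username) for each failed password."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not attack attempts
        # Syslog omits the year, so it is supplied by the caller (assumption: 2012).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when, m["ip"], m["user"]))
    return events


def attempts_per_hour(events):
    """Map hour-of-day -> Counter of attempts per source IP: one bucket per frame."""
    buckets = defaultdict(Counter)
    for when, ip, _ in events:
        buckets[when.hour][ip] += 1
    return buckets


def top_sources(events, n=5):
    """Most active source addresses over the whole period."""
    return Counter(ip for _, ip, _ in events).most_common(n)


def top_usernames(events, n=5):
    """Most frequently guessed usernames (root normally dominates)."""
    return Counter(user for _, _, user in events).most_common(n)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    for hour, counts in sorted(attempts_per_hour(evs).items()):
        print(f"{hour:02d}:00", dict(counts))
    print("top sources:", top_sources(evs))
    print("top usernames:", top_usernames(evs))
```

The per-hour Counters are what a frame renderer would consume (one geolocation lookup per distinct IP, then one frame per bucket); the parser deliberately skips anything that is not a "Failed password" line so successful key logins never appear as attacks.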


Did something similar a couple of years back: http://pythoneering.blogspot.com/2009/12/one-that-wasnt-game...


I wish this traced the IP to the city level. It would be interesting, I think, to see which cities have high amounts of malicious traffic.


Anyone know if there is a free geoip lookup database with city level detail? If not, is there a way of crowdsourcing this somehow? If I'm not mistaken, gps+phone probably wouldn't work since the IP addresses seem to be more or less random.

Google seems to know wifi routers locations, but afaik they use their streetcar fleet to create it. It was funny sometime ago that after moving cities but keeping the same wifi router, my detected location was still at the old place. Eventually it got corrected.


I’ve had good (but not great) results from https://github.com/fiorix/freegeoip . It has you download the database from http://mirrors.ipinfodb.com/ipinfodb/ip_database/current/ipi... , which doesn’t appear to be officially linked anymore (http://ipinfodb.com/ip_database.php).


This one is pretty good:

http://www.hostip.info/


thanks!


It would be possible with a different map and some changes to make this go to city level, I might do that some time in the future but I don't know how much extra work would be required and I assume it would require a whole lot more processing.


Anyone know of something that will block all IPs except Comcast.net, for example?


Oy... Just shove your sshd off to another port already!


Even better, just use iptables to drop any connection that is outside of a certain IP range, or your static IP, or your domain name. It will eliminate all of those attacks, and port scanning won't help them. It doesn't mean someone can't get in, but it will eliminate the script kiddies.


I have a script (easy when one embeds Lua inside syslogd) that checks for failed ssh logins and after a few failed attempts, blocks the address via iptables (and another script to remove such blocks after a few hours to keep iptables entries from piling up).
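The ban-after-N-failures-then-expire logic described above, as an added example that is not the commenter's Lua script or any of the tools mentioned in this thread. It is written in Python to match the rest of the page, takes already-parsed (timestamp, ip) failure events, and returns the iptables command lines it would run rather than executing them, so the decision logic can be exercised offline. The chain and target (INPUT, DROP), the threshold, the sliding window and the ban duration are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class FailedLoginBanner:
    """Count failed SSH logins per source address and decide when to ban/unban.

    record_failure() returns the iptables command that should be run when a
    source crosses the threshold inside the sliding window; expire() returns the
    commands that lift bans older than ban_for (the "cleanup script" role).
    Nothing is executed here; the caller would pass the strings to a shell.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=2)):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned = {}                   # ip -> time the ban was applied

    def record_failure(self, ip, when):
        """Return an iptables command if this failure triggers a ban, else None."""
        if ip in self.banned:
            return None  # already dropped; sshd should not see this source anyway
        # Keep only failures inside the window, so an address that fails slowly
        # over a whole day is not banned on its fifth attempt.
        recent = [t for t in self.failures[ip] if when - t <= self.window]
        recent.append(when)
        self.failures[ip] = recent
        if len(recent) >= self.threshold:
            self.banned[ip] = when
            del self.failures[ip]
            # Assumed rule shape: drop everything from the source on the INPUT chain.
            return f"iptables -I INPUT -s {ip} -j DROP"
        return None

    def expire(self, now):
        """Return the commands that remove bans older than ban_for."""
        cmds = []
        for ip, since in list(self.banned.items()):
            if now - since >= self.ban_for:
                del self.banned[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        return cmds


def run_demo():
    """Constructed scenario: one source fails six times in 15 s, another once."""
    t0 = datetime(2012, 3, 3, 0, 0, 0)
    events = [(t0 + timedelta(seconds=3 * i), "203.0.113.7") for i in range(6)]
    events.append((t0 + timedelta(minutes=1), "198.51.100.23"))
    banner = FailedLoginBanner(threshold=5)
    bans = [c for c in (banner.record_failure(ip, t) for t, ip in events) if c]
    lifted = banner.expire(t0 + timedelta(hours=3))  # cleanup run three hours later
    return bans, lifted


if __name__ == "__main__":
    bans, lifted = run_demo()
    print("ban commands:", bans)
    print("unban commands:", lifted)
```

Two practical caveats for anyone wiring this to a real firewall: exempt your own management addresses before enabling it, since a typo in your own password must not lock you out, and prefer a dedicated chain (or an ipset) over inserting individual rules into INPUT, so that the unban step can remove exactly the rule it added.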


That's essentially what DenyHosts[1] and fail2ban[2] do, except they're more complex (the former has blacklist sharing, while the latter supports more than ssh).

[1]: http://denyhosts.sourceforge.net/index.html

[2]: http://www.fail2ban.org/wiki/index.php/Main_Page


Running SSH on a different port is not a solution; it helps, yes.

You're making assumptions about this video, did you ever think the whole point might be to collate these kind of attacks? =)


It effectively solves the problem of random carpet-bombing, but obviously not the problem of planned attacks. No, it never struck me as being done solely to draw up statistics of the subject, as it has been done a million times already.


Then don't waste your time commenting on it?



