Tracking Login Attempts


I’m an inquisitive person. Maybe it’s because I’m an engineer, but I like learning about new things, whether they’re related to cars, computers or technology in general. So recently when looking through the logs of my Ubuntu server, I discovered many, many failed login attempts for users that didn’t exist. Since my system is accessible via the internet through SSH port 22, I get lots of attempts from bots, or less likely, real people.

In the past I’ve looked up the recorded IP address on the internet and found the offending location (or at least an approximation) but now, with my recent affinity for Python, I decided to automate the process and start a log. Using the free API service from IPInfoDB.com, I wrote a Python script that runs hourly and parses the log file, looks up the location online, then stores everything in a MySQL database. Then I wrote a small PHP page to output the data to a browser in the form of the pretty maps and charts you see on this page. Now I can check the site occasionally and see where the activity is.

What does it all mean?

By looking at the map at the top, you’ll notice that most of the logins are centralized in the United States and eastern Asia. I can’t really say I’m that surprised.

The sample is made up of 352 attempts since February 2nd. You’ll see in the chart that the top 5 countries are:

  • China – 126
  • United States – 77
  • Republic of Korea – 32
  • Turkey – 18
  • India – 13

It’s an interesting list, and I’m curious to see how the numbers will change over time.

Additionally, here is a chart of the top usernames that the attempts had. Not really a surprise here, either. Obviously “attackers”, for lack of a better word, want to gain full access to a machine by using the root username, and most of the other names are for services that typical servers have running (eg. Oracle, mysql, postgres, etc.). What I found most interesting are the one-off attempts: brian, richard, fluffy, stud, gnats and taylour to name a few (really!). Top 5 once again are:

  • root – 255
  • bin – 21
  • nagios – 14
  • oracle – 9
  • test – 4

So what can you do?

If you must have an open SSH connection to the internet, there are a few things you can do to protect your system. There are lots of websites that describe the steps in more details (like this one, or this one or even this one. All of those sites share a few simple tips:

  1. Disable root access
  2. Use keys to access the system instead of passwords
  3. Drop the connection after x login attempts
  4. Use a non-standard port for SSH
  5. Enforce secure passwords

I follow a few of those, mostly because my system isn’t important enough to warrant super hardened measures. Even by disabling root access, you remove 99% of the threats, and requiring a key to log in removes the remaining 1%. I”m not particularly worried about users actually accessing my computer, and by following some of the measures above, that possibility is basically elimininated.

Update — September 23, 2012
A commenter requested the source code for the above system, so I’ve attached it as a zip file. It contains the Python script and web front end. I’ve written instructions as best I can, but please remember it’s a bit of a hack and therefore I can’t provide much support. Follow the readme and it should make sense.

Tagged with: , , ,
3 comments on “Tracking Login Attempts
  1. Xwiggen says:

    * rate limit ssh thru iptables
    * use hosts.allow and hosts.deny to filter ips
    * use pubkey authentication only

  2. Ian Potts says:

    could you post the script’s?

  3. wesgood says:

    Ian, I’ll see what I can do. I’ll try to package them a little better to make installing easier.

Leave a Reply

Your email address will not be published. Required fields are marked *

*