In [None]:
import ipaddress
import re
from collections import Counter
from datetime import datetime

import matplotlib.pyplot as plt
import pandas as pd
import requests
     

In [None]:
# Auth log to analyse. This is the Debian/Ubuntu location; other distributions
# write sshd messages elsewhere (e.g. /var/log/secure), so adjust as needed.
LOG_PATH: str = "/var/log/auth.log"

# Parsed "Failed password" events, one dict per matching line: {'time': ..., 'ip': ...}
failed_logins: list[dict] = []


In [None]:
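# Regex to parse sshd "Failed password" lines from a syslog-style auth.log.
# Group 1: the syslog timestamp ("Mon DD HH:MM:SS"; the day may be space-padded,
#          hence "\s+"). Group 2: the source address. "[\d.]+" matches IPv4 only,
#          so connections from IPv6 peers are silently skipped.
# The text between "for" and "from" (the user name) is attacker-controlled log
# content; it is deliberately not captured here.
pattern = re.compile(r'^(\w{3}\s+\d+\s[\d:]+)\s[\w-]+\s.*sshd.*Failed password.*from\s([\d.]+)')

# Syslog timestamps carry no year. Without one, strptime defaults to 1900 — every
# event lands in the wrong year and "Feb 29" lines raise (1900 is not a leap year).
# Assumes the whole file belongs to the current year; a log spanning New Year
# would need per-line handling — TODO confirm against the rotation policy.
LOG_YEAR = datetime.now().year

# Rebuilt on every run so re-executing this cell does not duplicate entries.
failed_logins = []

with open(LOG_PATH, 'r', encoding='utf-8', errors='ignore') as f:
    for line in f:
        match = pattern.search(line)
        if match is None:
            continue
        timestamp_str, ip = match.groups()
        timestamp = datetime.strptime(f"{LOG_YEAR} {timestamp_str}", "%Y %b %d %H:%M:%S")
        failed_logins.append({'time': timestamp, 'ip': ip})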


In [None]:

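# Build the frame with explicit columns so a log with no matching lines still
# yields 'time' and 'ip' columns instead of a KeyError in the cells below.
df = pd.DataFrame(failed_logins, columns=['time', 'ip'])
df.head()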

In [None]:
# Failed login attempts per source IP, most frequent first
ip_counts = df['ip'].value_counts()
top_offenders = ip_counts.head(10)
print("Top 10 suspicious IPs:\n")
print(top_offenders)

In [None]:
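# Visualize attempts over time, bucketed per hour.
# Lowercase 'h' is the hour alias; uppercase 'H' is deprecated in recent pandas.
hourly_attempts = df.set_index('time')['ip'].resample('h').count()

# Explicit Axes object rather than the pyplot state machine
ax = hourly_attempts.plot(figsize=(10, 4), title='Failed Logins Over Time', grid=True)
ax.set_ylabel("Attempts")
plt.show()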
     

In [None]:
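# Detect brute-force attempts: any source with more failed logins than the
# threshold. 5 is a starting point; tune it against the host's normal rate of
# mistyped passwords to keep false positives down.
BRUTE_FORCE_THRESHOLD = 5

suspicious_ips = ip_counts[ip_counts > BRUTE_FORCE_THRESHOLD]
print(f"\nIPs with >{BRUTE_FORCE_THRESHOLD} failed attempts:\n", suspicious_ips)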
     

In [None]:
# (Optional) Get GeoIP info using ipinfo.io
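def get_ip_info(ip, timeout=5):
    """Look up city, region and country for an IP address via ipinfo.io.

    Args:
        ip: Address to query. Anything that does not parse as an IP address is
            rejected locally and never interpolated into the request URL.
        timeout: Seconds to wait for the HTTP response.

    Returns:
        (city, region, country) taken from the API response, with 'Unknown' /
        '' defaults for missing fields; ("N/A", "N/A", "N/A") on invalid input,
        a network error, a non-2xx status, or a body that is not a JSON object.

    Note: every lookup sends the queried address to a third-party service, so
    it discloses which sources you are investigating. Leave this optional
    enrichment off in sensitive environments or use a local GeoIP database.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "N/A", "N/A", "N/A"
    try:
        response = requests.get(f"https://ipinfo.io/{ip}/json", timeout=timeout)
        response.raise_for_status()
        data = response.json()
    except (requests.RequestException, ValueError):
        # Narrow except: a bare `except:` would also swallow KeyboardInterrupt.
        return "N/A", "N/A", "N/A"
    if not isinstance(data, dict):
        return "N/A", "N/A", "N/A"
    return data.get('city', 'Unknown'), data.get('region', ''), data.get('country', '')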

# Enrich only the five worst offenders; each lookup is a remote request
for ip in suspicious_ips.index[:5]:
    location = get_ip_info(ip)
    print("{} --> {}, {}, {}".format(ip, *location))

     


In [None]:
# Simulate blocking IPs
def block_ip(ip):
    """Simulate blocking a source address by printing what would be done.

    Nothing is changed on the host. If this is ever wired to a real firewall,
    validate the address first and exclude your own management addresses —
    the candidate list is derived from log contents.
    """
    message = f"[!] Blocking IP: {ip} (simulated)"
    print(message)

# Apply the (simulated) block to every flagged source
for offender in suspicious_ips.index:
    block_ip(offender)

     

In [None]:
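# Save results (relative to the notebook's working directory)
OUTPUT_CSV = "suspicious_ips.csv"

# Single source for the path so the message cannot drift from the file written
suspicious_ips.to_csv(OUTPUT_CSV, header=True)
print(f"Saved suspicious IPs to {OUTPUT_CSV}")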
