🔒 Lists of IPs making illegal auth attempts and users used doing so

This set of scripts extracts, from auth attempts or device scanning, the IPs and the users used for those auth attempts.


The top 10 IPs are:

IP Count 11209 11122 10805 10079 9535 5760 5505 5505 5064 4808


Map of first 1000 IPs


The top 10 users are:

User Count
test 10587
admin 8576
user 7008
ubuntu 5348
pi 4460
ftpuser 4375
oracle 4147
postgres 3831
guest 3343
nagios 2495


If you didn't use the fetch script to get your IPs.log and users.log, you can put your auth.log or secure files in import/sources/ (those files are ignored by git, so they won't be uploaded). You then have to import them; refer to the importing section.

If you used the fetch script, put your IPs.log and users.log files in import/ and prefix them to distinguish them from other users' files and devices (please only use letters, numbers, dash and underscore in the prefix - I use a githubusername_devicename pattern)

How and what


The fetch/ script gets from /var/log/auth.log the IPs and users found in the previous day's lines of the log. Hence it has to be run only once a day to get everything without duplicating data.

Moreover, for it to work, the cron has to be able to read /var/log/auth.log or /var/log/secure.


If you're fetching IPs and Users on several devices and want to centralize everything on one, you can put your auth.log or secure files in import/sources/.

Please prefix your auth.log or secure files per device in order to distinguish them. I use a githubusername_devicename pattern (only use letters, numbers, dash and underscore in the prefix, or it won't work).

Counting and sorting

Once enough data is gathered, and IPs.log and users.log are created in import/, the will create unique IPs and users lists, as well as lists with the count of their occurrences in the original logs, sorted in descending order.
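
The fetch and counting steps described above, as an added example rather than the repository's own scripts. It assumes OpenSSH's "Failed password for ..." message format and a year supplied by the caller; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import date, datetime

# The user name is chosen by the remote client, so the greedy user group and
# the end-of-line anchor make the parser take the *last* "from <ip> port <n>".
FAILED = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+(?: ssh2)?$"
)

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE = """\
Apr 10 23:59:58 host sshd[811]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr 11 00:00:03 host sshd[812]: Failed password for invalid user test from 203.0.113.5 port 51234 ssh2
Apr 11 02:14:40 host sshd[840]: Failed password for invalid user test from 203.0.113.5 port 51301 ssh2
Apr 11 02:15:01 host sshd[841]: Failed password for admin from 198.51.100.7 port 40111 ssh2
Apr 11 03:00:00 host sshd[850]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 51400 ssh2
Apr 11 04:00:00 host sshd[860]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
""".splitlines()

def extract(lines, day):
    """Return (ips, users) for failed sshd password attempts logged on `day`."""
    ips, users = [], []
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            # Syslog stamps carry no year; borrow it from the requested day.
            when = datetime.strptime(f"{day.year} {m['stamp']}", "%Y %b %d")
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # impossible date, or a hostname where an IP was expected
        if when.date() == day:
            ips.append(ip)
            users.append(m["user"])
    return ips, users

def counted(values):
    """Unique values with their counts, highest count first."""
    return sorted(Counter(values).items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    ips, users = extract(SAMPLE, date(2019, 4, 11))  # constructed "previous day"
    print(counted(ips), counted(users), sep="\n")
```

The fifth sample line shows why the address is taken from the end of the line: a user name containing " from 192.0.2.1 port 1 ssh2" would otherwise put a client-chosen address into the IP list.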


  • A /var/log/auth.log (or the fetch script will have to be adapted to your auth logging)
  • Python 3


You can run this script on your public facing devices to collect the IPs and users too, and if you want to contribute, please refer to Import section. Once you're done, run ./ if needed, and ./ - commit and then create a pull request.

Note that you will need git lfs for src/ and import/.
