Generates a heatmap of IPs that made failed SSH login attempts on linux systems, using /var/log/auth.log to get failed attempts. Uses the ipinfo.io library to fetch the IP address coordinates, and folium to generate the heatmap.
Set $IPINFO_TOKEN
envvar and run:
$ make install view
It creates virtualenv using pipenv
, run the sshheatmap script in it,
and opens your webbrowser with the heatmap generated from
/var/log/auth.log*
.
- Python >3.11
- folium
- ipinfo
- requests
pip install -r requirements.txt
Use wget (or curl, or git clone) to download the script.
wget https://raw.githubusercontent.com/meesaltena/SSHHeatmap/master/SSHHeatmap.py
Use grep to generate a text file that contains the logging entries of failed ssh connection attempts. Pattern matches login attempts with a password as well as an ssh key.
grep "authentication failure\| Failed password" /var/log/auth.log > failed_attempts.txt
Or use /var/log/secure if /var/log/auth.log doesn't exist
grep "authentication failure\| Failed password" /var/log/secure > failed_attempts.txt
Get a free ipinfo api key.
Run the script, passing the required ipinfo api key. You can run it without arguments buy setting the key manually.
python SSHHeatmap.py -k API_KEY
You can pass additional arguments to set the minimum number of login attempts required for the IP address to be included in the heatmap, and the file name to use for the heatmap.
python SSHHeatmap.py [-h] [-i INPUT] [-t THRESHOLD] [-o OUTPUT] -k API_KEY
- -i INPUT, --input INPUT:
- Input filepath of: grep "authentication failure| Failed password" /var/log/auth.log > [filename] (default: failed_attempts.txt)
- -t THRESHOLD, --threshold THRESHOLD:
- Minimum number of attempts before an ip is included in the heatmap (default: 50)
- -o OUTPUT, --output OUTPUT:
- Filename of the heatmap output (default: heatmap.html)
Open the generated heatmap HTML file in a browser.
- use local geoip database for location lookup instead of ipinfo api call
- add legend to folium map