Generates a heatmap of IP's that made failed SSH login attempts.

meesaltena/SSHHeatmap

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SSHHeatmap

Generates a heatmap of IPs that made failed SSH login attempts on Linux systems, using /var/log/auth.log to find the failed attempts. Uses the ipinfo.io library to look up the coordinates of each IP address, and folium to render the heatmap.

To try it

Set the $IPINFO_TOKEN environment variable and run:

$ make install view

It creates a virtualenv using pipenv, runs the sshheatmap script in it, and opens your web browser with the heatmap generated from /var/log/auth.log*.

Dependencies

  • Python >3.11
  • folium
  • ipinfo
  • requests
pip install -r requirements.txt

Installation & Usage

Use wget (or curl, or git clone) to download the script.

wget https://raw.githubusercontent.com/meesaltena/SSHHeatmap/master/SSHHeatmap.py

Use grep to generate a text file that contains the log entries for failed SSH connection attempts. The pattern matches login attempts with a password as well as with an SSH key.

grep "authentication failure\| Failed password" /var/log/auth.log > failed_attempts.txt

Or use /var/log/secure if /var/log/auth.log doesn't exist:

grep "authentication failure\| Failed password" /var/log/secure > failed_attempts.txt

Get a free ipinfo API key.

Run the script, passing the required ipinfo API key. You can also run it without arguments by setting the key manually.

python SSHHeatmap.py -k API_KEY

You can pass additional arguments to set the minimum number of login attempts an IP address needs before it is included in the heatmap, and the file name to use for the heatmap.

python SSHHeatmap.py [-h] [-i INPUT] [-t THRESHOLD] [-o OUTPUT] -k API_KEY
  • -i INPUT, --input INPUT:
    • Input filepath of: grep "authentication failure| Failed password" /var/log/auth.log > [filename] (default: failed_attempts.txt)
  • -t THRESHOLD, --threshold THRESHOLD:
    • Minimum number of attempts before an ip is included in the heatmap (default: 50)
  • -o OUTPUT, --output OUTPUT:
    • Filename of the heatmap output (default: heatmap.html)

Open the generated heatmap HTML file in a browser.

Possible improvements

  • use local geoip database for location lookup instead of ipinfo api call
  • add legend to folium map

License

MIT
