5 Days of SSHD Stats on a Public IP

Over the last 5 days my pub­licly acces­si­ble sys­tem at 198.61.231.43 has had 5,092 attempted SSH logins from 8 IP Addresses.

Unsur­pris­ingly, the most com­monly attempted ssh user­name is “root”, the default admin­is­tra­tive account on Linux sys­tems.
2013.02.22_sshd_percentchart

What I did find sur­pris­ing, was that most of the IPs gave up after a rel­a­tively low num­ber of attempts.
2013.02.22_sshd_totalchart

Even more so was that for each user­name tried which wasn’t root, the num­ber of pass­words attempted was rarely more than a dozen.
2013.02.22_sshd_userschart

Here are the IPs observed attempt­ing the unau­tho­rized logins:

  • 121.254.179.36
  • 122.194.113.201
  • 193.200.241.222
  • 202.165.179.53
  • 218.26.89.179
  • 37.98.241.242
  • 61.236.64.56
  • 64.237.49.52

All data was col­lected via syslog-ng from an Arch Linux server hosted by Rack­space sent to Splunk Storm

Leave a Reply