5 Days of SSHD Stats on a Public IP

Over the last 5 days my publicly accessible system at 198.61.231.43 has had 5,092 attempted SSH logins from 8 IP addresses.

Unsurprisingly, the most commonly attempted SSH username is "root", the default administrative account on Linux systems.
[image: 2013.02.22_sshd_percentchart]

What I did find surprising was that most of the IPs gave up after a relatively low number of attempts.
[image: 2013.02.22_sshd_totalchart]

Even more so was that for each username tried which wasn't root, the number of passwords attempted was rarely more than a dozen.
[image: 2013.02.22_sshd_userschart]

Here are the IPs observed attempting the unauthorized logins:

  • 121.254.179.36
  • 122.194.113.201
  • 193.200.241.222
  • 202.165.179.53
  • 218.26.89.179
  • 37.98.241.242
  • 61.236.64.56
  • 64.237.49.52

All data was collected via syslog-ng from an Arch Linux server hosted by Rackspace and sent to Splunk Storm.

Tracking SSHD Login Activity in SplunkStorm

After a night out with my wife I decided to create a search for SSHD logins in Splunk Storm. Seeing that port 22 is open to the world on 198.61.231.43, I wonder how long before random bots start attempting to log into it. As a security practitioner it's always interesting to see the effects of just being on the internet, and SplunkStorm is a great way to monitor those effects.

SSHD — Logins (Accepts and Failures)

sshd | rex field=_raw "\]: (?<sshd_action>.*) password for (?<sshd_username>.*) from (?<sshd_ip>.*) port" | search sshd_action="*" | table _time host sshd_action sshd_username sshd_ip

The rex pulls three fields out of each OpenSSH "Accepted password for ..." or "Failed password for ..." line: the action, the username and the source IP. Note that for accounts that do not exist OpenSSH writes "invalid user NAME", so that prefix lands inside sshd_username, and that the search only catches password authentication, not "Accepted publickey" events.

Here’s a look at the result:
[image: sshd_screenshot]
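The Splunk search above and the per-IP and per-username counts from the stats post are the same pipeline: extract action, username and source IP from each sshd line, then aggregate. The following is an added example, not code from the original post, that does both in Python over a constructed sample of syslog lines (the hostname "web1", the process IDs and the non-root usernames are made up; none of it is data from the server in the post). It also splits OpenSSH's "invalid user" prefix off the username so the per-username counts group on the name the attacker actually tried, which the Splunk rex alone does not do.

```python
import re
from collections import Counter

# Python equivalent of the Splunk rex above. sshd_action is "Accepted" or
# "Failed"; the lazy username group stops at the first " from " so that
# "invalid user NAME" is captured whole, as the Splunk search captures it.
SSHD_RE = re.compile(
    r"\]: (?P<sshd_action>\w+) password for (?P<sshd_username>.+?) "
    r"from (?P<sshd_ip>\S+) port (?P<sshd_port>\d+)"
)

INVALID_PREFIX = "invalid user "

# Constructed sample in the format OpenSSH emits via syslog; not real data.
SAMPLE_LOG = """\
Feb 22 01:02:03 web1 sshd[1201]: Failed password for root from 121.254.179.36 port 51022 ssh2
Feb 22 01:02:05 web1 sshd[1201]: Failed password for root from 121.254.179.36 port 51022 ssh2
Feb 22 01:02:07 web1 sshd[1203]: Failed password for invalid user admin from 121.254.179.36 port 51030 ssh2
Feb 22 01:03:10 web1 sshd[1210]: Failed password for root from 218.26.89.179 port 40011 ssh2
Feb 22 01:03:12 web1 sshd[1211]: Failed password for invalid user oracle from 218.26.89.179 port 40012 ssh2
Feb 22 01:03:14 web1 sshd[1211]: Failed password for invalid user oracle from 218.26.89.179 port 40012 ssh2
Feb 22 02:15:00 web1 sshd[1300]: Accepted password for alice from 10.0.0.5 port 50000 ssh2
Feb 22 02:16:00 web1 sshd[1301]: Accepted publickey for alice from 10.0.0.5 port 50001 ssh2
Feb 22 02:17:00 web1 sshd[1302]: Connection closed by 37.98.241.242 [preauth]
"""


def parse_sshd(lines):
    """Yield one dict per password-auth event; non-matching lines are skipped.

    Publickey logins and preauth disconnects do not match, exactly as they
    fall outside the Splunk search above.
    """
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # OpenSSH prefixes unknown accounts with "invalid user"; strip it and
        # keep a flag so the username counts group on the name tried.
        ev["invalid_user"] = ev["sshd_username"].startswith(INVALID_PREFIX)
        if ev["invalid_user"]:
            ev["sshd_username"] = ev["sshd_username"][len(INVALID_PREFIX):]
        yield ev


def summarize(lines):
    """Reproduce the three charts from the stats post.

    per_ip     -> failed attempts per source IP (the "total" chart)
    per_user   -> failed attempts per username (passwords tried per account)
    root_share -> fraction of failures that targeted root (the "percent" chart)
    accepted   -> (username, ip) for successful password logins, worth alerting on
    """
    events = list(parse_sshd(lines))
    failed = [e for e in events if e["sshd_action"] == "Failed"]
    per_ip = Counter(e["sshd_ip"] for e in failed)
    per_user = Counter(e["sshd_username"] for e in failed)
    root_share = per_user["root"] / len(failed) if failed else 0.0
    accepted = [
        (e["sshd_username"], e["sshd_ip"]) for e in events if e["sshd_action"] == "Accepted"
    ]
    return {
        "total_failed": len(failed),
        "per_ip": per_ip,
        "per_user": per_user,
        "root_share": root_share,
        "accepted": accepted,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['total_failed']} failed password attempts from {len(s['per_ip'])} IPs")
    for ip, n in s["per_ip"].most_common():
        print(f"  {ip:<16} {n}")
    print(f"root accounted for {s['root_share']:.0%} of failures")
    for user, n in s["per_user"].most_common():
        print(f"  {user:<10} {n} passwords tried")
    for user, ip in s["accepted"]:
        print(f"ACCEPTED password login: {user} from {ip}")
```

Feeding the script the raw auth log instead of the sample (for example `journalctl -u sshd --no-pager | python3 sshd_stats.py` with a small change to read stdin) gives the same three breakdowns the post charts, and the `accepted` list is the one a practitioner actually wants paged on.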

If you're running syslog-ng, it's super simple to send your logs over to a Splunk instance. Below is what I added to my /etc/syslog-ng/syslog-ng.conf file, where the X's are values provided by your SplunkStorm admin console. Note that a plain tcp() destination ships the logs unencrypted across the internet; syslog-ng can wrap the same destination with its tls() option if the receiving end supports it.

# Ship everything from the existing "src" source to Splunk Storm over TCP.
# Replace the X's with the hostname and port shown in the Splunk Storm admin console.
destination d_splunk { tcp("logsX.splunkstorm.com" port(XXXXX)); };
log { source(src); destination(d_splunk); };