
Brute force stats

Out of curiosity and for my own entertainment, I retrieved a few numbers from the logs of a Debian-based server which is not behind any firewall and which is open for SSH connections on port 22.

Nov 15: ( 122 hits)    1 +  30 failed (= 31),     4 uniq,   4 refused,   4 uniq;   3 new denied
Nov 16: ( 584 hits)   15 + 254 failed (= 269),   28 uniq,   6 refused,  30 uniq;   6 new denied
Nov 17: ( 330 hits)   10 + 167 failed (= 177),   24 uniq,  19 refused,  24 uniq;   6 new denied
Nov 18: ( 140 hits)    1 +  48 failed (= 49),     7 uniq,   3 refused,   7 uniq;   5 new denied
Nov 19: (1275 hits)  349 + 205 failed (= 554),  314 uniq,  30 refused, 331 uniq;  10 new denied
Nov 20: (4214 hits) 1434 +  57 failed (= 1491), 550 uniq, 230 refused, 602 uniq;  80 new denied
Nov 21: (4102 hits)  783 + 407 failed (= 1190), 573 uniq, 706 refused, 709 uniq; 162 new denied
Nov 22: (2221 hits)  230 + 256 failed (= 486),  266 uniq, 719 refused, 465 uniq;  85 new denied
Nov 23: (2131 hits)  115 + 331 failed (= 446),  153 uniq, 973 refused, 396 uniq;  58 new denied

As is rather obvious, a distributed brute force attack started around November 19 and is still ongoing. It has calmed down a bit, but nearly 1000 actually refused connections in a day is still rather high. (Connections are refused when the IP address is already known to be part of the attack, i.e. failed login attempts from it were recorded earlier.)

The uniq numbers try to give an impression of how many distinct hosts were involved, since a single host generally connects several times. These numbers are not completely accurate, but they come close.

The number of all uniq IP addresses involved from November 19 to 23 is 837. BTW, 40 of these addresses had already been recorded one year ago.

"Code"

For reference, here is the main part of the code I used. Comes with no warranty. Warning: It's quick and dirty, and might leave your pets comatose and incontinent at least for the duration of the attack.

#!/bin/sh
# Counts sshd log lines per day from a concatenated auth.log and the
# matching DenyHosts log. Needs GNU date (-d) and GNU grep/sed.
AUTHLOG=~/auth.log.complete
DENYLOG=~/denyhosts.complete
MONTH="Nov" ; for DAY in 15 16 17 18 19 20 21 22 23 ; do 
  DATE=$(date -d"$MONTH $DAY" +'%b %e')        # syslog style, e.g. "Nov  5"
  ISODATE=$(date -d"$MONTH $DAY" +%Y-%m-%d)    # DenyHosts style, e.g. 2008-11-05
  # all sshd lines of that day
  LOGTOTAL=$(egrep -c "^$DATE .* sshd.*: " $AUTHLOG)
  # failed passwords for existing accounts (reported via PAM)
  AUTHFAIL=$(egrep -c "^$DATE .* sshd.*: \(pam_unix\) authentication failure; logname=.* rhost=" $AUTHLOG)
  # login attempts for accounts that do not exist
  USERINV=$(egrep -c "^$DATE .* sshd.*: Invalid user .* from " $AUTHLOG)
  # connections rejected outright because the host is already denied
  REFUSED=$(egrep -c "^$DATE .* sshd.*: refused connect from " $AUTHLOG)
  # distinct source addresses of the failed logins (sed prints only the host part)
  UNIQHOSTS=$(sed -ne "
    s/^$DATE .* sshd.*: (pam_unix) authentication failure; logname=.* rhost=\([^ ]*\).*$/\1/p
    s/^$DATE .* sshd.*: Invalid user .* from \([^ ]*\)$/\1/p
    " $AUTHLOG | sort -u | wc -l)
  # the same plus the addresses of refused connections; these are logged as
  # IPv4-mapped IPv6 addresses, hence the ::ffff: prefix
  UNIQALL=$(sed -ne "
    s/^$DATE .* sshd.*: (pam_unix) authentication failure; logname=.* rhost=\([^ ]*\).*$/\1/p
    s/^$DATE .* sshd.*: Invalid user .* from \([^ ]*\)$/\1/p
    s/^$DATE .* sshd.*: refused connect from .* (::ffff:\([^ ]*\))$/\1/p
    " $AUTHLOG | sort -u | wc -l)
  # hosts newly added by DenyHosts: every "new denied hosts" line counts once,
  # lines listing several hosts (containing a comma) count twice; rough only
  NEWDENIED2=$(grep -c "$ISODATE .*new denied hosts: .*," $DENYLOG )
  NEWDENIED1=$(grep -c "$ISODATE .*new denied hosts:"     $DENYLOG )
 
  echo "$DATE: ($LOGTOTAL total) $AUTHFAIL + $USERINV failed (= $((AUTHFAIL+USERINV))),\
 $UNIQHOSTS uniq, + $REFUSED refused, $UNIQALL uniq; $((NEWDENIED2+NEWDENIED1)) new denied"
done
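The same per-day counting done in Python, as an added example rather than the author's script: it matches the three sshd message types the loop above greps for, keeps distinct source addresses per day with sets (so the two "uniq" columns are exact rather than approximate), and leaves out the DenyHosts part. The log lines are constructed and use documentation address ranges; the function and pattern names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in auth.log format: PAM failures, invalid users and
# TCP-wrapper refusals. Addresses come from documentation ranges.
SAMPLE_LOG = """\
Nov 19 03:12:01 host sshd[1234]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Nov 19 03:12:05 host sshd[1235]: Invalid user admin from 192.0.2.11
Nov 19 03:12:09 host sshd[1236]: Invalid user test from 192.0.2.11
Nov 19 03:13:00 host sshd[1237]: refused connect from 198.51.100.5 (::ffff:198.51.100.5)
Nov 19 03:14:00 host sshd[1238]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Nov 20 01:00:00 host sshd[1240]: Invalid user oracle from 203.0.113.7
Nov 20 01:00:30 host sshd[1241]: refused connect from 203.0.113.7 (::ffff:203.0.113.7)
"""

# "Nov 19" or "Dec  1": syslog pads single-digit days with a space
PREFIX = r"^(?P<date>[A-Z][a-z]{2} [ \d]\d) .* sshd.*: "
PATTERNS = {
    "authfail": re.compile(PREFIX + r"\(pam_unix\) authentication failure; logname=.* rhost=(?P<host>\S+)"),
    "invalid":  re.compile(PREFIX + r"Invalid user .* from (?P<host>\S+)$"),
    # refused connections carry the address as IPv4-mapped IPv6 (::ffff:a.b.c.d)
    "refused":  re.compile(PREFIX + r"refused connect from \S+ \(::ffff:(?P<host>[^ )]+)\)$"),
}

def daily_stats(log_text):
    """Return {date: counters}; failed_hosts covers logins only, all_hosts adds refusals."""
    stats = defaultdict(lambda: {"authfail": 0, "invalid": 0, "refused": 0,
                                 "failed_hosts": set(), "all_hosts": set()})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            day = stats[m.group("date")]
            day[kind] += 1
            day["all_hosts"].add(m.group("host"))
            if kind != "refused":
                day["failed_hosts"].add(m.group("host"))
            break  # a line belongs to exactly one category
    return stats

def report(stats):
    """One line per day in the same column order as the shell script's echo."""
    lines = []
    for date in sorted(stats):  # string order is fine within a single month
        d = stats[date]
        lines.append(f"{date}: {d['authfail']} + {d['invalid']} failed (= {d['authfail'] + d['invalid']}), "
                     f"{len(d['failed_hosts'])} uniq, {d['refused']} refused, {len(d['all_hosts'])} uniq")
    return lines

if __name__ == "__main__":
    print("\n".join(report(daily_stats(SAMPLE_LOG))))
```

Note that on Nov 20 the refused host is the same one that had already failed a login, so the second uniq column does not grow; the shell script's `sort -u` over all three patterns behaves the same way.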

Discussion

Andreas Schamanek, 2008-11-25 09:35, 2009-02-08 21:36

Updated numbers:

Nov 24: (1531 total)  46 + 202 failed (= 248),  62 uniq, + 887 refused, 325 uniq; 25 new denied
Nov 25: (1190 total)  48 + 110 failed (= 158),  54 uniq, + 682 refused, 256 uniq; 16 new denied
Nov 26: (1401 total) 159 + 167 failed (= 326), 118 uniq, + 422 refused, 224 uniq; 45 new denied
Nov 27: (2322 total) 139 + 571 failed (= 710), 118 uniq, + 403 refused, 206 uniq; 60 new denied
Nov 28: (1417 total)  80 + 245 failed (= 325),  82 uniq, + 391 refused, 179 uniq; 38 new denied
Nov 29: (1503 total) 200 + 210 failed (= 410), 236 uniq, + 391 refused, 363 uniq; 38 new denied
Nov 30: (1728 total) 176 + 267 failed (= 443), 200 uniq, + 505 refused, 330 uniq; 76 new denied
Dec  1: (1885 total) 116 + 505 failed (= 621), 110 uniq, + 475 refused, 263 uniq; 43 new denied
Dec  2: (1130 total) 108 + 167 failed (= 275), 103 uniq, + 394 refused, 224 uniq; 36 new denied
Dec  3: ( 962 total)  90 + 135 failed (= 225),  78 uniq, + 377 refused, 182 uniq; 43 new denied
Dec  4: ( 765 total)  48 + 124 failed (= 172),  49 uniq, + 331 refused, 164 uniq; 17 new denied
Dec  5: ( 909 total)  69 + 174 failed (= 243),  57 uniq, + 299 refused, 147 uniq; 24 new denied
Dec  6: ( 725 total)  55 +  96 failed (= 151),  59 uniq, + 283 refused, 139 uniq; 22 new denied
Dec  7: ( 724 total)  65 +  88 failed (= 153),  68 uniq, + 283 refused, 149 uniq; 18 new denied
Dec  8: ( 923 total)  80 + 287 failed (= 367),  68 uniq, + 224 refused, 125 uniq; 34 new denied
Dec  9: ( 711 total)  50 + 136 failed (= 186),  47 uniq, + 254 refused, 111 uniq; 27 new denied
Dec 10: ( 547 total)  29 +  83 failed (= 112),  31 uniq, + 242 refused, 103 uniq; 16 new denied
Dec 11: ( 957 total) 123 + 161 failed (= 284), 140 uniq, + 209 refused, 204 uniq; 18 new denied
Dec 12: (1051 total) 136 + 145 failed (= 281), 127 uniq, + 270 refused, 189 uniq; 46 new denied
Dec 13: ( 794 total)  83 + 113 failed (= 196),  87 uniq, + 265 refused, 160 uniq; 35 new denied
Dec 14: ( 783 total)  59 + 115 failed (= 174),  49 uniq, + 276 refused, 129 uniq; 26 new denied
Dec 15: ( 700 total)  31 + 107 failed (= 138),  35 uniq, + 291 refused, 117 uniq; 19 new denied
Dec 16: ( 517 total)  26 +  41 failed (=  67),  23 uniq, + 268 refused, 103 uniq; 10 new denied
Dec 17: ( 618 total)  40 + 172 failed (= 212),  37 uniq, + 191 refused, 101 uniq; 17 new denied
Dec 18: ( 509 total)  39 +  88 failed (= 127),  34 uniq, + 159 refused,  80 uniq; 15 new denied
Dec 19: ( 533 total)  36 + 176 failed (= 212),  37 uniq, + 116 refused,  67 uniq; 17 new denied
Dec 20: ( 349 total)  21 +  54 failed (= 75),   20 uniq, + 128 refused,  54 uniq; 12 new denied
Dec 21: ( 325 total)  11 +  50 failed (= 61),   16 uniq, + 121 refused,  51 uniq;  6 new denied
Dec 22: ( 343 total)  18 +  42 failed (= 60),   21 uniq, + 108 refused,  50 uniq;  8 new denied
Dec 23: ( 364 total)  13 + 148 failed (= 161),  18 uniq, +  93 refused,  42 uniq;  9 new denied
Dec 24: ( 190 total)  13 +  51 failed (= 64),   11 uniq, +  22 refused,  16 uniq;  6 new denied
Dec 25: ( 229 total)   4 +  60 failed (= 64),   10 uniq, +  74 refused,  18 uniq;  6 new denied
Dec 26: ( 269 total)   2 +  77 failed (= 79),    7 uniq, +  35 refused,  17 uniq;  4 new denied
Dec 27: (4061 total) 733 + 777 failed (= 1510), 688 uniq, + 158 refused, 706 uniq; 99 new denied
Dec 28: ( 666 total)  33 + 171 failed (= 204),  38 uniq, + 292 refused,  84 uniq; 15 new denied

Feb  1: ( 140 total)  2 +  38 failed (= 40),    6 uniq, +  5 refused,  7 uniq;  4 new denied
Feb  2: ( 263 total)  0 + 154 failed (= 154),   6 uniq, +  9 refused,  7 uniq;  6 new denied
Feb  3: ( 101 total)  0 +   5 failed (= 5),     1 uniq, +  8 refused,  4 uniq;  2 new denied
Feb  4: ( 152 total)  8 +  33 failed (= 41),    6 uniq, +  1 refused,  7 uniq;  3 new denied
Feb  5: ( 707 total)  0 + 163 failed (= 163),   5 uniq, + 11 refused,  7 uniq;  4 new denied
Feb  6: ( 244 total)  0 + 104 failed (= 104),   9 uniq, +  8 refused, 10 uniq;  8 new denied
Feb  7: ( 265 total)  0 +  74 failed (= 74),    4 uniq, +  5 refused,  4 uniq;  3 new denied

[Comment last updated 2009-02-08 21:36]

Andreas Schamanek, 2008-12-06 12:08

Now, Heise wrote about it, though not much: Distributed SSH attacks bypass blacklists (2008-12-05)

blog/081124_brute_force_stats.txt · Last modified: 2009-05-19 09:08 (external edit)