Visualising SSH attacks with R
Feed: R-bloggers.
Author: Iñaki Úcar.
If you have any machine with an SSH server open to the world and you take a look at your logs, you may be alarmed to see so many login attempts from so many unknown IP addresses. DenyHosts is a pretty neat service for Unix-based systems which works in the background reviewing such logs and appending the offending addresses into the hosts.deny
file, thus avoiding brute-force attacks.
The following R snippet may be useful to quickly visualise a hosts.deny
file with logs from DenyHosts. Such file may have comments (lines starting with #
), and actual records are stored in the form
. Therefore, read.table
is more than enough to load it into R. The rgeolocate
package is used to geolocate the IPs, and the counts per country are represented in a world map using rworldmap
:
library(dplyr)
library(rgeolocate)
library(rworldmap)
hosts.deny "/etc/hosts.deny"
db "extdata", "GeoLite2-Country.mmdb", package="rgeolocate")
read.table(hosts.deny, col.names=c("service", "IP")) %>%
pull(IP) %>%
maxmind(db, fields="country_code") %>%
count(country_code) %>%
as.data.frame() %>%
joinCountryData2Map(joinCode="ISO2", nameJoinColumn="country_code") %>%
mapCountryData(nameColumnToPlot="n", catMethod="pretty", mapTitle="Attacks per country")
## 74 codes from your data successfully matched countries in the map
## 2 codes from your data failed to match with a country code in the map
## 168 codes from the map weren't represented in your data
Then, you may consider more specific access restrictions based on IP prefixes…
Article originally published in Enchufa2.es: Visualising SSH attacks with R.
Related
R-bloggers.com offers daily e-mail updates about R news and tutorials on topics such as: Data science, Big Data, R jobs, visualization (ggplot2, Boxplots, maps, animation), programming (RStudio, Sweave, LaTeX, SQL, Eclipse, git, hadoop, Web Scraping) statistics (regression, PCA, time series, trading) and more…
Leave a Reply
You must be logged in to post a comment.