Visualising SSH attacks with R
Feed: R-bloggers.
Author: Iñaki Úcar.
If you have any machine with an SSH server open to the world and you take a look at your logs, you may be alarmed to see so many login attempts from so many unknown IP addresses. DenyHosts is a pretty neat service for Unix-based systems which works in the background reviewing such logs and appending the offending addresses into the hosts.deny file, thus avoiding brute-force attacks.
The following R snippet may be useful to quickly visualise a hosts.deny file with logs from DenyHosts. Such file may have comments (lines starting with #), and actual records are stored in the form read.table is more than enough to load it into R. The rgeolocate package is used to geolocate the IPs, and the counts per country are represented in a world map using rworldmap:
library(dplyr)
library(rgeolocate)
library(rworldmap)hosts.deny "/etc/hosts.deny"
db "extdata", "GeoLite2-Country.mmdb", package="rgeolocate")read.table(hosts.deny, col.names=c("service", "IP")) %>%
pull(IP) %>%
maxmind(db, fields="country_code") %>%
count(country_code) %>%
as.data.frame() %>%
joinCountryData2Map(joinCode="ISO2", nameJoinColumn="country_code") %>%
mapCountryData(nameColumnToPlot="n", catMethod="pretty", mapTitle="Attacks per country")## 74 codes from your data successfully matched countries in the map
## 2 codes from your data failed to match with a country code in the map
## 168 codes from the map weren't represented in your data
Then, you may consider more specific access restrictions based on IP prefixes…
Article originally published in Enchufa2.es: Visualising SSH attacks with R.
Related
R-bloggers.com offers daily e-mail updates about R news and tutorials on topics such as: Data science, Big Data, R jobs, visualization (ggplot2, Boxplots, maps, animation), programming (RStudio, Sweave, LaTeX, SQL, Eclipse, git, hadoop, Web Scraping) statistics (regression, PCA, time series, trading) and more…
Leave a Reply
You must be logged in to post a comment.