Visualizing sshd brute-force attempts

Trying out with some interesting results…

1.—

This one is a Splunk query, run over the span of the last 7 days:

sourcetype="ossec_alerts" rule_number="5710"|
rex field=_raw "Invalid user (?<userid>[^ ]+) from"|
fields + src_ip,userid|fields - _*|
dedup src_ip userid|
outputcsv ssh-atk-attempts-userid-ip

2.—

Then some data massaging on the csv file…

[edit: this is not needed…just output the csv file with the fields in the order you want…and read the next post for better options with 2-column csv inputs]

cat ssh-atk-attempts-userid-ip.csv | 
sed 's/^.*$/&,server/' > ssh-atk-attempts-userid-ip2.csv

3.—

Then running it thru Afterglow and GraphViz’s neato…

cat ssh-atk-attempts-userid-ip2.csv | 
./afterglow.pl | neato -Tgif -o ssh-atk-ip-userid.gif

Seems like very little overlap in the userids that were attempted (with the exception of the few favourites like root, guest, test).  A coordinated/distributed attack perhaps?  Haven’t dug more into the IPs in question, but I’m pretty sure that they’d be broadband addresses, meaning that they are bots.

Of course we could try with a larger timespan, but the result isn’t really readable… The resulting 1MB file (1813 x 1704 px) for over all time in Splunk only looks pretty, and not readable.

[edit: there’re better results in the next post!]

Advertisements

One thought on “Visualizing sshd brute-force attempts”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s