Badguys part 1 - Harvest malicious IP who knocks at your door

Have you ever wondered how many unauthorized login might be attempted on any service exposed to the internet? In this article I'm going to explain how I trace all the attempted logins on my SSH box to get an idea of how many badguys are there on the internet.

My setup:

Failed login attempts can be feteched searching for "Failed password for" in /var/log/auth.log (log file might be different based on your distro):

grep "Failed password for" /var/log/auth.log

Sample output:

We might have 2 different kind of message depending on whether the user is “valid” (i.e. exists, like root) or not on the SSH box; so in order to extract sensible data I've built this one-liner:

grep "Failed password for" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -gr -k1

Explanation:grep "Failed password for" /var/log/auth.log
Extract the lines for each failed login attempt

awk '{print $(NF-3)}'
for each line, extract the last-fourth column only which contains the source IP address

sort
Result are sorted (for the sake of the next command)

uniq -c
Extract only unique occurrences of every source IP

sort -gr -k1
Results are sorted again to create a top-n list

In the end, take a look here where you can find all the logs I'm collecting every once in a while: http://www.readonlymaio.org/sw/index.php?b=badguys

Using the same approach above, we can extract the list of the (distinct) usernames used and build your own users dictionary:

grep "Failed password for" /var/log/auth.log | awk '{print $(NF-5)}' | sort | uniq

Here you can find the list of all the usernames used by the badguys: http://www.readonlymaio.org/sw/badguys/badguys_usernames.txt