{"id":18263187,"url":"https://github.com/ctrlaltdev/illegal-auth-attempts","last_synced_at":"2025-04-04T20:31:05.790Z","repository":{"id":95988697,"uuid":"120498903","full_name":"ctrlaltdev/illegal-auth-attempts","owner":"ctrlaltdev","description":"🔒 Lists of IPs making illegal auth attempts and users used doing so","archived":false,"fork":false,"pushed_at":"2021-06-04T05:25:13.000Z","size":6497,"stargazers_count":13,"open_issues_count":3,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-20T18:11:56.823Z","etag":null,"topics":["auth","infosec","ip","login","scan","security","ssh","user"],"latest_commit_sha":null,"homepage":"https://ctrlalt.dev/IAA","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ctrlaltdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-06T17:46:56.000Z","updated_at":"2023-09-08T17:36:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"36cf210e-79cc-49d1-8a03-2eca23d1091e","html_url":"https://github.com/ctrlaltdev/illegal-auth-attempts","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctrlaltdev%2Fillegal-auth-attempts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctrlaltdev%2Fillegal-auth-attempts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctrlaltdev%2Fillegal-auth-attempts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/ctrlaltdev%2Fillegal-auth-attempts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ctrlaltdev","download_url":"https://codeload.github.com/ctrlaltdev/illegal-auth-attempts/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247246281,"owners_count":20907767,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","infosec","ip","login","scan","security","ssh","user"],"created_at":"2024-11-05T11:10:19.438Z","updated_at":"2025-04-04T20:31:05.784Z","avatar_url":"https://github.com/ctrlaltdev.png","language":"Shell","readme":"[![GitHub release](https://img.shields.io/github/release/ctrlaltdev/illegal-auth-attempts.svg?style=for-the-badge)](https://github.com/ctrlaltdev/illegal-auth-attempts/releases)\n[![licence](https://img.shields.io/github/license/ctrlaltdev/illegal-auth-attempts.svg?style=for-the-badge)](https://github.com/ctrlaltdev/illegal-auth-attempts/blob/master/LICENCE.md)\n![Python](https://img.shields.io/badge/_-Python-4B8BBE.svg?style=for-the-badge)\n![Bash](https://img.shields.io/badge/_-SH-4EAA25.svg?style=for-the-badge)\n\nThis set of scripts aims to extract from auth attempts or device scanning IPs and users used for those auth attempts.\n\n### IPS\n\nThe top 10 IPs are:\n\n| IP              | Count |\n| --------------- | -----:|\n| 103.27.239.2 | 11209 |\n| 116.31.116.2 | 11122 |\n| 116.31.116.27 | 10805 |\n| 123.183.209.139 | 10079 |\n| 216.117.56.68 | 9535 |\n| 103.99.0.188 | 5760 |\n| 59.63.166.104 | 5505 |\n| 61.177.172.64 | 5505 |\n| 18.217.140.251 | 5064 |\n| 
59.63.188.32 | 4808 |\n\n#### Map\n![Map of first 1000 IPs](https://github.com/ctrlaltdev/illegal-auth-attempts/raw/master/map/map.png)\n\n### Users\n\nThe top 10 users are:\n\n| User    | Count |\n| ------- |-----:|\n| test | 10587 |\n| admin | 8576 |\n| user | 7008 |\n| ubuntu | 5348 |\n| pi | 4460 |\n| ftpuser | 4375 |\n| oracle | 4147 |\n| postgres | 3831 |\n| guest | 3343 |\n| nagios | 2495 |\n\n### Files\n\nIf you didn't use the fetch script to get your `IPs.log` and `users.log`, you can put your `auth.log` or `secure` files in `import/sources/` (those files are ignored by git, so they won't be uploaded) - then you have to import them - refer to the Importing section.\n\nIf you used the fetch script, put your `IPs.log` and `users.log` files in `import/` and prefix them to distinguish them from other users' files and devices (please only use letters, numbers, dash and underscore in the prefix - I use a githubusername_devicename pattern).\n\n### How and what\n\n#### Fetching\n\nThe `fetch/fetch.sh` script extracts from `/var/log/auth.log` the IPs and users found in the previous day's log lines. 
Hence it has to be run only once a day to get everything without duplicating data.\n\nMoreover, for it to work, the cron job has to be able to read `/var/log/auth.log` or `/var/log/secure`.\n\n#### Importing\n\nIf you're fetching IPs and users on several devices and want to centralize everything on one, you can put your `auth.log` or `secure` files in `import/sources/`.\n\nPlease prefix your `auth.log` or `secure` files per device in order to distinguish them; I use a githubusername_devicename pattern (only use letters, numbers, dash and underscore in the prefix, or it won't work).\n\n#### Counting and sorting\n\nOnce enough data has been gathered, and the `IPs.log` and `users.log` files are created in `import/`, `IAA.sh` will create unique IPs and users lists, as well as lists with counts of their occurrences in the original logs, sorted in descending order.\n\n#### Prerequisites\n\n- A `/var/log/auth.log` (or the fetch script will have to be adapted to your auth logging)\n- Python 3\n\n### Contributing\n\nYou can run this script on your public-facing devices to collect the IPs and users too, and if you want to contribute, please refer to the Importing section.\nOnce you're done, run `./import.sh` if needed, and `./IAA.sh` - commit and then create a pull request.\n\nNote that you will need Git LFS for `src/` and `import/`.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fctrlaltdev%2Fillegal-auth-attempts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fctrlaltdev%2Fillegal-auth-attempts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fctrlaltdev%2Fillegal-auth-attempts/lists"}