https://github.com/meesaltena/SSHHeatmap

Generates a heatmap of IPs that made failed SSH login attempts.

# SSHHeatmap
Generates a heatmap of IPs that made failed SSH login attempts on Linux systems, using /var/log/auth.log as the source of failed attempts. Uses the ipinfo.io library to fetch the IP address coordinates, and folium to generate the [heatmap](https://xkcd.com/1138/).

## To try it

Set the `$IPINFO_TOKEN` environment variable and run:

```bash
make install view
```

This creates a virtualenv using `pipenv`, runs the sshheatmap script in it,
and opens your web browser with the heatmap generated from
`/var/log/auth.log*`.

## Dependencies
- Python >3.11
- folium
- ipinfo
- requests

```bash
pip install -r requirements.txt
```

## Installation & Usage

Use wget (or curl, or git clone) to download the script.
```bash
wget https://raw.githubusercontent.com/meesaltena/SSHHeatmap/master/SSHHeatmap.py
```

Use grep to generate a text file that contains the log entries of failed SSH connection attempts. The pattern matches login attempts with a password as well as an SSH key.
```bash
grep "authentication failure\| Failed password" /var/log/auth.log > failed_attempts.txt
```
Or use /var/log/secure if /var/log/auth.log doesn't exist:
```bash
grep "authentication failure\| Failed password" /var/log/secure > failed_attempts.txt
```
Get a free [ipinfo](https://ipinfo.io/) API key.

Run the script, passing the required ipinfo API key. You can run it without arguments by setting the key manually.

```bash
python SSHHeatmap.py -k API_KEY
```

You can pass additional arguments to set the minimum number of login attempts required for the IP address to be included in the heatmap, and the file name to use for the heatmap.

```bash
python SSHHeatmap.py [-h] [-i INPUT] [-t THRESHOLD] [-o OUTPUT] -k API_KEY
```

- `-i INPUT`, `--input INPUT`: Input file path, the output of `grep "authentication failure\| Failed password" /var/log/auth.log > [filename]` (default: failed_attempts.txt)
- `-t THRESHOLD`, `--threshold THRESHOLD`: Minimum number of attempts before an IP is included in the heatmap (default: 50)
- `-o OUTPUT`, `--output OUTPUT`: Filename of the heatmap output (default: heatmap.html)

Open the generated heatmap HTML file in a browser.
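
How the grep output above can be reduced to per-IP counts and filtered by the `-t` threshold before any geolocation lookup, as an added example that is not code from SSHHeatmap.py. The function names, regexes and sample lines are assumptions; it assumes OpenSSH and pam_unix log line formats and that the threshold is inclusive.

```python
import ipaddress
import re
from collections import Counter

# The username is attacker-supplied, so greedy ".*" binds to the LAST
# "from <addr> port <n>", which is the part sshd itself appends.
FAILED_PASSWORD = re.compile(r"Failed password for .* from (\S+) port \d+")
# In pam_unix lines rhost= comes before user=, so lazy ".*?" takes the FIRST rhost=.
PAM_FAILURE = re.compile(r"authentication failure;.*?\brhost=(\S+)")

# Constructed sample lines (documentation address ranges, not real log data).
SAMPLE = [
    "Mar  3 10:00:01 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2",
    "Mar  3 10:00:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2",
    "Mar  3 10:00:04 host sshd[812]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root",
    # Username crafted to look like a source address; the real peer is the last one.
    "Mar  3 10:00:05 host sshd[813]: Failed password for invalid user "
    "x from 192.0.2.1 port 1 from 203.0.113.5 port 40114 ssh2",
    # rhost= may hold a hostname instead of an address; it cannot be counted per IP.
    "Mar  3 10:00:06 host sshd[814]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net",
]


def extract_ip(line):
    """Return the source address of a failed-login line, or None if absent or invalid."""
    match = FAILED_PASSWORD.search(line) or PAM_FAILURE.search(line)
    if not match:
        return None
    try:
        # Validate and normalise, so IPv4 and IPv6 are both counted consistently.
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


def count_attempts(lines, threshold=50):
    """Count failures per IP and keep the IPs with at least `threshold` attempts."""
    counts = Counter(ip for ip in map(extract_ip, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(count_attempts(SAMPLE, threshold=2))
```
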

## Possible improvements
- Use a local GeoIP database for location lookups instead of ipinfo API calls
- Add a legend to the folium map

## License
[MIT](https://choosealicense.com/licenses/mit/)