If you have any machine with an SSH server open to the world and you take a look at your logs, you may be alarmed to see so many login attempts from so many unknown IP addresses. DenyHosts is a pretty neat service for Unix-based systems which works in the background reviewing such logs and appending the offending addresses to the hosts.deny file, thus blocking further brute-force attempts.
The following R snippet may be useful to quickly visualise a hosts.deny file with records written by DenyHosts. Such a file may contain comments (lines starting with #), and the actual records are stored in the form
read.table is more than enough to load it into R. The rgeolocate package is used to geolocate the IPs, and the counts per country are represented in a world map using rworldmap.
```r
library(dplyr)
library(rgeolocate)
library(rworldmap)

hosts.deny <- "/etc/hosts.deny"
# GeoLite2 country database shipped with the rgeolocate package
db <- system.file("extdata", "GeoLite2-Country.mmdb", package="rgeolocate")

# read.table skips the comment lines (#) by default; each record is a service and an IP
read.table(hosts.deny, col.names=c("service", "IP")) %>%
  pull(IP) %>%
  maxmind(db, fields="country_code") %>%   # geolocate every IP to a country code
  count(country_code) %>%                  # number of denied hosts per country
  as.data.frame() %>%
  joinCountryData2Map(joinCode="ISO2", nameJoinColumn="country_code") %>%
  mapCountryData(nameColumnToPlot="n", catMethod="pretty", mapTitle="Attacks per country")
```

```
## 74 codes from your data successfully matched countries in the map
## 2 codes from your data failed to match with a country code in the map
## 168 codes from the map weren't represented in your data
```
Then, you may consider more specific access restrictions based on IP prefixes…
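As an added example (not part of the original post), the same first stage in Python rather than R: a parser for the hosts.deny format that skips comment lines and handles the comma- or space-separated client lists hosts_access(5) allows, plus counters per network prefix (useful when deciding prefix-based restrictions) and per country. The sample file, the function names and the geolocation stand-in are all assumptions; a real run would plug a MaxMind reader into the lookup argument.

```python
import ipaddress
from collections import Counter
from typing import Callable, List, Tuple

# Constructed sample of a hosts.deny maintained by DenyHosts (not a real file)
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny: list of hosts that are denied access to local services
# DenyHosts: Mon Jan  1 00:00:00 2024 | sshd: 203.0.113.7
sshd: 203.0.113.7
sshd: 203.0.113.42
ALL: 198.51.100.9, 198.51.100.10
sshd: 192.0.2.1
"""

def parse_hosts_deny(text: str) -> List[Tuple[str, ipaddress._BaseAddress]]:
    """Return (service, address) pairs, skipping '#' comments and blank lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line or ":" not in line:
            continue
        service, _, clients = line.partition(":")
        # hosts_access(5) allows several clients separated by commas or whitespace
        for client in clients.replace(",", " ").split():
            try:
                records.append((service.strip(), ipaddress.ip_address(client)))
            except ValueError:
                continue  # hostnames, wildcards and CIDR ranges are not single addresses
    return records

def count_by_prefix(records, prefixlen: int = 24) -> Counter:
    """Count denied addresses per network prefix to spot clusters from one range."""
    return Counter(str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))
                   for _, addr in records)

def count_by_country(records, lookup: Callable[[ipaddress._BaseAddress], str]) -> Counter:
    """Count per country using a caller-supplied geolocation function."""
    return Counter(lookup(addr) for _, addr in records)

# Hypothetical stand-in for a GeoIP database: documentation ranges mapped to made-up codes
FAKE_GEO = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB"}

def fake_lookup(addr) -> str:
    for net, country in FAKE_GEO.items():
        if addr in ipaddress.ip_network(net):
            return country
    return "??"   # unknown, mirrors the "failed to match" codes in the R output

if __name__ == "__main__":
    recs = parse_hosts_deny(SAMPLE_HOSTS_DENY)
    print(count_by_prefix(recs).most_common(3))
    print(count_by_country(recs, fake_lookup))
```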
Article originally published in Enchufa2.es: Visualising SSH attacks with R.