If you have any machine with an SSH server open to the world and you take a look at your logs, you may be alarmed to see so many login attempts from so many unknown IP addresses. DenyHosts is a pretty neat service for Unix-based systems which works in the background reviewing such logs and appending the offending addresses into the
hosts.deny file, thus avoiding brute-force attacks.
The following R snippet may be useful to quickly visualise a
hosts.deny file with logs from DenyHosts. Such file may have comments (lines starting with
#), and actual records are stored in the form
<service>: <IP>. Therefore,
read.table is more than enough to load it into R. The
rgeolocate package is used to geolocate the IPs, and the counts per country are represented in a world map using
library(dplyr) library(rgeolocate) library(rworldmap) hosts.deny <- "/etc/hosts.deny" db <- system.file("extdata", "GeoLite2-Country.mmdb", package="rgeolocate") read.table(hosts.deny, col.names=c("service", "IP")) %>% pull(IP) %>% maxmind(db, fields="country_code") %>% count(country_code) %>% as.data.frame() %>% joinCountryData2Map(joinCode="ISO2", nameJoinColumn="country_code") %>% mapCountryData(nameColumnToPlot="n", catMethod="pretty", mapTitle="Attacks per country") ## 74 codes from your data successfully matched countries in the map ## 2 codes from your data failed to match with a country code in the map ## 168 codes from the map weren't represented in your data
Then, you may consider more specific access restrictions based on IP prefixes…Article originally published in Enchufa2.es: Visualising SSH attacks with R.