SSH Noise Report, August 2014

Ever seen those odd bot logins on your SSH ports in your syslog? Yeah, me too. If you were wondering where they're from, have a look at this monthly column!

Ever since I described how to track SSH offenders using Google Analytics, I've been collecting those stats and I've been quite itching to report on my findings. Collecting these stats holds some strange sort of fascination for me, so please excuse my enthusiasm. I'll try to report on this monthly from now on; hope some of you are interested enough in reading the reports. The collected data is extracted from syslog and contains any and all interactions with SSH; almost all of these include logins to unknown users or otherwise failed login attempts. This data is collected on several systems, spread over America, Europe and South Africa. More importantly, they're with different providers. None of the systems are owned by Google, in case you were wondering.
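As an added illustration of the syslog extraction step described above (example code written for this page, not the author's data or the analyticsd daemon), here is a small Python parser that pulls the invalid-user and failed-login sshd events out of a constructed syslog sample and counts attempts per source address. The geolocation that the post gets from Google Analytics is not reproduced; the sample lines and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog output (made up for this example, not the
# author's data). Documentation address ranges are used for the sources.
SAMPLE_SYSLOG = """\
Aug 14 03:12:01 web1 sshd[2310]: Invalid user admin from 203.0.113.45
Aug 14 03:12:01 web1 sshd[2310]: input_userauth_request: invalid user admin [preauth]
Aug 14 03:12:03 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Aug 14 03:15:40 web1 sshd[2344]: Failed password for root from 198.51.100.7 port 40210 ssh2
Aug 14 03:15:42 web1 sshd[2344]: Failed password for root from 198.51.100.7 port 40210 ssh2
Aug 14 03:20:11 web1 sshd[2390]: Accepted publickey for deploy from 192.0.2.10 port 53300 ssh2
Aug 14 03:21:00 web1 cron[2401]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One pattern per sshd message type of interest; each captures (user, source).
PATTERNS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)"),
    "failed_password": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+"),
}

def parse_sshd_events(syslog_text):
    """Return a list of (kind, user, source_ip) tuples for every sshd line
    matching one of PATTERNS; lines from other daemons are ignored."""
    events = []
    for line in syslog_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((kind, match.group(1), match.group(2)))
                break
    return events

def failed_attempts_by_source(events):
    """Count real authentication failures per source address. The 'Invalid user'
    line precedes the 'Failed password' line for the same attempt, so counting
    both kinds would double the number of attempts."""
    return Counter(src for kind, _user, src in events if kind == "failed_password")

def top_sources(events, n=5):
    """Most active offending sources, in the spirit of the report's top-five table."""
    return failed_attempts_by_source(events).most_common(n)

if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_SYSLOG)
    for kind, user, src in evs:
        print(f"{kind:16} user={user:8} from={src}")
    print("top sources:", top_sources(evs))
```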

So there we go. This first report contains noise from August 14th to September 12th. First the most interesting part: graphs! Starting with the cities and countries where all that noise on the SSH ports that I'm getting is coming from:

[Figure: Heatmap of SSH crack attempts, August 2014; highlighting cities.]
[Figure: Heatmap of SSH crack attempts, August 2014; highlighting countries.]

In the given time frame, the top five countries where offending connections were coming from were as follows:

3   South Korea     9,415    12,912
4   United States   7,925    13,296

It is perhaps unsurprising that China takes the lead with approximately 48% of the total number of connections, given the sheer number of people and, presumably, computers in that country. It'll be interesting to correlate this with each country's population in a future report. More surprising, however, is that Germany is the second most common source of illicit login attempts, with approximately 10% of the sessions originating there, especially considering the archaic computer security laws in that country and its minuscule population compared to China. Also, none of the systems used to track offenders were actually in Germany, making this an even more surprising result.

South Korea scores a solid third place. It's too early to determine whether this is unusual; let's revisit that next month. About half the IP addresses used for this experiment were in the United States, so it is somewhat odd that they only managed to secure fourth place. All other countries have fairly few incidents associated with them, each under five percent. It'll be interesting to see how this develops over the next few months.

Very surprising so far is that there were virtually no events originating in Africa, especially considering that I do have servers in Johannesburg. Future reports will show whether this is a stable trend or just a fluke this time.

If you're interested, have a look at the full reports taken straight from Google Analytics:

If you're interested in doing a similar experiment, I've since written a node.js daemon called analyticsd that makes it trivially easy to collect this data in combination with Google Analytics.

Hope this satisfies your curiosity like it did mine. If it did, come back in a month for the next report! Enjoy your week and remember to stay safe!

Written by Magnus Deininger.