# How to install sshanalysis on Linux
This research is under review.
sshanalysis has been downloaded by 484 users worldwide.
<pre>
sshanalysis is publicly available and can be installed with pip:
$ pip install -U sshanalysis
</pre>
# How to run sshanalysis on Linux
<pre>
$ sshanalysis your_ssh_log_file
or
$ sshanalysis /var/log/auth.log
or
When you run the following command, /var/log/auth.log is used automatically:
$ sshanalysis
</pre>
# Background of sshanalysis
In 2021, 100% of the world's top 500 supercomputers ran on Linux.
96.3% of the world's top 1 million servers run on Linux.
90% of all cloud infrastructure operates on Linux.
There are well over 1 billion sites on the World Wide Web.
According to wappalyzer.com, web servers run Apache (41%), Nginx (39%), IIS (7%),
and LiteSpeed (5%).
Apache and Nginx are open-source software.
Without Linux and open-source software, the Internet would not exist.
In other words, Linux and open-source software are indispensable to the Internet.
SSH is now used by almost every data center in the world and more than half of the world's Web servers are managed using SSH.
Malicious attackers use true IP (Internet Protocol) addresses, spoofed IPs, and
the IPs of springboard (relay) hosts.
Such a mix of IPs can be used to mount DDoS (Distributed Denial of Service) attacks.
Currently it is hard to distinguish true IPs from spoofed IPs.
Therefore, it is hard to mitigate a DDoS attack.
A botnet (short for "robot network") is a network of computers infected
with malware and under the control of a single attacking party.
There are several general log analysis tools: Graylog, Nagios, Elastic Stack, LOGalyze, and Fluentd.
There are also several open-source tools for analyzing SSH attacks, such as
"ssh-tracker" or "commons-ssh tracker".
This repository introduces a visualization tool, sshanalysis, for investigating the IPs
that attack an SSH server via SSH.
sshanalysis is a new open-source ssh-tracker tool that visualizes all the IPs,
with their country names, that are making SSH attacks against an SSH server.
The top 10 IPs with country names are displayed on a simplified circle graph.
On Debian and Ubuntu, /var/log/auth.log is the log file in which such attacks are recorded.
# auth.log analysis
With read permission on /var/log/auth.log, any user can analyze the IPs attacking
an SSH server.
The following graphs show the number of recorded attacks and the top 10 IPs.
The larger the circle, the more attacks against the SSH server.
Although country names are embedded in each graph,
no one knows whether the captured IPs are true, spoofed, or springboarded.
sshanalysis can list all IPs with their number of recorded attacks.
sshanalysis can also list the top 10 IPs together with their locations (country names).
<img src='https://github.com/y-takefuji/sshanalysis/raw/main/neuro.png' width=640 height=480>
<img src='https://github.com/y-takefuji/sshanalysis/raw/main/gpu1.png' width=640 height=480>
<img src='https://github.com/y-takefuji/sshanalysis/raw/main/gpu2.png' width=640 height=480>
<img src='https://github.com/y-takefuji/sshanalysis/raw/main/gpu3.png' width=640 height=480>
<img src='https://github.com/y-takefuji/sshanalysis/raw/main/gpu4.png' width=640 height=480>
# sshanalysis.py
sshanalysis.py consists of three modules.
The first module generates a CSV file containing the number of recorded attacks
per IP address, sorted, from /var/log/auth.log or the specified log file.
The second module generates the country names associated with the IP addresses captured from the specified log file.
The last module draws the circle graph.
The graph contains the top 10 IPs with country names, where the radius of each circle
indicates the number of attacks.
The larger the circle, the more attacks against the SSH server.
sshanalysis.py generates an IPs file (all attacking IPs with their number of attacks),
a top-10 r.csv file (number of attacks, IP address, country name),
and r.png (the circle graph).
We do not know whether the captured IPs are true, spoofed, or springboarded.
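As an added example, not the tool's own code, here is the counting step of the first module in Python: it matches the sshd "Failed ... for ... from <ip>" lines of a Debian/Ubuntu auth.log, counts rejected attempts per source IP, and emits the sorted CSV. The log lines are constructed (TEST-NET addresses) and the function names are assumptions; the country lookup and the graph are left out.

```python
import csv
import io
import re
from collections import Counter

# One sshd line per rejected authentication attempt. "Invalid user ... from" lines
# are deliberately not matched: sshd logs them in addition to the "Failed ..." line
# for the same attempt, so counting both would double count that attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for .*? from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample of /var/log/auth.log lines (TEST-NET addresses, not real attackers).
SAMPLE_LOG = """\
Jun  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun  3 10:01:15 host sshd[2214]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jun  3 10:01:17 host sshd[2216]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:AAAA
Jun  3 10:01:20 host sshd[2218]: Failed password for invalid user admin from 203.0.113.5 port 40140 ssh2
Jun  3 10:01:22 host sshd[2220]: Invalid user test from 203.0.113.5 port 40150
Jun  3 10:01:25 host sshd[2222]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Jun  3 10:01:30 host sshd[2224]: Failed publickey for root from 198.51.100.7 port 40160 ssh2: RSA SHA256:BBBB
"""

def count_attacks(lines):
    """Map each source IP to its number of rejected SSH authentication attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def top_ips(counts, n=10):
    """The n busiest IPs as (attacks, ip) pairs, most attempts first."""
    return sorted(((c, ip) for ip, c in counts.items()), reverse=True)[:n]

def to_csv(rows):
    """Render (attacks, ip) rows as CSV text, the shape of the tool's IP file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["attacks", "ip"])
    writer.writerows(rows)
    return buf.getvalue()

def analyze_file(path):
    """Read an auth.log (hypothetical helper) and return its top-10 CSV."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return to_csv(top_ips(count_attacks(f)))
```

On the sample, 203.0.113.5 is counted 3 times and 198.51.100.7 twice, while the accepted login from 192.0.2.10 and the duplicate "Invalid user" line are ignored.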
# auth.log
The maximum size of a GitHub file is 25M.
The split command is used to split the auth.log file into multiple files of 20M each:
$ split -b 20M auth.log auth_log
My auth.log was split into two files: auth_logaa and auth_logab.
To recreate auth.log: $ cat auth_log* > auth.log