• Subscribe to the low volume list for updates.

SSH Blacklisting and Attack Visualization

A system of running SSH Blacklisting can quickly devolve into a game of whack a mole as the attacking IP addresses will frequently change. However, in order to reduce noise in your security logging some blacklisting of SSH attackers can be another layer in your defence.

Fail2ban is a script that detects brute force SSH attacks against an SSH server and then uses IP tables or other firewall to block the offending IP address. This reduces noise in your logs from many thousands of failed SSH logins.

The site www.blocklist.de compiles lists of detected attacking IP addresses from fail2ban reports across the Internet.

Using the list that contains all ssh attacks detected for the last 48 hours, we have produced some charts showing the locations and network blocks from where the attacking IP addresses originated. Note that these systems could be the source IP address of an active attacker but are more likely compromised hosts that had poor ssh passwords. The hosts get compromised by an SSH bot script and the host then becomes an active part of the botnet attempting to spread further through simple ssh password guessing.

With the blacklist of ssh attackers I have put together some visualizations of the source addresses. Similar to what I did for the Tor Exit Nodes.

Tips for Securing Your SSH Server

Move your ssh daemon to another port such as 2222
Using a high port is a layer of security in that, it avoids the automated noise that hits 22. Every hour of every day. With cleaner monitoring and logs, when you do see attempts against your high port it is more likely to be an actual targeted attack.
Ensure your passwords are complex and not dictionary based
Commonsense really. Easy passwords are easy to guess. Password lists containing thousands of common passwords including common words with numbers or exclamation marks at the end. Make it hard to guess, make it unique.
Use OSSEC or another monitoring tool
Install OSSEC or another log monitoring HIDS and get some alerts if anyone does hit your SSH server on that high port.

These charts are updated daily with detected attacks from the last 48 hours.

SSH Source Attackers By Country

The locations and net blocks are more an indication of where the compromised hosts are located rather than where the attackers (SSH Bot Masters) are located.

SSH Brute Force Attacks By ASN - Internet Service Provider (Top 20)

SSH Brute Force Attacks by Country (Top 20)

Have you seen our other Free IP and Network Testing tools.
Discover. Explore. Learn.

Next level testing with advanced Security Vulnerability Scanners.
Trusted tools. Hosted for easy access.