SSH Bruteforcing

In December 2007 we deployed our first SSH honeypot, based on a modification of OpenSSH where we in addition to usernames also log passwords. As of today, we have a total of four pots, located on four different Norwegian ISPs. Although we’re still in the process of collecting data, we plan on publishing different kinds of statistics, graphs and analysis on the way. The plan is to do a more thorough analysis later this year, and also publish everything we have, including a complete dump of the ssh database.

Below is a distribution map of all the attacks we’ve registered so far (a total of approximately 1.1 million attacks). Though not the most interesting piece of information, believe it or not, this is what most senior management types wants :)

View a larger version of the map

Not surprisingly, USA and China tops our statistics with almost 320k attacks combined. Otherwise we see attacks coming from almost every corner of the world that have a fair amount of Internet users, though the numbers are in general much lower than for our two countries on top.

If you’re interested in the specific numbers, click here to download a CSV file containing the dataset.

Update: When I posted this yesterday, I commented on the lack of attacks originating from the US, and this made me double check yesterdays result. And for some unknown reason I had limited the queries to only a few of the honeypots, hence missing a lot of significant data. Sorry about that! The map is almost correct now, it’s only missing 894 attacks coming from an unknown origin and 125 attacks which simply resolved to EU (European Union).