@rohan-molloy
Last active March 29, 2020 05:35
### Prints a CSV of the AS origin of SSH intrusion attempts
### Format: as_number,bgp_prefix,country_code,rir_name,date_allocated,num_occurrences
### d7d3db009fd67083faf1276a1b69ebfa097cc5400f202f95551aa94115d7ddcd
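### Only "Failed ..." lines whose source-address field is a dotted-quad IPv4 are used;
### the addresses come from logs, so they are validated before being passed to dig.
### Each address is reversed (1.2.3.4 -> 4.3.2.1.) for the origin.asn.cymru.com TXT lookup.
for ip in $(journalctl -u ssh -u sshd --since "-${period:-1day}"|awk 'NF>3 && /Failed/ && $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $(NF-3)}');
do dig $(tac -s.<<<"$ip.")origin.asn.cymru.com +short txt; done \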
| sort --numeric-sort \
| uniq --count \
| sort --numeric-sort \
| sed 's/ | /,/g' \
| tr -d \" \
| awk '{print $2","$1}' \
| tee ssh-attempts-by-asn-$(date +%s);