
Live Map of IPs Attacking my Server

Cool looking map of all the attacks

What is this map?

This map plots the geo-locations associated with the IP addresses that have attempted to illegally access my ssh server. It is updated hourly and uses data from the last 4 days. Each circle represents one IP address, and the size of the circle reflects the number of attempts that IP address has made.

Why is my country filled with hackers?

Hold on, this map doesn't necessarily tell you who is authorizing these attacks. The attacks could be originating from rented servers on a hosting service like AWS or from compromised computers in a botnet. Hackers, spammers, and other criminals use these techniques to cover their tracks and keep their identities from being discovered. It would be very stupid for a criminal to launch attacks from their home IP address. That being said, you never know.

Where does this data come from?

On most Linux-based operating systems, the file /var/log/auth.log records all the authentication attempts on your computer. So all I do is run through this file looking for log events such as:

May 20 11:51:06 MyComputer sshd[20393]: User root from 121.18.238.115 not allowed because not listed in AllowUsers

This is a fairly common log entry that you might find. The IP 121.18.238.115 is attempting to log in as the user root. On my server I banned the user root from being used over ssh; however, that doesn't stop other nefarious individuals from trying. Gaining access to a computer without the permission of its owner is illegal under US Code §1030, otherwise known as the Computer Fraud and Abuse Act. That's why I consider this log entry to be a single attack attempt originating from the IP address 121.18.238.115.
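Here is a small parser that does the counting step described above, written for this page as an added example (it is not the code behind the map). It reads the syslog-style lines that sshd writes to /var/log/auth.log, extracts the source IP from rejection messages, and counts attempts per IP inside a 4-day window. It goes slightly beyond the single "not listed in AllowUsers" line shown above by also matching the common OpenSSH "Failed password" message; the sample log lines are constructed, and the year is assumed because syslog timestamps don't carry one.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not real log data).
# The first line is the shape discussed on the page; the rest exercise
# the other cases a parser has to handle.
SAMPLE_LOG = """\
May 20 11:51:06 MyComputer sshd[20393]: User root from 121.18.238.115 not allowed because not listed in AllowUsers
May 20 11:51:09 MyComputer sshd[20395]: User root from 121.18.238.115 not allowed because not listed in AllowUsers
May 20 11:52:30 MyComputer sshd[20401]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 20 12:03:11 MyComputer sshd[20410]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
May 16 01:00:00 MyComputer sshd[19000]: User root from 192.0.2.9 not allowed because not listed in AllowUsers
May 20 12:05:44 MyComputer CRON[20420]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# sshd rejection messages that count as one attempt each. The first is the
# AllowUsers rejection from the page; the second is OpenSSH's wording for a
# wrong password (assumed standard wording). "Invalid user ..." lines are
# deliberately not matched, since they accompany a "Failed password for
# invalid user ..." line and would double-count the same attempt.
FAILURE_PATTERNS = [
    re.compile(r"User \S+ from " + IPV4 + r" not allowed because"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from " + IPV4),
]

# syslog timestamps look like "May 20 11:51:06" (15 chars, day space-padded)
TIMESTAMP_WIDTH = 15


def parse_attempt(line, year):
    """Return (timestamp, ip) if the line is an sshd rejection, else None.

    `year` is assumed by the caller because syslog timestamps omit it; lines
    that straddle a year boundary will be dated wrongly (a known limitation).
    """
    if "sshd[" not in line:
        return None  # ignore CRON, sudo, and other PAM noise
    for pattern in FAILURE_PATTERNS:
        match = pattern.search(line)
        if match:
            stamp = datetime.strptime(
                f"{year} {line[:TIMESTAMP_WIDTH]}", "%Y %b %d %H:%M:%S"
            )
            return stamp, match.group("ip")
    return None


def count_attempts(log_text, now, window_days=4):
    """Count rejected login attempts per source IP within the last window_days."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_attempt(line, now.year)
        if parsed is None:
            continue
        stamp, ip = parsed
        if cutoff <= stamp <= now:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    # Fixed "now" so the constructed sample falls inside the window.
    now = datetime(2024, 5, 20, 13, 0, 0)
    for ip, n in count_attempts(SAMPLE_LOG, now).most_common():
        print(f"{ip:>15}  {n} attempt(s)")
```

The per-IP counts are what drive the circle sizes on the map; turning each IP into a latitude/longitude needs a geolocation database, which is a separate lookup step not shown here. Successful logins ("Accepted publickey ...") are intentionally not counted, and the 4-day cutoff is applied on the parsed timestamp rather than by file position, so a rotated or out-of-order log still gives the same answer.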

Why are there so many attacks?

Honestly I have no idea. My guess is that whatever organizations or individuals conduct these attacks figure that the very small probability of gaining access to a poorly configured server, combined with the potentially large payout, is enough to offset the low cost of running these attacks. Of course, these brute force attacks are mostly a waste of time.

Any advice on how to keep my server secure?

I don't know. Why are you asking me?