Python tool to detect SSH brute-force attacks by analyzing auth logs.
JosefGh/ssh-log-intrusion-detector
🛡️ SSH Log Intrusion Detector

A simple Python-based security tool that analyzes SSH authentication logs, identifies failed login attempts, and detects potential brute-force attacks.
This project demonstrates practical log analysis, Python scripting, and defensive (blue-team) security skills — ideal for students building experience in cybersecurity.


🚀 Features

  • 🔍 Extracts failed SSH login attempts
  • 📌 Identifies attacker IP addresses
  • 📊 Counts failed attempts per IP
  • ⚠️ Flags suspicious IPs based on a threshold
  • 📁 Generates JSON reports for further analysis
  • 🖥️ Works with Linux auth.log or a sample test log

📁 Project Structure

.
├── detector.py          # Main Python script
├── sample_auth.log      # Sample log file for testing
├── report.json          # Generated JSON report
└── screenshots/         # (Optional) store screenshot images

🧪 Example Output

=== Top attacking IPs (by failed attempts) ===
198.51.100.7   -> 6 failed attempts
203.0.113.5    -> 3 failed attempts
192.168.0.10   -> 2 failed attempts

=== Suspicious IPs (>= threshold) ===
198.51.100.7   -> 6 failed attempts [SUSPICIOUS]

⚙️ Installation

1. Clone the repository

git clone https://github.com/JosefGh/ssh-log-intrusion-detector.git
cd ssh-log-intrusion-detector

2. Run the script

Windows:

python .\detector.py

Linux / macOS:

python3 detector.py

🛠️ Usage

Default usage (analyzes sample_auth.log)

python detector.py

Analyze a real Linux auth.log

python detector.py -f /var/log/auth.log

Change brute-force threshold

python detector.py -t 20

Save to custom JSON

python detector.py -o results.json

📊 JSON Report Example

{
    "total_unique_ips": 3,
    "failed_attempts_per_ip": {
        "198.51.100.7": 6,
        "203.0.113.5": 3,
        "192.168.0.10": 2
    },
    "suspicious_ips": {
        "198.51.100.7": 6
    }
}
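The pipeline the README describes (regex extraction of failed logins, per-IP tally with collections.Counter, threshold check, JSON report in the shape above), written out as an added illustration rather than the project's own detector.py. It assumes OpenSSH's standard "Failed password" syslog line and IPv4 sources, and additionally honours rsyslog's "message repeated N times" collapsing so repeated failures are not undercounted; the sample log lines are constructed, not a real capture.

```python
import json
import re
from collections import Counter

# OpenSSH "Failed password" line (both the known-user and "invalid user" forms).
# Assumed pattern for this example; IPv4 only.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
REPEAT_RE = re.compile(r"message repeated (\d+) times")

# Constructed sample auth.log lines for an offline run (not a real capture).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 10 12:00:02 host sshd[1001]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar 10 12:00:03 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Mar 10 12:00:04 host sshd[1003]: Accepted password for alice from 192.168.0.10 port 52000 ssh2
Mar 10 12:00:05 host sshd[1004]: Failed password for alice from 192.168.0.10 port 52001 ssh2
Mar 10 12:00:06 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 53000 ssh2
Mar 10 12:00:07 host sshd[1005]: message repeated 2 times: [ Failed password for invalid user test from 203.0.113.5 port 53000 ssh2]
"""


def count_failed(lines):
    """Return a Counter of failed SSH logins keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # rsyslog folds duplicates into "message repeated N times: [...]";
        # count N failures for such a line instead of one.
        rep = REPEAT_RE.search(line)
        counts[m.group("ip")] += int(rep.group(1)) if rep else 1
    return counts


def build_report(lines, threshold=5):
    """Build the JSON-serialisable report in the shape the README shows."""
    counts = count_failed(lines)
    ranked = counts.most_common()  # highest tally first
    return {
        "total_unique_ips": len(counts),
        "failed_attempts_per_ip": dict(ranked),
        "suspicious_ips": {ip: n for ip, n in ranked if n >= threshold},
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG.splitlines(), threshold=3), indent=4))
```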

🧪 Tested in a Real SSH Lab

This tool was tested against real SSH authentication logs on a Kali Linux system running under WSL2:

  • OpenSSH server running on Kali (WSL2)
  • Real failed login attempts generated from SSH clients
  • /var/log/auth.log enabled and parsed directly with python3 detector.py -f /var/log/auth.log

This simulates a realistic blue-team scenario where an analyst investigates brute-force activity against an SSH server.


🧠 What I Learned

  • Fundamentals of log analysis
  • Detecting brute-force behavior in logs
  • Building CLI tools with Python
  • Using argparse, regex, and collections.Counter
  • Thinking like a defender (blue team)

🔮 Future Improvements

  • 🌍 GeoIP lookup
  • 📈 Visual dashboard
  • 📨 Email alerts
  • 🧵 Log rotation support
  • 🐳 Docker containerization

📜 License

MIT License
