Red Green Repeat Adventures of a Spec Driven Junkie

Why You Should Secure Your Server (part 2)

I continue my analysis of SSH logs I obtained from my informal experiment I started in the previous article.

This time I use a tool to lookup the location of the entries in the file and share where access are coming from to my server.

You will learn how to use GeoIP to lookup physical location of IP addresses and which countries like to do port scans.

This article will take you about five minutes to read.

Gerhard Emmoser - Celestial globe with clockwork source and more information


In my last article, I started an experiment by opening the SSH port on my cloud server. I collected an analyzed the logs to find that I am not the only person trying to access my private server.


The GeoIP tool from MaxMind allows one to lookup the physical source of an IP address.

I have IP addresses of the top port scanners of my server, from each entry in the SSH log as:

Jan 11 08:34:21 ip-172-31-1-163 sshd[2245]: Received disconnect from 11: [preauth]

Let’s using the GeoIP tool directly, we can find the origin of these port scanners:

scans IP Address Country
4685 PL, Poland
1000 CN, China
706 CN, China
675 TR, Turkey
658 CN, China

From the list, the top port scanners came from three countries:

  1. Poland
  2. China
  3. Turkey

One person in Poland did more than 4k scans on my server? Wow, that’s aggressive number of port scan to do in one month.

Question: All Port scan origins?

These were the top port scanners, how about the 14k other port scanners? Are they all just from these three countries?

Let’s look up the countries of all port scans entries in GeoIP:

 cat auth.log | grep -oE 'Received disconnect.*' |
	awk '{ print $4 }' | sed -n -e 's/://p' |
	awk '{ print $0 system("geoiplookup " $1) }' | tr '\n' '|' |
	xargs -n 2 -d '|' | sed -n -e 's/0$//p' |
	sed -n -e 's/GeoIP Country Edition: //p' |
	awk '{ printf("%s %s\n", $(NF), $0 ) } END { print }' |
	awk '{ $(NF)=""; print $0 }' | head -n -1 |
	awk '{ $1=""; print $0 }' | sort | uniq -c | sort -n | tail
scans Country
5627 CN, China
4686 PL, Poland
762 US, United States
743 TR, Turkey
609 IT, Italy
518 KR, Korea, Republic of
439 NL, Netherlands
379 GB, United Kingdom
228 RU, Russian Federation
140 VN, Vietnam

Individually, one person from Poland did the most port scans, as a group, China did the most port scans.

At 10k port scans over a month, there would be a port scan every five minutes on your server from either Poland or China!

Total Number of Countries?!

Now I am wondering, what are the number of different countries show up in my logs??

cat auth.log | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | 
  awk '{ print $0 system("geoiplookup " $1) }' | tr '\n' '|' | 
  xargs -n 2 -d '|' | sed -n -e 's/0$//p' | 
  sed -n -e 's/GeoIP Country Edition: //p' | 
  awk '{ printf("%s %s\n", $(NF), $0 ) } END { print }' | 
  awk '{ $(NF)=""; print $0 }' | head -n -1 | sort | uniq -c | wc -l

There are 41 different countries that show up in the SSH log. The UN recognizes 193 countries in the world, this means, 20% of the countries in the world were trying to access my server!


In the first part, I analyzed my SSH logs and find that there are people other than me aggressively connecting to my server using SSH to login and port scans to find weaknesses.

This time, I use the GeoIP tool from MaxMind to reverse lookup the IP addresses in the logs and show these connections are coming from all over the world, from the data, Poland and China stand out above the rest, including the US, Turkey, Italy, and South Korea.

Access distribution per country is not a blanket: every single person in that country is actively connecting to my server, a few people in that country are relentless in their attempts to exploit my server.

In the next and final part, I show two methods to secure your server that is convenient and let’s you sleep at night.