digital information design camp 2005


one

final version

First a little background on what I'm doing. Our group at the Media Lab has a number of computers that are open to the Internet. By that, I mean they run some kind of server and are unprotected by firewall or any other type of device to limit the incoming traffic. As a result, the machines all see a lot of break-in attempts. Lately, we've been seeing a lot of a particularly bone-headed strategy where the attacker literally tries hundreds of usernames and passwords hoping to guess one. The downside to these attacks is 1) they are surprisingly successful and 2) they bog the machines down because the login attempts come in quick succession for up to 20 minutes. Since we started seeing these, I've wanted to understand them better. I have observed a few random things, like the usernames that are attempted are very different during different attack sessions. I suspect this probably means that there are a number of different attackers using this same technique. Also, it seems the attackers often try to attack more than one of our machines at a time. However, it's hard to figure out how these attacks are playing out over time on fifteen different machines by examining the logs, but a graphical depiction would likely make it apparent at a glance.

I decided to change the focus of my question a little bit and concentrate on which accounts are "under fire" from these ssh attacks. The graphic shows the 200 most attacked usernames. Hovering over a username will isolate the relevant attacks on the timeline.
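The aggregation behind such a graphic can be sketched as follows. This is an added example, not the code behind the piece: it assumes the machines log in the standard OpenSSH syslog format, and the host names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH syslog format (hosts and IPs are made up).
SAMPLE_LOG = """\
Jun 12 03:14:07 hostA sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jun 12 03:14:08 hostB sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4250 ssh2
Jun 12 03:14:09 hostA sshd[1236]: Failed password for root from 203.0.113.5 port 4243 ssh2
Jun 12 03:14:11 hostA sshd[1240]: Accepted password for alice from 192.0.2.10 port 5000 ssh2
Jun 12 09:30:00 hostC sshd[900]: Failed password for invalid user oracle from 198.51.100.7 port 3999 ssh2
Jun 12 09:30:02 hostC sshd[901]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2
""".splitlines()

# Matches failed logins for both existing and nonexistent ("invalid user") accounts.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_failures(lines):
    """Return one dict per failed-password line; other lines are ignored."""
    return [m.groupdict() for m in map(FAILED.match, lines) if m]

def top_usernames(events, n=200):
    """Usernames ranked by number of failed attempts across all machines."""
    return Counter(e["user"] for e in events).most_common(n)

def sources_hitting_multiple_hosts(events):
    """Source addresses seen failing logins on more than one machine."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) > 1}

def timeline_for(events, user):
    """(timestamp, host, source) tuples for one username, in log order."""
    return [(e["ts"], e["host"], e["src"]) for e in events if e["user"] == user]

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(top_usernames(events))
    print(sources_hitting_multiple_hosts(events))
    print(timeline_for(events, "admin"))
```

Concatenating the auth logs from every machine before parsing gives the cross-host view; `timeline_for` corresponds to isolating one username's attacks on the timeline.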