Monday, August 11, 2008

How To Get Your Most and Top SSH Port Attacker From Terminal

The SSH port is one of the most commonly probed and attacked ports, bombarded by unauthorized hosts trying to gain access to your server over SSH. These attacks can be prevented in several ways. With a default setup, the SSH daemon logs its activity to the default SSH log file, and these log files give server administrators a record of SSH-related activity that can hint at any recent, and possibly successful, unauthorized SSH access.

Here's a quick way to list the hosts most frequently refused access to the server via the SSH port.

Get Most Refused Hosts From SSH Port

In this example we cover all dates of the SSH server log files, which are the /var/log/secure* files (Red Hat-style systems; Debian-based systems write the same messages to /var/log/auth.log). By default, refused connections are logged with the 'refused' keyword, typically as "refused connect from <ip> (<ip>)" when TCP wrappers (hosts.allow/hosts.deny) rejects the connection; in that line layout the source IP is the ninth whitespace-separated field, which is the column the awk command below picks out. To get the list of external hosts most frequently refused access to the SSH port, simply run

#  cat /var/log/secure* | grep 'refused' | awk '{print $9}' | sort | uniq -c | sort -k1 -rn

Sample output:

61 213.193.229.165
22 213.25.19.17
13 77.37.12.128
12 24.39.139.188
6 207.245.33.81
5 60.5.187.104
3 83.13.106.66
3 81.246.54.90
3 77.85.212.15


[snip...]

As you can see, the topmost line of the output above shows 61 refused SSH connection attempts from the host with IP address 213.193.229.165, and the list goes on. If that IP address is unknown to you and is not one of the hosts on your administered local network, you can assume this was an attack attempt on the SSH port.

Get Top 10 Hosts for Most SSH Port Attacks

To list only the top 10 SSH port attackers, simply add the head command like so

#  cat /var/log/secure* | grep 'refused' | awk '{print $9}' | sort | uniq -c | sort -k1 -rn | head -10
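The same count as a reusable shell function, added here as an example that is not part of the original post: it reads plain and gzip-rotated logs (grep alone does not see inside .gz files), and it extracts the IP by matching the "refused connect from" message text instead of a fixed awk column, so a line with a different number of fields does not break the count. The log lines are constructed samples and the file location and function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): count refused SSH connections
# per source IP across plain and .gz rotated logs, most frequent first.

# Constructed sample of /var/log/secure lines in the tcp_wrappers
# "refused connect from" format (assumed); written to a temp file so the
# example runs offline. The trap removes it when the script exits.
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_LOG.gz"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 11 08:01:12 web1 sshd[2211]: refused connect from 213.193.229.165 (213.193.229.165)
Aug 11 08:01:15 web1 sshd[2213]: refused connect from 213.193.229.165 (213.193.229.165)
Aug 11 08:02:40 web1 sshd[2220]: refused connect from 77.37.12.128 (77.37.12.128)
Aug 11 08:03:01 web1 sshd[2225]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Aug 11 08:04:09 web1 sshd[2230]: refused connect from 213.193.229.165 (213.193.229.165)
EOF

# top_refused N FILE...: print "count ip" for refused connections, sorted by
# count descending and limited to N lines. Files ending in .gz are read with
# zcat so rotated logs are covered too. Only lines carrying the
# "sshd[pid]: refused connect from <ip>" message are counted; the IP is taken
# from the message itself, not from a fixed column.
top_refused() {
    n="$1"; shift
    for f in "$@"; do
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done |
    sed -n 's/.*sshd\[[0-9]*\]: refused connect from \([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -k1,1 -rn | head -n "$n" |
    awk '{print $1, $2}'     # normalise uniq -c padding to "count ip"
}

# Usage: top 10 refused hosts from the sample log.
top_refused 10 "$SAMPLE_LOG"
```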


All is done.
