Introduction: Probably one of the most common newbie fails is to open port 22 to the world. This way, you can get a beautiful light show, with the Ethernet connection LED blinking 24 hours a day. In the worst case you get some undesired visitors on your Raspberry Pi.

Background: I regularly visit Raspberry Pi’s official forums, especially the Spanish one. There are good guys with great projects there, and I learnt there how to secure my Raspberry Pi. How to check that everything is working fine? You can grep the different log files, but when logs are getting big you get new ones while old ones are zipped. Checking old and new ones and remembering the number of attacks you saw last time is a boring duty. I wanted to create some bash script but finally decided to use Python. The code is as follows:

#!/usr/bin/env python
#This program analyzes auth.log files (both unzipped and zipped) and counts failed and accepted login attempts, subtracting our own attempts.
#Created by Iker García.
import os
import os.path
import glob
import gzip
import time

a = 0 #Variable to store accepted log number from previous runs.
b = 0 #Variable to count accepted log number.
c = 0 #Variable to store failed log number from previous runs.
d = 0 #Variable to count failed log number.

if os.path.isfile(".Acceptedlogdb"): #Searches for accepted login database (hidden), if exists updates the value of a.
  db = open(".Acceptedlogdb", "r")
  for dbline in db:
    a = dbline 

if os.path.isfile(".Failedlogdb"): #Searches for failed login database (hidden), if exists updates the value of c.
  db2 = open(".Failedlogdb", "r")
  for dbline2 in db2:
    c = dbline2

os.chdir("/var/log") #Changes directory to /var/log.
filenames = [name for name in glob.glob("auth.log*") if not name.endswith(".gz")] #Reads unzipped auth.log files (zipped ones are read below).
for file in filenames:
  f = open(file, "r")
  for line in f:
    #sshd writes "... password for USER from IP port N ssh2". "in" is a plain substring test, so "*" is not a wildcard.
    #Our own IPs: the 192.168. local network, plus *.*.*.* as a placeholder to replace with another own IP.
    own = " from 192.168." in line or " from *.*.*.* " in line
    if "Accepted password" in line and not own: #Counts accepted login attempts, skipping our own.
      b = b+1
    if "Failed password" in line and not own: #Counts failed login attempts, skipping our own.
      d = d+1
  f.close()

zipfile = glob.glob("auth.log.*.gz") #Reads zipped auth.log files.
for zip in zipfile:
  with gzip.open(zip, "rt") as zf: #Text mode, so each line is a str as in the unzipped files.
    for zline in zf:
      #Our own IPs: the 192.168. local network, plus *.*.*.* as a placeholder to replace with another own IP.
      own = " from 192.168." in zline or " from *.*.*.* " in zline
      if "Accepted password" in zline and not own: #Counts accepted login attempts, skipping our own.
        b = b+1
      if "Failed password" in zline and not own: #Counts failed login attempts, skipping our own.
        d = d+1

a = int(a) #a variable must be int type.
c = int(c) #c variable must be int type.
sa = b - a  #Successful login attempts (Successful attacks).
ra = d - c #Rejected login attempts (Rejected attacks).

os.chdir("/home/pi") #Changes directory to the one where a log is going to be stored.

log = open("SSHlog.txt","a") #Creates a log text.
log.write(time.strftime("%b %d %Y "))
log.write("New successful attacks: ")
log.write("%s" % sa)
log.write(" New rejected attacks: ")
log.write("%s\n" % ra) #Ends the entry so each run gets its own line.
log.close()

a = b #Updates the values of a and c variables stored in the databases. 
c = d

db = open(".Acceptedlogdb", "w") #Updates accepted login database.
db.write("%s" % a)
db2 = open(".Failedlogdb", "w") #Updated failed login database.
db2.write("%s" % c)

I think everything is explained in the same code, so you can see how it works. Anyway, you can ask whatever you want. The name this time is SSHlogger.

Here is the repo: Contributions are welcome!

Actually I am thinking that it would be a good idea to create a graphical environment. No idea, new challenge!



Hi Iker,

Thanks for the code.

How are the ‘own IP’ addresses identified?



You’re welcome. Thank you for your answer and the rest of you for the likes.

If you’re using any machine connected to the local network to access your Raspberry Pi, the IP should be like 192.168.1.x. You can ensure that SSHlogger works if you use one, or one hundred machines writing down: 192.168.* . * (no spaces, but text is formatted if I write * without the spaces) in the corresponding if statements. This way it will subtract any IP which matches 192.168. any other numbers in the other positions.

In my case I also use my smartphone to access while I’m outside, that’s why I added another if statement for IPs that don’t match the 192… example written down above. In configuration, about the phone (or something like that, mine is in Spanish so I don’t know exactly how Android menus look in English) you can find the IP of your phone.

Hope this answers your question and I didn’t misunderstand it. Anyway, you can ask if you want.
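
Added example, not part of the thread or of SSHlogger: one way to identify "own IP" logins is to parse the source address out of each sshd line and test it against a list of networks, counting everything else per source IP. The network list, the stand-in phone address 203.0.113.7 and the sample log lines are assumptions constructed for this illustration.

```python
import ipaddress
import re
from collections import Counter

# sshd writes "<result> password for [invalid user ]NAME from IP port N ssh2". NAME is
# client-supplied text, so the greedy (.*) and end anchor pick the LAST "from IP port N".
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2\s*$"
)

# Assumption: the networks we log in from. 203.0.113.7 is a documentation
# address standing in for the phone's IP, which the thread does not give.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "203.0.113.7/32")]

# Constructed sample lines, not taken from a real auth.log.
SAMPLE_LOG = """\
Mar  3 10:01:12 raspberrypi sshd[811]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Mar  3 10:01:15 raspberrypi sshd[811]: Failed password for root from 198.51.100.23 port 40122 ssh2
Mar  3 10:02:01 raspberrypi CRON[820]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:02:30 raspberrypi sshd[825]: Failed password for pi from 192.168.1.40 port 51234 ssh2
Mar  3 10:02:36 raspberrypi sshd[825]: Accepted password for pi from 192.168.1.40 port 51234 ssh2
Mar  3 10:02:40 raspberrypi sshd[830]: Failed password for invalid user x from 192.168.1.5 port 22 ssh2 from 198.51.100.23 port 40130 ssh2
Mar  3 10:05:09 raspberrypi sshd[841]: Accepted password for pi from 203.0.113.7 port 60100 ssh2
Mar  3 10:07:44 raspberrypi sshd[850]: Accepted password for pi from 198.51.100.77 port 33810 ssh2
"""

def is_own(ip_text):
    """True if the source address lies in one of OWN_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal: treat as foreign
    return any(ip in net for net in OWN_NETWORKS)

def summarize(lines):
    """Return (accepted, failed) Counters keyed by foreign source IP."""
    accepted, failed = Counter(), Counter()
    for line in lines:
        m = LOGIN_RE.search(line)
        if m is None or is_own(m.group("ip")):
            continue
        (accepted if m.group("result") == "Accepted" else failed)[m.group("ip")] += 1
    return accepted, failed

if __name__ == "__main__":
    accepted, failed = summarize(SAMPLE_LOG.splitlines())
    print("foreign accepted:", dict(accepted))
    print("foreign failed:", dict(failed))
```

Any entry in the accepted counter is a password login from an address outside the listed networks and deserves a look before anything else.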