Hostile attacks

This repository contains protocols of hostile attacks.

Once a day in the morning the data of the previous day gets collected using journalctl:

journalctl --identifier sshd --since=yesterday --until=today --priority=notice --output=json

Next the IP addresses are extracted using jq:

jq -c '{ts:._SOURCE_REALTIME_TIMESTAMP}+(.MESSAGE|capture("authentication failure.* rhost=(?<ip>[^ ]+) "))'

And the locations are looked up in the IPFire location database using location-lookup.

location-lookup ip

Name		Name	Last commit message	Last commit date
Latest commit History 22 Commits
.gitignore		.gitignore
2025-05-01.sshd.json		2025-05-01.sshd.json
2025-05-02.sshd.json		2025-05-02.sshd.json
2025-05-03.sshd.json		2025-05-03.sshd.json
2025-05-04.sshd.json		2025-05-04.sshd.json
2025-05-05.sshd.json		2025-05-05.sshd.json
2025-05-06.sshd.json		2025-05-06.sshd.json
2025-05-07.sshd.json		2025-05-07.sshd.json
2025-05-08.sshd.json		2025-05-08.sshd.json
2025-05-09.sshd.json		2025-05-09.sshd.json
2025-05-10.sshd.json		2025-05-10.sshd.json
2025-05-11.sshd.json		2025-05-11.sshd.json
2025-05-12.sshd.json		2025-05-12.sshd.json
2025-05-13.sshd.json		2025-05-13.sshd.json
2025-05-14.sshd.json		2025-05-14.sshd.json
LICENSE		LICENSE
README.md		README.md
TOP20.md		TOP20.md
import-country		import-country
import-hostile		import-hostile
postgre.sql		postgre.sql
top20		top20
top20.json		top20.json
top20.sql		top20.sql

Provide feedback