SSH Brute Force / Spray Detection Report

Log: auth_demo.log
Time range: 2025-12-12 17:10:03 → 2025-12-12 18:06:43
Last 60 minutes

Executive Summary

Detected activity: 1 high-confidence brute-force source(s) and 1 lower-rate credential spray pattern(s) across 3 unique source IPs.
Primary risk: Source 45.33.12.101 generated 15 failed SSH authentication attempts in a short time window, consistent with automated brute-force behavior.
Scope note: This analysis evaluates failed authentication attempts only. Successful login events were not assessed in this dataset.
Recommended response: Block or rate-limit flagged sources immediately and validate SSH hardening controls.

Scope & Metrics

Total failures: 23
Unique source IPs: 3
Unique users targeted: 2

Flagged Findings

IP	Technique	Severity	Fails	Burst	First	Last	Geo	Org
45.33.12.101	burst_bruteforce	High Medium	15	15	2025-12-12 18:06:01	2025-12-12 18:06:43	Richardson, Texas, US	AS63949 Akamai Connected Cloud

Observed Activity

IP	Technique	Severity	Fails	Burst	First	Last	Geo	Org
185.199.110.32	slow_spray_or_scan	Informational Low	6	1	2025-12-12 17:10:03	2025-12-12 18:00:03	San Francisco, California, US	AS54113 Fastly, Inc.
73.22.44.18	low_signal	Informational Low	2	2	2025-12-12 18:04:20	2025-12-12 18:04:32	(Residential) US	Unknown ASN (demo)

Evidence & Recommended Actions

Flagged Source: 45.33.12.101

Technique: burst_bruteforce
Severity: High (Medium)
Total failures: 15
Observed: 2025-12-12 18:06:01 → 2025-12-12 18:06:43

Dec 12 18:06:01 ip-10-0-0-5 sshd[1310]: Failed password for invalid user admin from 45.33.12.101 port 51310 ssh2
Dec 12 18:06:04 ip-10-0-0-5 sshd[1311]: Failed password for invalid user admin from 45.33.12.101 port 51311 ssh2
Dec 12 18:06:07 ip-10-0-0-5 sshd[1312]: Failed password for invalid user admin from 45.33.12.101 port 51312 ssh2
Dec 12 18:06:10 ip-10-0-0-5 sshd[1313]: Failed password for invalid user admin from 45.33.12.101 port 51313 ssh2
Dec 12 18:06:13 ip-10-0-0-5 sshd[1314]: Failed password for invalid user admin from 45.33.12.101 port 51314 ssh2
Dec 12 18:06:16 ip-10-0-0-5 sshd[1315]: Failed password for invalid user admin from 45.33.12.101 port 51315 ssh2
Dec 12 18:06:19 ip-10-0-0-5 sshd[1316]: Failed password for invalid user admin from 45.33.12.101 port 51316 ssh2
Dec 12 18:06:22 ip-10-0-0-5 sshd[1317]: Failed password for invalid user admin from 45.33.12.101 port 51317 ssh2

Recommended Actions

Block or rate-limit the source IP at firewall, security group, or WAF level.
Disable SSH password authentication where feasible; enforce key-based access.
Restrict SSH exposure to trusted IP ranges or VPN access if possible.
Review authentication logs for any successful logins near the observed time window.
Confirm rate-limiting or lockout controls (e.g., fail2ban) are enabled and tuned.

This report is based on failed SSH authentication logs only and is intended for incident triage and control validation.