The Goal: To build a focused Python utility that cuts through SSH “alert fatigue” by automatically detecting brute-force login attempts. Instead of wading through hundreds of auth-log entries, this tool flags any source IP address that reaches a configurable number of failed logins within a short, configurable time window, turning raw log data into a handful of high-fidelity alerts.
The Setup: I organized the project in a local folder called ssh-login-analyzer, with a data/ subfolder holding a sample CSV export of my SSH auth.log. A Python package ssh_analyzer/ contains four modules: parser.py, analyzer.py, reporter.py, and cli.py, and I manage dependencies in a venv virtual environment. Matplotlib is installed for plotting, and the standard library (csv, datetime, argparse) handles the core logic.
The Process: First, the parser reads each line of data/auth_sample.csv using csv.DictReader, converts timestamp strings into datetime objects, and wraps each row in a simple LogEntry tuple. Next, the analyzer groups all “Failed” attempts by IP and slides a timedelta window (default 60 seconds) across each IP’s failure timestamps, looking for a window whose count reaches the threshold. Whenever an IP reaches that threshold, an alert record is generated for it. Then the reporter writes those alerts to alerts.csv and uses Matplotlib to draw alerts.png, a bar chart of failure counts per IP. Finally, the CLI module ties it all together under argparse, so running one command processes the log and emits both the data and the graphic outputs.
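The parse, detect and report steps above, as an added stdlib-only example rather than the project's own ssh_analyzer code. The CSV column names (timestamp, status, user, ip), the --threshold and --window flags, and the sample rows are constructed assumptions. It goes one step beyond the text by sorting each IP's failure timestamps before windowing (exports are not always time-ordered) and by emitting a single alert per IP for its densest window, so a long-running attack does not itself become a flood of alerts:

```python
"""Sliding-window SSH brute-force detector (added example, stdlib only)."""
import argparse
import csv
import io
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample export. The column names (timestamp, status, user, ip)
# are an assumption of this example, not the real data/auth_sample.csv schema.
# The first two rows are deliberately out of time order.
SAMPLE_CSV = """timestamp,status,user,ip
2024-03-01 10:00:03,Failed,admin,192.168.1.100
2024-03-01 10:00:00,Failed,root,192.168.1.100
2024-03-01 10:00:10,Accepted,alice,10.0.0.5
2024-03-01 10:01:00,Failed,alice,10.0.0.5
2024-03-01 10:05:00,Failed,alice,10.0.0.5
2024-03-01 11:00:00,Failed,root,203.0.113.7
2024-03-01 11:00:20,Failed,root,203.0.113.7
2024-03-01 11:00:40,Failed,root,203.0.113.7
"""

LogEntry = namedtuple("LogEntry", "timestamp status user ip")
Alert = namedtuple("Alert", "ip first_seen last_seen count")


def parse_log(text):
    """csv.DictReader over the export; timestamp strings become datetime objects."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        entries.append(LogEntry(ts, row["status"], row["user"], row["ip"]))
    return entries


def find_bruteforce(entries, threshold=5, window=timedelta(seconds=60)):
    """Return one Alert per IP whose densest `window` holds >= threshold failures.

    Failures are grouped by IP and sorted, then a two-pointer sliding window
    walks each IP's timestamps once (O(n) per IP) instead of re-counting from
    scratch at every position. Two failures exactly `window` apart still count
    as being in the same window.
    """
    failures = defaultdict(list)
    for e in entries:
        if e.status == "Failed":
            failures[e.ip].append(e.timestamp)

    alerts = []
    for ip, times in failures.items():
        times.sort()
        best = None  # (count, first, last) of the densest window seen so far
        start = 0
        for end, t in enumerate(times):
            # Advance the left edge past failures older than the window ending at t.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, times[start], t)
        if best[0] >= threshold:
            alerts.append(Alert(ip, best[1], best[2], best[0]))
    return alerts


def alerts_to_csv(alerts):
    """Render alerts in the same shape as alerts.csv: ip, first, last, count."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "first_failure", "last_failure", "count"])
    for a in alerts:
        writer.writerow([a.ip, a.first_seen.isoformat(sep=" "),
                         a.last_seen.isoformat(sep=" "), a.count])
    return buf.getvalue()


if __name__ == "__main__":
    # Minimal stand-in for the argparse CLI; flag names are assumptions.
    ap = argparse.ArgumentParser(description="Flag SSH brute-force source IPs")
    ap.add_argument("--threshold", type=int, default=5, help="failures per window")
    ap.add_argument("--window", type=int, default=60, help="window length in seconds")
    args = ap.parse_args()
    found = find_bruteforce(parse_log(SAMPLE_CSV), args.threshold,
                            timedelta(seconds=args.window))
    print(alerts_to_csv(found), end="")
```

Running it with --threshold 2 flags 192.168.1.100 (two failures three seconds apart) and 203.0.113.7 (three failures in forty seconds), while 10.0.0.5, whose two failures are four minutes apart, stays quiet; with the default threshold of 5 nothing fires, which is the kind of difference the threshold choice makes in practice.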
What I Found: Using a deliberately low threshold of 2 failures in 60 seconds (a demonstration setting for the small sample; a production threshold would be higher so that a single mistyped password does not fire an alert), the tool correctly flagged IP 192.168.1.100, which had two failed login attempts three seconds apart. The generated alerts.csv captured that IP, its first and last failure timestamps, and the count of failures, and the bar chart showed that single offender. A few lines of Python turn raw SSH logs into clear, actionable intelligence and let security analysts focus on real threats instead of on individual log entries.
Python | CSV processing | datetime & timedelta arithmetic | Object-oriented design | argparse CLI | Matplotlib visualization | Virtual environments