SSH... or catch me if you can!

The purpose of this graph is to quickly see which kinds of authentication your SSH server handles, how many users are in the SSH login game, who fails, and how many different locations they log in from.

The script used to generate the PCV language is ssh-auth2pcv.pl. Data were then anonymized and I removed the "Accepted " word to make a bigger distance between "Accepted publickey" and "Accepted keyboard-interactive".

Graph

Analysis

Lines are red for failed logins and black in every other case.

First axis: Time

Not much to say, except that people log in at almost any time. There is no wide range of time without a login: that must be a geek machine ;-)

Second axis: Authentication type

There are three types. At the top is publickey, in the middle is keyboard-interactive/pam, and at the bottom is Authentication failure. Public key is used more than any other authentication type.

Third axis: Source

Users log in from several different sources. That should be either a traveler's machine or a compromised one.

Fourth axis: Login

Three logins are used on the machine. Two log in from three different places; one person logs in from the same place to two logins: he must be the administrator. One logs in from about ten places and has some failed logins.
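
The Python below is an added example, not the page's ssh-auth2pcv.pl: it maps sshd authentication lines to the four axes described above, colors failures red, and counts distinct sources per login. The log lines are constructed, and the PCV axis types and the helper names (`parse`, `to_pcv`, `sources_per_login`, `clean`) are assumptions.

```python
import re
from collections import Counter

# Constructed sshd lines (documentation addresses, made-up users).
SAMPLE_LOG = """\
Jan 12 08:14:02 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan 12 09:30:11 host sshd[1240]: Accepted keyboard-interactive/pam for bob from 198.51.100.7 port 40100 ssh2
Jan 12 10:01:45 host sshd[1250]: error: PAM: Authentication failure for carol from 203.0.113.5
Jan 12 10:02:10 host sshd[1251]: Accepted publickey for carol from 203.0.113.9 port 51000 ssh2
Jan 12 10:05:00 host sshd[1260]: Connection closed by 192.0.2.10
"""

EVENT = re.compile(
    r"^\w{3} +\d+ +(?P<time>\d\d:\d\d):\d\d +\S+ +sshd\[\d+\]: +"
    r"(?:error: PAM: )?(?P<auth>Accepted \S+|Authentication failure)"
    r" +for +(?:(?:invalid|illegal) user )?(?P<login>\S+) +from +(?P<source>\S+)",
    re.MULTILINE)

def clean(value):
    # Login and source are attacker-influenced: keep quotes out of PCV strings.
    return re.sub(r"[^\w.:@/-]", "_", value)

def parse(log_text):
    """Return one dict per authentication event; other sshd lines are skipped."""
    records = []
    for m in EVENT.finditer(log_text):
        failed = m["auth"] == "Authentication failure"
        # Drop "Accepted " as the page does, to spread the two methods apart.
        auth = m["auth"].replace("Accepted ", "", 1)
        records.append({"time": m["time"], "auth": auth, "failed": failed,
                        "source": clean(m["source"]), "login": clean(m["login"])})
    return records

def to_pcv(records):
    """Render the four axes; failed logins red, everything else black."""
    out = ["header {", '    title = "SSH authentication";', "}", "axes {",
           '    timeline time [label="Time"];', '    string auth [label="Auth"];',
           '    string source [label="Source"];', '    string login [label="Login"];',
           "}", "data {"]
    for r in records:
        color = "red" if r["failed"] else "black"
        out.append('    time="{time}", auth="{auth}", source="{source}", '
                   'login="{login}" [color="{c}"];'.format(c=color, **r))
    return "\n".join(out + ["}"])

def sources_per_login(records):
    """Count distinct sources per login (the fan between axes three and four)."""
    pairs = {(r["login"], r["source"]) for r in records}
    return dict(Counter(login for login, _ in pairs))

if __name__ == "__main__":
    print(to_pcv(parse(SAMPLE_LOG)))
```

A login with a high count from `sources_per_login` is the same signal as the wide fan of lines the graph shows for the user who logs in from about ten places.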
