Hostnames of Internet addresses suspected of SSH password authentication attacks

Added By mrflip

Dragon Research Group (DRG) sshpwauth report

Entries consist of fields with identifying characteristics of a a source IP address that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks. Each entry is sorted according to a route origination ASN. An entry for the IP address may be listed more than once if there are multiple origin AS (MOAS) announcements for the covering prefix. We use the Team Cymru IP address to ASN mapping service to construct a origin AS number and name. For details about this Team Cymru service, see

Formatting is as follows:

ASN  |  ASname  |  saddr  |  utc  |  category

Each field is described below. Please note any special formatting rules to aid in processing this file with automated tools and scripts. Blank lines may be present to improve the visual display of this file. Lines beginning with a hash (‘#’) character are comment lines. All other lines are report entries. Each field is separated by a pipe symbol (‘|’) and at least two whitespace characters on either side.

  • ASN Autonomous system number originating a route for the entry IP address. Note, 4-byte ASNs are supported and will be displayed as a 32-bit integer.
  • ASname A descriptive network name for the associated ASN. The name is truncated to 30 characters.
  • saddr The source IPv4 or IPv6 address that is being reported.
  • utc A last seen timestamp formatted as YYYY-MM-DD HH:MM:SS and in UTC time.
  • category Descriptive tag name for this entry. For this report, the text sshpwauth will appear.

To read more about SSH password authentication issues and how to mitigate SSH password authentication brute force attacks based on report data such as this, see:

README: The sshpwauth report is for free for non-commercial use ONLY. If you wish to discuss commercial use of this service, please contact the Dragon Research Group (DRG) for more information. Redistribution of the sshpwauth report is prohibited without the express permission of the Dragon Research Group (DRG).

This report is informational. It is not a blacklist, but some operators may choose to use it to help protect their networks and hosts in the forms of automated reporting and mitigation services. The data is provided on an as-is basis with no expressed warranty or guarantee of accuracy. Use of this data is at your own risk. If you have questions about this report do not hesitate to contact us by any of the means below.

The Dragon Research Group (DRG) is a volunteer research organization dedicated to further the understanding of online criminality and to provide actionable intelligence for the benefit of the entire Internet community.