HexShift

Detecting SSH Brute Force Attacks with Python: Building a Simple Monitor

One of the most common and persistent threats to any server exposed to the internet is the brute force SSH attack. These are automated attempts to guess login credentials by repeatedly trying combinations of usernames and passwords. Left unchecked, they can waste system resources, fill up log files, and occasionally even succeed if weak credentials are in use.

Fortunately, detecting brute force attacks is well within reach using Python. By monitoring your system’s authentication logs and tracking failed login attempts, you can identify patterns, block offending IP addresses, and alert administrators before any real damage is done.

In this article, we will walk through the process of building a lightweight Python-based SSH brute force monitor. It is a practical and educational project that will strengthen both your Python skills and your understanding of real-world threats.


Let’s begin with where brute force attempts leave their trace — the logs. On most Linux systems, SSH login activity is recorded in /var/log/auth.log or /var/log/secure depending on the distribution. Every failed attempt generates an entry including the username, IP address, and timestamp. By scanning this file, we can extract and analyze the data to detect abuse.

The basic idea is simple: if the same IP address fails to log in too many times within a short time frame, it is probably not a legitimate user. Your script can then log this activity, notify an admin, or even ban the IP address automatically.

You do not need complex tools to make this happen. With Python, you can open the log file, read it line by line, and use regular expressions to pull out the relevant parts. The script can keep track of failed attempts by IP in a dictionary and compare the number of attempts against a defined threshold.


Here is how the monitoring logic works at a high level:

  1. Read from the SSH authentication log
  2. Search for lines that indicate a failed login
  3. Extract the offending IP address and timestamp
  4. Keep a count of failed attempts per IP
  5. If an IP exceeds your threshold, log it as suspicious
  6. Optionally, trigger an alert or response action
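The six steps above, as an added worked example that is not code from the original post. It assumes the standard `Failed password for ... from ... port ...` line that OpenSSH's sshd writes to auth.log or secure; the function names, the sample entries and the allowlist of trusted addresses are my own constructions (the whitelist idea is covered later in the article).

```python
import re
import sys
from collections import Counter

# Matches the failure line sshd writes to auth.log/secure. "invalid user" is
# present when the account does not exist at all; both forms are counted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line):
    """Steps 2-3: return (user, ip) for a failed-login line, else None."""
    m = FAILED_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None


def count_failures(lines, allowlist=frozenset()):
    """Step 4: tally failures per source IP, ignoring trusted addresses."""
    counts = Counter()
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        _user, ip = parsed
        if ip not in allowlist:
            counts[ip] += 1
    return counts


def find_suspicious(counts, threshold=5):
    """Step 5: every IP whose failure count reached the threshold."""
    return {ip: n for ip, n in counts.items() if n >= threshold}


def scan_log(path, threshold=5, allowlist=frozenset()):
    """Steps 1, 4 and 5 over a real file (e.g. /var/log/auth.log)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(count_failures(fh, allowlist), threshold)


# Constructed sample entries (not real log data): one noisy address,
# one that only failed twice, and one internal address on the allowlist.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:04 host sshd[1203]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:00:05 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 60010 ssh2
Mar  3 10:00:07 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Mar  3 10:00:08 host sshd[1207]: Failed password for bob from 10.0.0.8 port 33001 ssh2
Mar  3 10:00:09 host sshd[1208]: Failed password for root from 203.0.113.5 port 51248 ssh2
Mar  3 10:00:10 host sshd[1209]: Failed password for bob from 10.0.0.8 port 33002 ssh2
Mar  3 10:00:11 host sshd[1210]: Failed password for invalid user guest from 198.51.100.7 port 60012 ssh2
Mar  3 10:00:12 host sshd[1211]: Failed password for bob from 10.0.0.8 port 33003 ssh2
Mar  3 10:00:13 host sshd[1212]: Failed password for root from 203.0.113.5 port 51252 ssh2
Mar  3 10:00:14 host sshd[1213]: Failed password for bob from 10.0.0.8 port 33004 ssh2
Mar  3 10:00:15 host sshd[1214]: Failed password for bob from 10.0.0.8 port 33005 ssh2
"""


def demo(threshold=5, allowlist=frozenset({"10.0.0.8"})):
    """Run the whole pipeline over SAMPLE_LOG; used for offline testing."""
    return find_suspicious(count_failures(SAMPLE_LOG.splitlines(), allowlist), threshold)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_log(path) if path else demo()
    for ip, n in sorted(result.items(), key=lambda kv: -kv[1]):
        # Step 6: this is where an alert, a firewall rule or a ticket would go.
        print(f"SUSPICIOUS {ip}: {n} failed logins")
```

Run it with no arguments to see the constructed sample flag `203.0.113.5` (six failures) while `198.51.100.7` stays under the threshold and the allowlisted `10.0.0.8` is ignored; pass a path to scan a real file. Threshold and allowlist are parameters because the right values differ per environment: a jump host that serves hundreds of users needs a higher bar than a single-admin box.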

This approach is simple, but very effective. You can run the script periodically using cron or keep it running continuously in the background, depending on your needs. You might also build in logging so you can review which IPs were blocked or flagged over time.

One thing to be careful of is re-parsing the same entries. If your script reads from the top of the log file every time it runs, you will count the same failures again and again. A good solution is to record the last read position in a small marker file, so that each run processes only the entries appended since the previous one.
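An added example of the marker-file approach (my code, not the post's), which also covers the "log rotation support" item later in the article. It stores the byte offset of the last consumed line together with the log file's inode: a different inode means the file was renamed and recreated by logrotate, and a size smaller than the saved offset means it was truncated in place, so in both cases the reader restarts from byte zero. A trailing partial line that sshd is still writing is deferred to the next run rather than parsed as a broken entry. The file names and the sample entries are constructed.

```python
import json
import os
import tempfile


def load_state(state_path):
    """Read the marker file: byte offset of the last consumed line and the
    inode of the file it belonged to. Missing or corrupt marker -> start fresh."""
    try:
        with open(state_path, encoding="utf-8") as fh:
            state = json.load(fh)
        return {"inode": state["inode"], "offset": int(state["offset"])}
    except (FileNotFoundError, KeyError, ValueError):
        return {"inode": None, "offset": 0}


def save_state(state_path, state):
    """Write the marker atomically so a crash never leaves it half-written."""
    tmp = state_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, state_path)


def read_new_lines(log_path, state_path):
    """Return only the complete lines appended since the previous call."""
    state = load_state(state_path)
    st = os.stat(log_path)
    # A different inode means the log was rotated (renamed and recreated);
    # a size smaller than our offset means it was truncated in place.
    # Either way the saved offset is meaningless: restart from byte 0.
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}
    with open(log_path, "rb") as fh:
        fh.seek(state["offset"])
        data = fh.read()
    # Stop at the last newline so a line sshd is still writing is left for
    # the next run instead of being parsed as a truncated entry.
    complete, newline, _partial = data.rpartition(b"\n")
    if not newline:
        save_state(state_path, state)
        return []
    state["offset"] += len(complete) + 1
    save_state(state_path, state)
    return complete.decode("utf-8", errors="replace").split("\n")


def demo():
    """Exercise the reader in a temp dir; returns the line count of each call."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        marker = os.path.join(tmp, "auth.log.offset")
        # Constructed entries (not real log data).
        entry = ("Mar  3 10:00:{:02d} host sshd[1201]: Failed password for root "
                 "from 203.0.113.5 port 51234 ssh2\n")
        with open(log, "w") as fh:
            fh.write("".join(entry.format(i) for i in range(3)))
        counts = [len(read_new_lines(log, marker))]       # 3: first run sees everything
        counts.append(len(read_new_lines(log, marker)))   # 0: nothing new
        with open(log, "a") as fh:
            fh.write(entry.format(3) + entry.format(4))
        counts.append(len(read_new_lines(log, marker)))   # 2: only the appended lines
        with open(log, "a") as fh:
            fh.write("Mar  3 10:00:05 host sshd[1202]: Failed pass")  # no newline yet
        counts.append(len(read_new_lines(log, marker)))   # 0: partial line deferred
        with open(log, "a") as fh:
            fh.write("word for root from 203.0.113.5 port 51240 ssh2\n")
        counts.append(len(read_new_lines(log, marker)))   # 1: now complete
        os.replace(log, log + ".1")                       # logrotate-style rename
        with open(log, "w") as fh:
            fh.write(entry.format(6))
        counts.append(len(read_new_lines(log, marker)))   # 1: rotation detected, restart at 0
        return counts


if __name__ == "__main__":
    print(demo())
```

One caveat worth knowing: entries written to the old file between your last run and the rotation are not seen by this reader, because it only ever looks at the current file. If that gap matters, run the script more often than the rotation interval, or also drain the rotated `.1` file when a new inode is detected.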


As your script evolves, there are many features you can add:

  • GeoIP lookup: See where attacks are coming from geographically
  • Whitelist: Avoid blocking trusted internal IP addresses
  • Firewall integration: Use tools like iptables or ufw to block attackers
  • Email alerts: Notify admins of suspicious behavior immediately
  • Dashboard logging: Send events to a web dashboard or database for further analysis

Python’s flexibility means you can tailor this tool to fit any environment. In smaller settings, it might be your first line of defense. In larger networks, it can supplement existing intrusion detection systems.


Here are a few enhancements to make your monitor more powerful:

  • Sliding time window: Track how many failed attempts occurred within a set time period, such as five minutes
  • Concurrency: Use threads or asynchronous processing to monitor multiple files or services at once
  • Success correlation: Detect suspicious activity followed by a successful login from the same IP
  • Log rotation support: Ensure your script handles rotated logs gracefully

The more context you can build around each event, the smarter your response will be. The goal is not just to stop attacks, but to understand them — their frequency, tactics, and origin.

Once you have your SSH monitor running, you will likely be surprised by how often brute force attempts happen. Even low-profile servers receive regular attention from automated bots. Being able to see this in action reinforces the importance of basic hardening measures like using strong credentials, disabling root login, and enabling key-based authentication.


If you are looking to practice your Python skills on a real problem that defenders face every day, building an SSH brute force monitor is an ideal project. It teaches you to parse logs, track state, automate responses, and think like both an attacker and a defender. Best of all, it is something you can build quickly and improve over time.

To go further, check out my 17-page PDF guide, Mastering Cybersecurity with Python: The Complete Pro Guide to Network Defense. It includes deeper dives into detection logic, script examples, and more hands-on projects for defensive Python development. You can download it now for just five dollars.

And if you have enjoyed this article or the series so far, I invite you to buy me a coffee. Your support helps me keep producing practical, focused cybersecurity content for learners and professionals alike.
