Method and device for realizing SSH brute force cracking defense through log analysis

By combining log analysis and threat intelligence, the risk level of SSH brute-force attacks is assessed and corresponding measures are taken, which solves the problem of low efficiency in existing defenses and achieves efficient SSH brute-force attack defense and reduces false alarms.

CN115834109B · Active · Publication Date: 2026-06-19 · WUHAN ZBANK CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
WUHAN ZBANK CO LTD
Filing Date
2022-09-27
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing security measures are ineffective against SSH brute-force attacks, resulting in low defense efficiency, high false alarm rates, and increased maintenance workload.

Method used

By combining log analysis and threat intelligence, the security risk level of attack behavior is defined, and corresponding measures are taken according to the level, including IP address recording, threat score assessment, and different levels of defense strategies.

Benefits of technology

It achieves efficient defense against SSH brute-force attacks, reduces false alarms, improves defense efficiency, and takes timely security emergency measures in the event of high-level attacks.

✦ Generated by Eureka AI based on patent content.


Abstract

This technology is applied in the field of network security. This invention provides a method and apparatus for defending against SSH brute-force attacks through log analysis. The purpose of this invention is to solve the problem of inefficiency in existing security defense measures when they cannot cope with brute-force attacks. The main solution includes: acquiring security logs and system logs from monitoring devices and providing them to the perception module; acquiring the attacker's source IP address, username, and time; the perception module recording the attack source IP address, username, and time information in memory and performing statistics within a set time period; querying third-party professional threat intelligence to return the attack source IP address attribution information and threat score; the log threat analysis module defining the danger level of the brute-force threat based on the attack source IP address and threat score; and implementing different corresponding response measures based on the risk identification results of the threat analysis module.

Description

Technical Field

[0001] This technology is applied in the field of network security. This invention provides a method and device for SSH brute-force attack defense through log analysis.

Background Technology

[0002] SSH brute-force attacks are the most common method of hacking. This method is low-cost and highly threatening. If the brute-force attack is successful, the hacker can directly obtain server privileges, intrude into the private network, and cause network security risks and data breaches.

[0003] Currently, traditional Linux and cloud servers defend against attacks by configuring the local Linux login authentication module (PAM). When hackers launch brute-force attacks, the login authentication module prevents attacks by setting an attack threshold. When the attack exceeds the threshold, the attacker's IP and account are added to a blacklist to prevent the attacker from continuing to try. This method can only effectively delay the attack, but it does not achieve the effect of defense. At the same time, if the brute-force attack is successful, no security alert will be generated, so it does not achieve the effect of effective alerting and defense.

[0004] As attack methods and techniques constantly evolve and innovate, attackers bypass traditional authentication modules by continuously changing attack IP addresses, usernames, and lowering thresholds, rendering traditional PAM-based defenses ineffective. In business service usage, SSH services are often used as secure SFTP services for file exchange between external channels and internal systems. Threshold-based defenses are unsuitable for this business application. Furthermore, in routine maintenance of Linux and cloud servers, automated login and business execution scripts are used for daily monitoring and backups. Incorrect passwords in these scripts generate numerous false positives, increasing the workload for security operations. In conclusion, traditional threshold-based defenses, coupled with false positives and increased workload, render existing security measures inefficient in dealing with brute-force attacks. Therefore, efficiently defending against SSH brute-force attacks is a pressing issue that needs to be addressed.

[0005] This invention provides a technology for efficiently defending against SSH brute-force attacks based on log behavior analysis and threat intelligence. The technical points described in this patent can define security risks based on attack logs and threat intelligence information through behavioral scenarios, and take different measures according to the level of security risk, thus efficiently defending against SSH brute-force attacks.

Summary of the Invention

[0006] The purpose of this invention is to solve the problem of low efficiency in existing security defense measures when they cannot cope with brute-force attacks.

[0007] To achieve the above objectives, the present invention adopts the following technical solution:

[0008] A method for preventing SSH brute-force attacks through log analysis includes the following steps:

[0009] Step 1: The server and cloud host obtain security logs and system logs from the monitoring devices through the monitoring log module and provide them to the perception module;

[0010] Step 2: When an attacker attacks the server and cloud host through SSH brute-force attacks, the key log field information of the attacker is obtained through the log module monitoring. The key log field information includes the attack source IP address, username, and time.

[0011] Step 3: The "perception module" records the attack source IP address, username, and time information in memory, and performs statistics within the set time period.

[0012] Step 4: Through third-party professional threat intelligence query, return the IP address attribution information and threat score of the attack source;

[0013] Step 5: The log threat analysis module defines the danger level of brute-force threats based on the attack source IP address and threat score;

[0014] Step 6: Based on the risk identification results from the threat analysis module, implement corresponding different handling measures.

[0015] In the above technical solution, the time periods mentioned in step 3 are 1 minute, 5 minutes, 10 minutes, 1 hour, and 24 hours, and statistics are kept for each of them.

[0016] In the above technical solution, step 5 includes the following steps:

[0017] Step 5.1: If any of the conditions in 5.a-5.d apply, the threat level is defined as low.

[0018] 5.a. Threat score below 60 points;

[0019] 5.b. When it is detected that the number of times the same IP attempts to brute-force the server using different usernames and passwords exceeds a preset threshold within a unit of time (e.g., greater than or equal to 10 times in 1 minute, greater than or equal to 20 times in 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0020] 5.c. When it is detected that the same IP attempts to brute-force the server using the same username and different passwords, and the number of passwords tried exceeds the preset threshold (5 times within 1 minute, 20 times within 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0021] 5.d. When different source IPs attempt to brute-force the server using different usernames and passwords, the number of failed attempts exceeds the preset threshold (3 times within 1 minute, 10 times within 5 minutes), the source IP address is determined to be a foreign IP address by threat intelligence, and the threat score exceeds 70 points, it is determined that the IP has engaged in brute-force attack behavior.

[0022] Step 5.2: The threat level is defined as medium if the following conditions are met:

[0023] 5.e. When a frequently used login IP address attempts to log in to the server and cloud host from an unused region (the region of the source IP address is determined by threat intelligence), and the number of failed attempts exceeds a preset threshold (e.g., 5 or more times in 1 minute, 10 or more times in 5 minutes), it is determined that the behavior constitutes a brute-force attack.

[0024] Step 5.3: If any of the conditions 5.f-5.g apply, the threat level is defined as high.

[0025] 5.f. If a frequently used login IP is detected to successfully log in to different servers in a non-frequently used region, and if the number of successful logins exceeds a preset threshold (1 time), it is determined that the behavior constitutes account hacking.

[0026] 5.g. When a frequently used login IP is detected logging into different servers and unused server network segments during unused time periods (00:00-07:00), and there are lateral connections, if the number of failed attempts exceeds a preset threshold (e.g., 5 times or more in 1 minute, 10 times or more in 5 minutes), it is determined that the behavior constitutes a brute-force attack. If there are successful login records, the hacker has successfully obtained server privileges.

[0027] Step 5.4: The following conditions are defined as having an extremely high threat level:

[0028] 5.h. If, within a unit of time, different source IP addresses or the same source IP address fail 10 times or 100 times and succeed only once, so that there is a successful login record, then the server is determined to have been successfully brute-force attacked, and a security emergency response is required.

[0029] In the above technical solution, the thresholds used in step 5 are as follows:

[0030] Step 5.1 The threshold is 10 times or more in 1 minute and 20 times or more in 5 minutes;

[0031] Step 5.2 The threshold is 5 times within 1 minute and 20 times within 5 minutes;

[0032] Step 5.3 The threshold is 3 times within 1 minute and 10 times within 5 minutes;

[0033] Step 5.4 The threshold is 5 times or more in 1 minute and 10 times or more in 5 minutes;

[0034] Step 5.5 The threshold is 1 time;

[0035] Step 5.6 Thresholds: 5 times or more in 1 minute, 10 times or more in 5 minutes.

[0036] In the above technical solution, step 6 includes the following steps:

[0037] Step 6.1: For low-level threats: blacklist the attack source using the host's built-in SSHD module;
Step 6.2: For medium-level threats: confirm the issue with the relevant system administrator via a support ticket or SMS, clarify whether the administrator is currently on a business trip, and simultaneously disable the attack source IP address and username.

[0038] 6.3 For threats of a high level: if the system administrator's account password has been compromised, immediately disable the attack source IP address and login username using the built-in SSHD module, and immediately activate the security emergency response process;

[0039] 6.4 For threats classified as extremely high: It is preliminarily determined that the system password has been successfully cracked. Immediately disable the attack source IP address and login username using the built-in SSHD module, take the server offline, and immediately activate the security emergency response process.
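As an added illustration (not code from the patent), the following Python sketch runs Steps 2 through 6 over constructed sshd-style log lines: it extracts source IP, username and time, keeps the 1-minute and 5-minute counts of Step 3, applies the per-source-IP rules 5.a to 5.e and 5.h with the thresholds quoted above, and maps the resulting level to the Step 6 handling measure. The threat-intelligence lookup, the baseline of known administrator IPs and the rule precedence are assumptions; rules 5.f and 5.g are omitted because they need per-server network-segment and lateral-connection data that the example does not model.

```python
import re
from datetime import datetime, timedelta

# Step 2 extraction: ISO timestamp, result, username and source IP of an sshd-style line.
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
# Constructed stand-in for the Step 4 third-party threat-intelligence query.
THREAT_INTEL = {
    "203.0.113.7": {"region": "foreign", "score": 85},
    "198.51.100.20": {"region": "foreign", "score": 30},
    "192.0.2.10": {"region": "foreign", "score": 5},  # a known admin IP now seen abroad
}
KNOWN_LOGIN_IPS = {"192.0.2.10": "domestic"}  # constructed baseline: admin IPs and usual region
# Thresholds quoted in the patent, as (window in minutes, minimum count) pairs.
T_MULTI_USER = ((1, 10), (5, 20))   # 5.b: one IP, several usernames
T_SINGLE_USER = ((1, 5), (5, 20))   # 5.c: one IP, one username
T_DISTRIBUTED = ((1, 3), (5, 10))   # 5.d: several IPs, foreign source with score > 70
T_KNOWN_IP = ((1, 5), (5, 10))      # 5.e: known admin IP from an unusual region
RESPONSE = {  # Step 6 handling measure per level
    "low": "blacklist the source with the host's sshd module (6.1)",
    "medium": "confirm with the administrator by ticket/SMS; disable source IP and user (6.2)",
    "high": "disable source IP and user; start the emergency response process (6.3)",
    "extremely high": "disable source IP and user; take the server offline; emergency response (6.4)",
}

def parse_events(log_text):
    """Return (time, succeeded, user, ip) tuples for every line LINE_RE matches."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
                        m["user"], m["ip"]))
    return out

def in_window(events, now, minutes, ip=None, succeeded=False):
    """Step 3 statistic: events with one outcome inside the window ending at `now`."""
    start = now - timedelta(minutes=minutes)
    return [e for e in events
            if e[1] == succeeded and start <= e[0] <= now and (ip is None or e[3] == ip)]

def exceeds(events, now, thresholds, ip=None):
    return any(len(in_window(events, now, m, ip)) >= n for m, n in thresholds)

def classify(events, ip, now):
    """Step 5 for one source IP: the level of the first rule that fires, or None. Rules are
    tried from the highest level down (an ordering assumption; the patent lists no precedence)."""
    intel = THREAT_INTEL.get(ip, {"region": "unknown", "score": 0})
    fails = in_window(events, now, 5, ip)
    successes = in_window(events, now, 5, succeeded=True)
    # 5.h: 10 (or 100) failures from any sources, then exactly one success, and it is from this IP.
    if (len(successes) == 1 and successes[0][3] == ip
            and len(in_window(events, now, 5)) >= 10):
        return "extremely high"
    if not fails:
        return None
    # 5.e: a frequently used admin IP now attributed to a region it never logged in from.
    usual = KNOWN_LOGIN_IPS.get(ip)
    if usual and intel["region"] != usual and exceeds(events, now, T_KNOWN_IP, ip):
        return "medium"
    users = {e[2] for e in fails}
    if len(users) > 1 and exceeds(events, now, T_MULTI_USER, ip):    # 5.b
        return "low"
    if len(users) == 1 and exceeds(events, now, T_SINGLE_USER, ip):  # 5.c
        return "low"
    distinct_ips = {e[3] for e in in_window(events, now, 5)}
    if (len(distinct_ips) > 1 and exceeds(events, now, T_DISTRIBUTED)
            and intel["region"] == "foreign" and intel["score"] > 70):  # 5.d
        return "low"
    if intel["score"] < 60:                                           # 5.a
        return "low"
    return None

def assess(log_text, now):
    """Steps 2-6 over one log: each flagged source IP with its level and measure."""
    events = parse_events(log_text)
    verdicts = {}
    for ip in sorted({e[3] for e in events}):
        level = classify(events, ip, now)
        if level:
            verdicts[ip] = (level, RESPONSE[level])
    return verdicts

def synth_log(ip, users, start, count, accepted=False):
    """Constructed sshd-style lines, one per second, cycling through `users`."""
    word = "Accepted" if accepted else "Failed"
    return "\n".join(
        f"{(start + timedelta(seconds=i)).isoformat()} sshd[{1000 + i}]: {word} password "
        f"for {users[i % len(users)]} from {ip} port {40000 + i} ssh2" for i in range(count))

def demo_scenario():
    """Constructed scenario: a username scan, a travelling admin, and a spray from several
    sources that ends in one accepted login; returns the verdict per source IP."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    log = "\n".join([
        synth_log("203.0.113.7", ["admin", "test", "oracle", "ubuntu"], t0, 12),   # 5.b
        synth_log("192.0.2.10", ["ops"], t0, 6),                                   # 5.e
        synth_log("198.51.100.20", ["root"], t0 + timedelta(seconds=30), 1, True),  # 5.h
    ])
    return assess(log, t0 + timedelta(minutes=1))
```

Calling `demo_scenario()` returns the scanning IP as low, the travelling administrator's IP as medium (the case the bank's test results in [0139] describe), and the IP behind the single accepted login as extremely high.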

[0040] This invention also provides a device for preventing SSH brute-force attacks through log analysis, comprising:

[0041] The monitoring log module, servers, and cloud hosts obtain security logs and system logs from the monitoring devices and provide them to the perception module. When attackers attempt to attack servers and cloud hosts via SSH brute-force attacks, the log module monitors and obtains key log fields from the attackers, including the attack source IP address, username, and time.

[0042] The sensing module records the attack source IP address, username, and time information in memory, and performs statistics within a set time period.

[0043] A third-party professional threat intelligence query module returns information on the IP address of the attack source and a threat score.

[0044] The threat level module and log threat analysis module define the danger level of brute-force threats based on the attack source IP address and threat score;

[0045] The execution module, based on the risk identification results from the threat analysis module, implements different corresponding handling measures.

[0046] In the aforementioned device, the time periods used by the sensing module are 1 minute, 5 minutes, 10 minutes, 1 hour, and 24 hours, and statistics are kept for each of them.

[0047] The threat level module in the above device is implemented by the following steps:

[0048] Step 5.1: If any of the conditions in 5.a-5.d apply, the threat level is defined as low.

[0049] 5.a. Threat score below 60 points;

[0050] 5.b. When it is detected that the number of times the same IP attempts to brute-force the server using different usernames and passwords exceeds a preset threshold within a unit of time (e.g., greater than or equal to 10 times in 1 minute, greater than or equal to 20 times in 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0051] 5.c. When it is detected that the same IP attempts to brute-force the server using the same username and different passwords, and the number of passwords tried exceeds the preset threshold (5 times within 1 minute, 20 times within 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0052] 5.d. When different source IPs attempt to brute-force the server using different usernames and passwords, the number of failed attempts exceeds the preset threshold (3 times within 1 minute, 10 times within 5 minutes), the source IP address is determined to be a foreign IP address by threat intelligence, and the threat score exceeds 70 points, it is determined that the IP has engaged in brute-force attack behavior.

[0053] Step 5.2: The threat level is defined as medium if the following conditions are met:

[0054] 5.e. When a frequently used login IP address attempts to log in to the server and cloud host from an unused region (the region of the source IP address is determined by threat intelligence), and the number of failed attempts exceeds a preset threshold (e.g., 5 or more times in 1 minute, 10 or more times in 5 minutes), it is determined that the behavior constitutes a brute-force attack.

[0055] Step 5.3: If any of the conditions 5.f-5.g apply, the threat level is defined as high.

[0056] 5.f. When it is detected that a frequently used login IP successfully logs into different servers in a non-frequently used region, and a VPN network connection is observed, if the number of successful logins exceeds the preset threshold (1 time), it is determined that the behavior indicates account hacking.

[0057] 5.g. When a frequently used login IP is detected logging into different servers and unused server network segments during unused time periods (00:00-07:00), and there are lateral connections, if the number of failed attempts exceeds a preset threshold (e.g., 5 times or more in 1 minute, 10 times or more in 5 minutes), it is determined that the behavior constitutes a brute-force attack. If there are successful login records, the hacker has successfully obtained server privileges.

[0058] Step 5.4: The following conditions are defined as having an extremely high threat level:

[0059] 5.h. If, within a unit of time, different source IP addresses or the same source IP address fail 10 times or 100 times and succeed only once, so that there is a successful login record, then the server is determined to have been successfully brute-force attacked, and a security emergency response is required.

[0060] In the aforementioned device, the thresholds used by the threat level module are as follows:

[0061] Step 5.1 The threshold is 10 times or more in 1 minute and 20 times or more in 5 minutes;

[0062] Step 5.2 The threshold is 5 times within 1 minute and 20 times within 5 minutes;

[0063] Step 5.3 The threshold is 3 times within 1 minute and 10 times within 5 minutes;

[0064] Step 5.4 The threshold is 5 times or more in 1 minute and 10 times or more in 5 minutes;

[0065] Step 5.5 The threshold is 1 time;

[0066] Step 5.6 Thresholds: 5 times or more in 1 minute, 10 times or more in 5 minutes.

[0067] In the above-mentioned device, the execution module includes the following steps:

[0068] Step 6.1: For low-level threats: blacklist the attack source using the host's built-in SSHD module;
Step 6.2: For medium-level threats: confirm the issue with the relevant system administrator via a support ticket or SMS, clarify whether the administrator is currently on a business trip, and simultaneously disable the attack source IP address and username.

[0069] 6.3 For threats of a high level: if the system administrator's account password has been compromised, immediately disable the attack source IP address and login username using the built-in SSHD module, and immediately activate the security emergency response process;

[0070] 6.4 For threats classified as extremely high: It is preliminarily determined that the system password has been successfully cracked. Immediately disable the attack source IP address and login username using the built-in SSHD module, take the server offline, and immediately activate the security emergency response process.

[0071] Because the present invention adopts the above-described technical solution, it has the following beneficial effects:

[0072] This approach analyzes security logs to define security threat levels and develop corresponding security solutions, addressing the inefficiency of existing security defenses in dealing with brute-force attacks.

Attached Figure Description

[0073] Figure 1 is a simplified flowchart of the security threat assessment process of the present invention.

Detailed Implementation

[0074] The embodiments of the present invention will be described in detail below. Although the present invention will be described and illustrated in conjunction with some specific embodiments, it should be noted that the present invention is not limited to these embodiments. On the contrary, any modifications or equivalent substitutions made to the present invention should be covered within the scope of the claims of the present invention.

[0075] Furthermore, to better illustrate the present invention, numerous specific details are set forth in the following detailed embodiments. Those skilled in the art will understand that the present invention can be practiced without these specific details.

[0076] A method for preventing SSH brute-force attacks through log analysis includes the following steps:

[0077] Step 1: The server and cloud host obtain security logs and system logs from the monitoring devices through the monitoring log module and provide them to the perception module;

[0078] Step 2: When an attacker attacks the server and cloud host through SSH brute-force attacks, the key log field information of the attacker is obtained through the log module monitoring. The key log field information includes the attack source IP address, username, and time.

[0079] Step 3: The "perception module" records the attack source IP address, username, and time information in memory, and performs statistics within the set time period.

[0080] Step 4: Through third-party professional threat intelligence query, return the IP address attribution information and threat score of the attack source;

[0081] Step 5: The log threat analysis module defines the danger level of brute-force threats based on the attack source IP address and threat score;

[0082] Step 6: Based on the risk identification results from the threat analysis module, implement corresponding different handling measures.

[0083] In the above technical solution, the time periods mentioned in step 3 are 1 minute, 5 minutes, 10 minutes, 1 hour, and 24 hours, and statistics are kept for each of them.

[0084] In the above technical solution, step 5 includes the following steps:

[0085] Step 5.1: If any of the conditions in 5.a-5.d apply, the threat level is defined as low.

[0086] 5.a. Threat score below 60 points;

[0087] 5.b. When it is detected that the number of times the same IP attempts to brute-force the server using different usernames and passwords exceeds a preset threshold within a unit of time (e.g., greater than or equal to 10 times in 1 minute, greater than or equal to 20 times in 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0088] 5.c. When it is detected that the same IP attempts to brute-force the server using the same username and different passwords, and the number of passwords tried exceeds the preset threshold (5 times within 1 minute, 20 times within 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0089] 5.d. When different source IPs attempt to brute-force the server using different usernames and passwords, the number of failed attempts exceeds the preset threshold (3 times within 1 minute, 10 times within 5 minutes), the source IP address is determined to be a foreign IP address by threat intelligence, and the threat score exceeds 70 points, it is determined that the IP has engaged in brute-force attack behavior.

[0090] Step 5.2: The threat level is defined as medium if the following conditions are met:

[0091] 5.e. When a frequently used login IP address attempts to log in to the server and cloud host from an unused region (the region of the source IP address is determined by threat intelligence), and the number of failed attempts exceeds a preset threshold (e.g., 5 or more times in 1 minute, 10 or more times in 5 minutes), it is determined that the behavior constitutes a brute-force attack.

[0092] Step 5.3: If any of the conditions 5.f-5.g apply, the threat level is defined as high.

[0093] 5.f. If a frequently used login IP is detected to successfully log in to different servers in a non-frequently used region, and if the number of successful logins exceeds a preset threshold (1 time), it is determined that the behavior constitutes account hacking.

[0094] 5.g. When a frequently used login IP is detected logging into different servers and unused server network segments during unused time periods (00:00-07:00), and there are lateral connections, if the number of failed attempts exceeds a preset threshold (e.g., 5 times or more in 1 minute, 10 times or more in 5 minutes), it is determined that the behavior constitutes a brute-force attack. If there are successful login records, the hacker has successfully obtained server privileges.

[0095] Step 5.4: The following conditions are defined as having an extremely high threat level:

[0096] 5.h. If, within a unit of time, different source IP addresses or the same source IP address fail 10 times or 100 times and succeed only once, so that there is a successful login record, then the server is determined to have been successfully brute-force attacked, and a security emergency response is required.

[0097] In the above technical solution, the thresholds used in step 5 are as follows:

[0098] Step 5.1 The threshold is 10 times or more in 1 minute and 20 times or more in 5 minutes;

[0099] Step 5.2 The threshold is 5 times within 1 minute and 20 times within 5 minutes;

[0100] Step 5.3 The threshold is 3 times within 1 minute and 10 times within 5 minutes;

[0101] Step 5.4 The threshold is 5 times or more in 1 minute and 10 times or more in 5 minutes;

[0102] Step 5.5 The threshold is 1 time;

[0103] Step 5.6 Thresholds: 5 times or more in 1 minute, 10 times or more in 5 minutes.

[0104] In the above technical solution, step 6 includes the following steps:

[0105] Step 6.1: For low-level threats: blacklist the attack source using the host's built-in SSHD module;
Step 6.2: For medium-level threats: confirm the issue with the relevant system administrator via a support ticket or SMS, clarify whether the administrator is currently on a business trip, and simultaneously disable the attack source IP address and username.

[0106] 6.3 For threats of a high level: if the system administrator's account password has been compromised, immediately disable the attack source IP address and login username using the built-in SSHD module, and immediately activate the security emergency response process;

[0107] 6.4 For threats classified as extremely high: It is preliminarily determined that the system password has been successfully cracked. Immediately disable the attack source IP address and login username using the built-in SSHD module, take the server offline, and immediately activate the security emergency response process.

[0108] This invention also provides a device for preventing SSH brute-force attacks through log analysis, comprising:

[0109] The monitoring log module, servers, and cloud hosts obtain security logs and system logs from the monitoring devices and provide them to the perception module. When attackers attempt to attack servers and cloud hosts via SSH brute-force attacks, the log module monitors and obtains key log fields from the attackers, including the attack source IP address, username, and time.

[0110] The sensing module records the attack source IP address, username, and time information in memory, and performs statistics within a set time period.

[0111] A third-party professional threat intelligence query module returns information on the IP address of the attack source and a threat score.

[0112] The threat level module and log threat analysis module define the danger level of brute-force threats based on the attack source IP address and threat score;

[0113] The execution module, based on the risk identification results from the threat analysis module, implements different corresponding handling measures.

[0114] In the aforementioned device, the time periods used by the sensing module are 1 minute, 5 minutes, 10 minutes, 1 hour, and 24 hours, and statistics are kept for each of them.

[0115] The threat level module in the above device is implemented by the following steps:

[0116] Step 5.1: If any of the conditions in 5.a-5.d apply, the threat level is defined as low.

[0117] 5.a. Threat score below 60 points;

[0118] 5.b. When it is detected that the number of times the same IP attempts to brute-force the server using different usernames and passwords exceeds a preset threshold within a unit of time (e.g., greater than or equal to 10 times in 1 minute, greater than or equal to 20 times in 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0119] 5.c. When it is detected that the same IP attempts to brute-force the server using the same username and different passwords, and the number of passwords tried exceeds the preset threshold (5 times within 1 minute, 20 times within 5 minutes), it is determined that the IP has engaged in brute-force attack behavior.

[0120] 5.d. When different source IPs attempt to brute-force the server using different usernames and passwords, the number of failed attempts exceeds the preset threshold (3 times within 1 minute, 10 times within 5 minutes), the source IP address is determined to be a foreign IP address by threat intelligence, and the threat score exceeds 70 points, it is determined that the IP has engaged in brute-force attack behavior.

[0121] Step 5.2: The threat level is defined as medium if the following conditions are met:

[0122] 5.e. When a frequently used login IP address attempts to log in to the server and cloud host from an unused region (the region of the source IP address is determined by threat intelligence), and the number of failed attempts exceeds a preset threshold (e.g., 5 or more times in 1 minute, 10 or more times in 5 minutes), it is determined that the behavior constitutes a brute-force attack.

[0123] Step 5.3: If any of the conditions 5.f-5.g apply, the threat level is defined as high.

[0124] 5.f. If a frequently used login IP is detected to successfully log in to different servers in a non-frequently used region, and if the number of successful logins exceeds a preset threshold (1 time), it is determined that the behavior constitutes account hacking.

[0125] 5.g. When a frequently used login IP is detected logging into different servers and unused server network segments during unused time periods (00:00-07:00), and there are lateral connections, if the number of failed attempts exceeds a preset threshold (e.g., 5 times or more in 1 minute, 10 times or more in 5 minutes), it is determined that the behavior constitutes a brute-force attack. If there are successful login records, the hacker has successfully obtained server privileges.

[0126] Step 5.4: The following conditions are defined as having an extremely high threat level:

[0127] 5.h. If a server is detected to have failed 10 times or 100 times and succeeded once within a unit of time, with a successful login record, from different source IP addresses or the same source IP address, then the server is considered to have been successfully brute-force attacked, and a security emergency response is required.

[0128] In the aforementioned device, the thresholds used by the threat level module are as follows:

[0129] Step 5.1 The threshold is 10 times or more in 1 minute and 20 times or more in 5 minutes;

[0130] Step 5.2 The threshold is 5 times within 1 minute and 20 times within 5 minutes;

[0131] Step 5.3 The threshold is 3 times within 1 minute and 10 times within 5 minutes;

[0132] Step 5.4 The threshold is 5 times or more in 1 minute and 10 times or more in 5 minutes;

[0133] Step 5.5 The threshold is 1 time;

[0134] Step 5.6 Thresholds: 5 times or more in 1 minute, 10 times or more in 5 minutes.

[0135] In the above-mentioned device, the execution module includes the following steps:

[0136] Step 6.1: For low-level threats: blacklist the attack source using the host's built-in SSHD module;
Step 6.2: For medium-level threats: confirm the issue with the relevant system administrator via a support ticket or SMS, clarify whether the administrator is currently on a business trip, and simultaneously disable the attack source IP address and username.

[0137] 6.3 For threats of a high level: if the system administrator's account password has been compromised, immediately disable the attack source IP address and login username using the built-in SSHD module, and immediately activate the security emergency response process;

[0138] 6.4 For threats classified as extremely high: It is preliminarily determined that the system password has been successfully cracked. Immediately disable the attack source IP address and login username using the built-in SSHD module, take the server offline, and immediately activate the security emergency response process.

[0139] This solution is currently being tested and used in our bank's test and experimental environments. It successfully detected 1023 low-risk events, blocked 109 foreign IP addresses, and blocked 50 based on threat intelligence scoring. It also successfully detected 2 medium-risk events, both occurring during a system administrator's business trip. No high-risk or extremely high-risk events were detected.

Claims

1. A method for SSH brute force defense through log analysis, characterized in that it includes the following steps:
Step 1: The server and cloud host obtain security logs and system logs from the monitoring devices through the monitoring log module and provide them to the perception module;
Step 2: When an attacker attacks the server and cloud host through SSH brute-force attacks, the attacker's key log field information is obtained through the monitoring log module; the key log field information includes the attack source IP address, username, and time;
Step 3: The perception module records the attack source IP address, username, and time information in memory and performs statistics within the set time period;
Step 4: Through a third-party professional threat intelligence query, the attribution information and threat score of the attack source IP address are returned;
Step 5: The log threat analysis module defines the danger level of the brute-force threat based on the attack source IP address and threat score;
Step 6: Based on the risk identification results from the threat analysis module, the corresponding handling measures for each level are implemented.
Step 5 includes the following steps:
Step 5.1: If any of the conditions 5.a-5.d applies, the threat level is defined as low.
5.a. The threat score is below 60 points;
5.b. When the number of times the same IP fails to brute-force the server using different usernames and passwords within a unit of time exceeds a preset threshold, the IP is determined to have engaged in brute-force attack behavior;
5.c. When the same IP address is detected attempting to brute-force the server using the same username and different passwords, and the number of passwords used exceeds the preset threshold, the IP address is determined to be engaging in brute-force attacks;
5.d. When different source IPs attempt to brute-force the server using different usernames and passwords, the number of failed attempts exceeds the preset threshold, the source IP address is determined by threat intelligence to be a foreign IP address, and the threat score exceeds 70 points, the IP is determined to have engaged in brute-force attack behavior.
Step 5.2: If the following condition is met, the threat level is defined as medium:
5.e. When a frequently used login IP address attempts to log in to the server and cloud host from an infrequently used region, and the number of failed attempts exceeds a preset threshold, the behavior is deemed to constitute a brute-force attack.
Step 5.3: If either of the conditions 5.f-5.g applies, the threat level is defined as high.
5.f. If a frequently used login IP is detected successfully logging in to different servers from an infrequently used region, and the number of successful logins exceeds a preset threshold, the behavior is determined to constitute account hacking;
5.g. If a frequently used login IP is detected logging in to different servers and unused server network segments during infrequently used time periods, lateral connections are present, and the number of failed attempts exceeds a preset threshold, the behavior is considered a brute-force attack; if there are successful login records, the hacker has successfully gained server access.
Step 5.4: The following condition is defined as an extremely high threat level:
5.h. If different source IP addresses or the same source IP address fail 10 times, 100 times, and succeed once within a unit of time, and there is a successful login record, then the server is determined to have been successfully brute-forced and security emergency measures need to be taken.
Step 6 includes the following steps:
Step 6.1: For threats of a low level: blacklist the attack source using the host's built-in SSHD module;
Step 6.2: For threats of a medium level: confirm the issue with the relevant system administrator via work order or SMS, clarify whether the system administrator is currently on a business trip, and at the same time disable the IP address and username of the attack source;
Step 6.3: For threats of a high level: it is preliminarily determined that the account password of the person in charge of the system has been leaked; immediately disable the IP address and login username of the attack source through the built-in SSHD module, and immediately activate the security emergency procedure;
Step 6.4: For threats of an extremely high level: it is preliminarily determined that the system password has been successfully cracked; immediately disable the attack source IP address and login username through the built-in SSHD module, take the server offline, and immediately activate the security emergency procedure.

2. The method for preventing SSH brute force cracking through log analysis according to claim 1, characterized in that the time periods mentioned in step 3 are: within 1 minute, within 5 minutes, within 10 minutes, within 1 hour, and within 24 hours, respectively.

3. The method for preventing SSH brute force cracking through log analysis according to claim 1, characterized in that, in step 5: Step 5.1: the threshold is 10 times or more in 1 minute and 20 times or more in 5 minutes; Step 5.2: the threshold is 5 times within 1 minute and 20 times within 5 minutes; Step 5.3: the threshold is 3 times within 1 minute and 10 times within 5 minutes; Step 5.4: the threshold is 5 times or more in 1 minute and 10 times or more in 5 minutes.

4. An apparatus for implementing SSH brute force attack defense through log analysis, characterized in that it includes the following:
The monitoring log module, servers, and cloud hosts obtain security logs and system logs from the monitoring devices and provide them to the perception module. When attackers attempt to attack servers and cloud hosts via SSH brute-force attacks, the monitoring log module obtains the attackers' key log fields, including the attack source IP address, username, and time.
The perception module records the attack source IP address, username, and time information in memory and performs statistics within a set time period.
A third-party professional threat intelligence query module returns the attribution information and threat score of the attack source IP address.
The threat level module and log threat analysis module define the danger level of brute-force threats based on the attack source IP address and threat score.
The execution module, based on the risk identification results from the threat analysis module, implements the corresponding response measures for each level.
The threat level module is implemented through the following steps:
Step 5.1: If any of the conditions 5.a-5.d applies, the threat level is defined as low.
5.a. The threat score is below 60 points;
5.b. When the number of times the same IP fails to brute-force the server using different usernames and passwords within a unit of time exceeds a preset threshold, the IP is determined to have engaged in brute-force attack behavior;
5.c. When the same IP address is detected attempting to brute-force the server using the same username and different passwords, and the number of passwords used exceeds the preset threshold, the IP address is determined to be engaging in brute-force attacks;
5.d. When different source IPs attempt to brute-force the server using different usernames and passwords, the number of failed attempts exceeds the preset threshold, the source IP address is determined by threat intelligence to be a foreign IP address, and the threat score exceeds 70 points, the IP is determined to have engaged in brute-force attack behavior.
Step 5.2: If the following condition is met, the threat level is defined as medium:
5.e. When a frequently used login IP address attempts to log in to the server and cloud host from an infrequently used region, and the number of failed attempts exceeds a preset threshold, the behavior is deemed to constitute a brute-force attack.
Step 5.3: If either of the conditions 5.f-5.g applies, the threat level is defined as high.
5.f. If a frequently used login IP is detected successfully logging in to different servers from an infrequently used region, and the number of successful logins exceeds a preset threshold, the behavior is determined to constitute account hacking;
5.g. When a frequently used login IP is detected logging in to different servers and unused server network segments during infrequently used time periods, lateral connections are present, and the number of failed attempts exceeds a preset threshold, the behavior is determined to constitute a brute-force attack; if there are successful login records, the hacker has successfully obtained server privileges.
Step 5.4: The following condition is defined as an extremely high threat level:
5.h. If different source IP addresses or the same source IP address fail 10 times, 100 times, and succeed once within a unit of time, and there is a successful login record, then the server is determined to have been successfully brute-forced and security emergency measures need to be taken.
The execution module includes the following steps:
Step 6.1: For threats of a low level: blacklist the attack source using the host's built-in SSHD module;
Step 6.2: For threats of a medium level: confirm the issue with the relevant system administrator via work order or SMS, clarify whether the system administrator is currently on a business trip, and at the same time disable the IP address and username of the attack source;
Step 6.3: For threats of a high level: it is preliminarily determined that the account password of the person in charge of the system has been leaked; immediately disable the IP address and login username of the attack source through the built-in SSHD module, and immediately activate the security emergency procedure;
Step 6.4: For threats of an extremely high level: it is preliminarily determined that the system password has been successfully cracked; immediately disable the attack source IP address and login username through the built-in SSHD module, take the server offline, and immediately activate the security emergency procedure.

5. The device for preventing SSH brute force cracking through log analysis according to claim 4, characterized in that the time periods used by the perception module are: within 1 minute, within 5 minutes, within 10 minutes, within 1 hour, and within 24 hours, respectively.

6. The device for preventing SSH brute force cracking through log analysis according to claim 4, characterized in that, in the threat level module: Step 5.1: the threshold is 10 times or more in 1 minute and 20 times or more in 5 minutes; Step 5.2: the threshold is 5 times within 1 minute and 20 times within 5 minutes; Step 5.3: the threshold is 3 times within 1 minute and 10 times within 5 minutes; Step 5.4: the threshold is 5 times or more in 1 minute and 10 times or more in 5 minutes.
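As an added example (not the patent's own code), the following Python sketch implements the counting and grading of claims 1 and 3 (equivalently claims 4 and 6) for the clauses that can be decided from sshd logs and a threat score alone, namely 5.a-5.d and 5.h; the medium and high levels (5.e-5.g) need a baseline of each administrator's usual IPs and regions and are left out. The log lines and the threat-intelligence lookup are constructed stand-ins, and the log format is assumed to be OpenSSH's standard "Failed/Accepted password for ... from ... port" message.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines (sample data, not from the patent): 203.0.113.5 sprays
# 12 usernames in one minute and then logs in as root; 198.51.100.7 fails 11 times
# against root in one minute and never succeeds.
def _line(sec, result, user, ip):
    return (f"Sep 27 10:00:{sec:02d} bastion sshd[{2000 + sec}]: {result} password "
            f"for {user} from {ip} port {40000 + sec} ssh2")
SAMPLE_LOG = ([_line(s, "Failed", f"user{s}", "203.0.113.5") for s in range(12)]
              + [_line(13, "Accepted", "root", "203.0.113.5")]
              + [_line(s, "Failed", "root", "198.51.100.7") for s in range(20, 31)])
# Stand-in for the third-party threat-intelligence query (step 4): ip -> threat score.
THREAT_INTEL = {"203.0.113.5": 85, "198.51.100.7": 40}
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
                     r"password for (?:invalid user )?(\S+) from (\S+) port")

def parse(lines, year=2022):
    """Steps 1-2: (timestamp, accepted, username, source ip) for each password outcome."""
    events = []
    for m in filter(None, map(LINE_RE.match, lines)):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2) == "Accepted", m.group(3), m.group(4)))
    return events

def max_in_window(times, seconds):
    """Step 3: largest number of events inside any sliding window of `seconds`."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def classify(events):
    """Steps 4-5: map each source IP with failed logins to the claim 1 threat level."""
    fails, okays = defaultdict(list), defaultdict(list)
    for ts, accepted, user, ip in events:
        (okays if accepted else fails)[ip].append(ts)
    levels = {}
    for ip, times in fails.items():
        n1, n5 = max_in_window(times, 60), max_in_window(times, 300)
        score = THREAT_INTEL.get(ip, 0)  # unknown IPs score 0 (assumption)
        # 5.h with claim 3 step 5.4 thresholds: burst of failures, then a successful login.
        if (n1 >= 5 or n5 >= 10) and any(t >= min(times) for t in okays.get(ip, [])):
            levels[ip] = "extremely high"
        # 5.a-5.d with claim 3 step 5.1 thresholds (5.d's foreign-IP/score test needs this count too).
        elif score < 60 or n1 >= 10 or n5 >= 20:
            levels[ip] = "low"
    return levels
```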