As part of a recent experiment, I spun up a Linode instance to simulate SSH brute-force behavior against another Ubuntu machine where I had a Wazuh agent deployed. The goal was to test detection and response workflows in a controlled environment.
However, within hours of going live, my cloud-hosted Wazuh instance itself began receiving real-world brute-force attempts from a wide range of IPs globally — likely picked up by automated scanners probing public IPv4 space.

The table below shows a breakdown of 5,460 SSH-related events captured over the Easter bank holiday weekend (2025), categorised by country of origin using GeoLocation.country_name as the filter:
| Country | Hits |
|---|---|
United States | 1,033 |
Singapore | 956 |
Vietnam | 787 |
Iran | 679 |
Hong Kong | 365 |
United Kingdom | 352* See below |
China | 351 |
Russia | 283 |
Thailand | 126 |
Indonesia | 120 |
Germany | 108 |
South Korea | 101 |
Sri Lanka | 88 |
Romania | 72 |
Kenya | 18 |
India | 16 |
Canada | 2 |
Bulgaria | 1 |
Unknown | 2 |
What It Tells Us
US, Singapore, Vietnam and Iran dominate; these could be scanning bots or compromised cloud IPs. Russia, China and Hong Kong round out that classic "bad actor" group. UK traffic (352) is notable; however, 16 of these can be discounted because I was testing from my home IP, so the correct number of attempts is actually 336. Unknown (2) – possibly geolocation failures, or internal traffic without public IPs.
Further analysis of the results allowed me to filter on the top attempted usernames, which strangely wasn't "root" as I had initially expected; instead the most popular username was "sysadmin", followed closely by "admin".
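The per-country counts, the correction for my own test traffic and the top-username breakdown above can all be reproduced from the raw Wazuh alerts. The script below is an added example rather than anything from the post or from Wazuh itself: it runs over a constructed handful of alerts in the alerts.json layout (the field names rule.groups, data.srcip, data.srcuser and GeoLocation.country_name, and the placeholder HOME_IP, are assumptions), drops a known source IP, and also tallies source IPs within each country, which is the view used later for the UK entries.

```python
from collections import Counter, defaultdict

# Field names (rule.groups, data.srcip, data.srcuser, GeoLocation.country_name)
# follow the Wazuh alerts.json layout as I understand it; treat them as an
# assumption and adjust if your alert schema differs.
HOME_IP = "198.51.100.9"  # placeholder for the analyst's own test source IP


def _alert(src, user, country=None, groups=("syslog", "sshd")):
    """Build one constructed Wazuh-style alert (sample data, not real events)."""
    a = {"rule": {"groups": list(groups)}, "data": {"srcip": src, "srcuser": user}}
    if country:
        a["GeoLocation"] = {"country_name": country}
    return a


SAMPLE_ALERTS = [
    _alert("203.0.113.7", "sysadmin", "United States"),
    _alert("203.0.113.7", "sysadmin", "United States"),
    _alert("203.0.113.20", "admin", "Singapore"),
    _alert(HOME_IP, "ubuntu", "United Kingdom"),          # analyst's own test run
    _alert("192.0.2.10", "admin", "United Kingdom"),
    _alert("192.0.2.10", "admin", "United Kingdom"),
    _alert("203.0.113.99", "root"),                       # GeoIP lookup failed
    _alert("203.0.113.5", "root", "Germany", groups=("pam",)),  # not sshd
]


def summarise_ssh_alerts(alerts, exclude_ips=frozenset()):
    """Count sshd alerts by country, by attempted username and by source IP
    per country, dropping any source in exclude_ips (the analyst's own IP)."""
    by_country, by_user = Counter(), Counter()
    ips_by_country = defaultdict(Counter)
    for alert in alerts:
        if "sshd" not in alert.get("rule", {}).get("groups", []):
            continue
        data = alert.get("data", {})
        src = data.get("srcip")
        if src in exclude_ips:
            continue
        # Events the GeoIP lookup could not place land in "Unknown".
        country = alert.get("GeoLocation", {}).get("country_name", "Unknown")
        by_country[country] += 1
        by_user[data.get("srcuser", "<none>")] += 1
        ips_by_country[country][src] += 1
    return {"by_country": by_country, "by_user": by_user,
            "ips_by_country": ips_by_country}


if __name__ == "__main__":
    s = summarise_ssh_alerts(SAMPLE_ALERTS, exclude_ips={HOME_IP})
    for country, hits in s["by_country"].most_common():
        print(f"{country:15} {hits:3}  {dict(s['ips_by_country'][country])}")
    print("top usernames:", s["by_user"].most_common(3))
```

On a real deployment, feed it the sshd alerts exported from the Wazuh indexer instead of SAMPLE_ALERTS; the exclusion set is where any test or monitoring IPs of your own belong.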

By default, SSH servers don’t log passwords for security reasons, so unless you set up something custom to capture them, that information won’t be available. For monitoring password attempts, Cowrie comes recommended as the most effective tool. It’s the modern successor to Kippo, offering a more realistic fake filesystem, better SSH emulation, and active maintenance to keep up with current attack methods. While T-Pot is another option, it’s more of an all-in-one honeypot platform designed to cover multiple protocols and attack surfaces—ideal for broader research.
Of course, all this information about SSH attacks from various countries should be taken with a pinch of salt. Just because an IP is geolocated to a certain region doesn’t mean that’s where the attacker is actually based. Threat actors often spin up virtual machines in different cloud regions or use compromised servers to relay traffic, making it easy to mask their real location.
Let's dig a bit deeper into the 352 instances of attacks noted as coming from UK-based IP ranges. As previously noted, 16 attempts were from my IP, so these can be discounted:
195.178.110.50 - 120 attempts - https://ipinfo.io/195.178.110.50
185.93.89.118 - 160 attempts - https://ipinfo.io/185.93.89.118
195.178.110.76 - 56 attempts - https://ipinfo.io/195.178.110.76
If you follow the ipinfo links for each, you'll note that the IP geolocation is actually in the Netherlands and not the UK. IPinfo shows 195.178.110.50 as geolocated to the Netherlands, but the AS/organization info shows NetDesign Hostmaster, based in London, UK. So even though the company is London-based, the infrastructure serving this IP might be physically hosted in (or routed through) a Dutch data center. This is common with ISPs and hosting providers that operate across Europe.

So while geolocation provides some useful context, it's far from definitive. However, it's still a worthwhile exercise: it can help paint a bigger picture by identifying patterns, spotting trends and even flagging outliers. If you suddenly see a surge in SSH attempts from regions you rarely see, that alone can trigger deeper investigation. It's all part of building situational awareness — and when combined with other telemetry like usernames, tools used or timing, it can be a powerful layer in your detection strategy.