Both of these services support sending IP addresses via an API endpoint and can handle up to 500k IP addresses. You can also share the report via URL.
I highly recommend the following commands:
- grepip: extract IP addresses from text.
- summarize: The command summarizes the IP addresses and provides output in text. It is different than the summary tool I mentioned.
- bulk: Bulk/batch enrich IP address. Output can be CSV or JSON.
If you need any help or want me to take a look at those IP addresses (or ASNs and organizations), please create a post on the IPinfo community. I can share the code and instructions with you.
ISP: ChinaNet Jiangsu Province Network
Domain Name: chinatelecom.com.cn
Continue to be the source of thousands of ssh password login attempts for years and years on end.
It's not a big deal, I use a tarpit on all ssh with 2FA on the one I use, but it seems ridiculous that some participants of the internet don't give a shit about the rest of the world.
Previous HN discussion for brute.fail [2].
Amusingly I recognize those IPs by that specific prefix as well, basically that entire /24 (at the very least) appears to be an absolutely massive source of the SSH login attempts.
Small world, I guess
Basically the entire ASN, they let abusers run wild, and if you look at Cloudflare's stats there's more bot traffic than human traffic!
A lot of the bigger ASNs (unicom, china mobile, etc.) in China are the same, totally unresponsive to abuse reports
Of course, the probability of someone getting arrested for logging into your SSH server is as close to 0 as you can possibly get, but that doesn't make it legal.
> I use a tarpit on all ssh
I would love to hear more about your approach, if that's not sensitive. My Gmail username is the same as my HN username if you prefer. Thank you!
It is commonly thought that they do nothing, but they seem to keep TCP connections open for quite a long time. I assume a hand-written scanning client could detect and mitigate the delay, but it's going to hold open the sessions on the firewall exit on the other side. If there are enough of these, maybe someone might do something.
Makes me smile when I look at the logs, that's enough for me.
It's been covered quite a bit here on HN.
Many companies that do not have business in countries known for their abundance of bad actors will block their IP ranges right away.
Nowadays hackers worth their salt will make use of botnets and VPNs located at more "friendly" countries.
> I was surprised to see that the distribution of attacks is extremely uneven with most of it concentrated in parts of Asia, Europe, and the US, and (almost) none from South America, Middle East, and Russia.
Aside from the casual stereotyping of bad actors here, the article completely neglects the fact that just because the attack is sourced from a certain IP/geolocation doesn't mean that the attacker resides in that location.
What you most likely have is a list of pwned PCs with fast internet connections being used in botnets.
When I ran public servers a few years ago, I saw similar results. Since the company had no customers in Asia, we IP-blocked the entire continent.
A proper firewall port-knock set interleaved with 5-day ban tripwire port rules is effective at mitigating distributed brute-forcing. However, an ssh route whitelist rule set with SSL or iodine tunnel traffic priority is probably more important (when someone saturates the bandwidth trying to starve your session off the server).
Have a great day =)
The implementation by Moxie seems interesting, but needless to say that Python 2 is an instant no-go: https://github.com/moxie0/knockknock
It hasn't been updated in 12 years, so why is it that there seems almost no real interest in a solid port knocking implementation?
VPN, other server, mobile hotspot... No need to leave the house.
Are these because the bad guys are in there or just because of the population size?
China, India, the US, and Indonesia are the top four most populous countries and also the 4 countries with the most internet users.
Even 10% of Indonesian internet users is almost the entire Taiwan population.
That could be a couple of "relaxed" ISPs, I suppose. I doubt it's a question of different national legislation.
Yes
2. Run botnet that tries all these keys on the entire Internet.
3. Profit!
*Flock because of the Cloud? What is the appropriate noun for many repos?
Is the information in the article actionable? E.g. can I complain to someone with authority?
Specifically, in Germany, the central-ish cluster of dots is in the Frankfurt area, which is also the location of DE-CIX, one of the world's largest internet exchange points, and of roughly 1/3 of all datacenters in Germany.
So I think rather than comparing the IP locations with population density, it would be even more interesting to compare them with the location of internet infrastructure. This is of course correlated, and probably harder to find as an open dataset.
I guess the distribution could reflect places with lower income levels looking to get free compute (for whatever purposes)? A lot are coming out of places where the relative cost of compute compared to income may be too high; alternately, they may not have access to accepted payment methods?
For the servers coming from the US and developed East Asia it could be already cyber companies doing scanning to find clients, or already compromised servers?
I guess you could block the main country offenders but you'd have to pay an API to keep up with the IP allocations to be sure.
My prefix is dynamic. If it was static it would be more secure.
And also I have fail2ban for good measure.
This approach does require some client side hacking, though either in the form of SSH config, or in the form of a split horizon DNS so you can easily access your server, but that's no different from alternatives such as port knocking or simply altering the SSH port.
Of course, now your attack surface includes Tailscale, which has had its own vulns in the past, but I think blocking all public traffic ends up being much stronger than any weaknesses Tailscale may introduce.
Is it "security through obscurity", assuming fewer people are attacking VPN protocols than SSH? And I'm not sure that's even true.
Also, it's a bit tricky to set up but port knocking is a very effective solution, and you can keep the SSH on port 22 if you like.
ufw is the first thing I install, even on a "private" network and here's why.
I recently installed a router with IPv4 and IPv6. I later found out that IPv6 was globally addressed with no firewall.
Always run ufw and begin by shutting off everything to the internet, then only open up what you need.
For ssh changing the port to something else usually takes out 99% of bots.
When you arrive at the new location, call the API to open up the new address.
Here is the API on AWS https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_A...
Alternatively run a VPN or TailScale
Using firewall rules on the hosts is like a fake firewall. Stuff on the hosts can override those rules. Like docker. After all, the host is actually receiving the traffic.
A router isn't a firewall. Lesson learnt: don't assume any "router" device is also a firewall. Last I heard about half of ISP issued routers don't run any kind of stateful firewall for IPv6. The only reason they do for IPv4 is NAT.
The firewall is a kernel config. If configured properly, no app can bypass it.
A router that includes a firewall is a firewall. In my case the firewall was broken.
Crazy! What brand router was this? I've never seen an IPv6 capable router configured to permit all traffic by default.
The reason this crap ends up in botnets is because it suits retail ISPs to have a common password for their own access. I've found that password on a forum and used it to get higher privileges than I had with my own login. And yeah, web management over the WAN was enabled by default.
Also, if there is a ground-up explanation of firewall rules, their uses and misuses, and illustrative examples, I'd love if people could share.
Here's a good cookbook-style guide on ufw https://www.digitalocean.com/community/tutorials/how-to-set-...
If you own a public website, you can take advantage of IPinfo's creditlink system and get up to 100K requests per month: https://ipinfo.io/contact/creditlink.
Also, our summary tool and map tool are free and do not require you to sign up. You can take advantage of them as well. They support up to 500k IP submissions.
Additionally, the free country ASN database provides unlimited requests, as it is just a database. Use the MMDB version of the database and the IPinfo CLI.
I understand you probably have a system in place, but please ping me if you need any assistance, especially with using our free IP database.
There are reasons to lock down your SSH port (fear of exploitation of the SSH software, like in the xz backdoor scenario) but I generally wouldn't worry too much about all the failed login attempts in your SSH log, as long as you're using secure enough login credentials.
It's essentially a manual firewall for when I disable ufw if it's being too aggressive:
[bauruine@tp:projects/misc]$ python check_ip_tor.py /tmp/malicious_ips.txt
Got a total of 6303 malicious IPs
Of which 15 are Tor relays
Edit: Small addendum here are the worst 5 ASNs. 1607 TENCENT-NET-AP-CN
738 DIGITALOCEAN-ASN
483 KIXS-AS-KR
205 GOOGLE-CLOUD-PLATFORM
115 OVH
...of the attacking IP address, not attacker...
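An offline version of the grepip/summarize workflow recommended earlier in the thread and of the per-ASN roll-up shown in this comment's output, as an added example that is not from the thread, the check_ip_tor.py script, or ipinfo: it parses constructed sshd log lines, counts failed password attempts per source, collapses them to /24 (IPv4) and /64 (IPv6) prefixes, and rolls them up through a constructed prefix-to-ASN map that stands in for a real offline database such as the MMDB file mentioned above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation ranges, not real attackers).
SAMPLE_LOG = """\
Mar 10 03:14:07 host sshd[1201]: Failed password for root from 203.0.113.17 port 51234 ssh2
Mar 10 03:14:09 host sshd[1201]: Failed password for invalid user admin from 203.0.113.17 port 51240 ssh2
Mar 10 03:14:12 host sshd[1203]: Failed password for root from 203.0.113.88 port 40011 ssh2
Mar 10 03:15:01 host sshd[1210]: Accepted publickey for alice from 198.51.100.5 port 55001 ssh2
Mar 10 03:15:30 host sshd[1215]: Failed password for root from 2001:db8::1 port 33000 ssh2
Mar 10 03:16:02 host sshd[1220]: Failed password for invalid user test from 192.0.2.200 port 60000 ssh2
Mar 10 03:16:05 host sshd[1220]: Failed password for invalid user test from 192.0.2.200 port 60001 ssh2
"""

# Constructed prefix -> ASN map; a stand-in for an offline ASN database lookup.
ASN_MAP = {
    "203.0.113.0/24": "AS64500 EXAMPLE-NET-1",
    "192.0.2.0/24": "AS64501 EXAMPLE-NET-2",
    "2001:db8::/32": "AS64502 EXAMPLE-V6",
}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def grepip_failed(log_text):
    """Return (user, ip) pairs for every failed password attempt (the grepip step)."""
    return [(m.group(1), ipaddress.ip_address(m.group(2)))
            for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]


def lookup_asn(ip):
    """Longest-match-free lookup against the constructed map; 'unknown' if no prefix matches."""
    for prefix, asn in ASN_MAP.items():
        if ip in ipaddress.ip_network(prefix):   # False for mismatched IP versions
            return asn
    return "unknown"


def summarize(log_text, threshold=2):
    """Aggregate failures per IP, per /24 or /64 prefix, and per ASN; flag repeat offenders."""
    per_ip = Counter(ip for _, ip in grepip_failed(log_text))
    per_prefix = Counter(
        str(ipaddress.ip_network((ip, 24 if ip.version == 4 else 64), strict=False))
        for ip in per_ip.elements())
    per_asn = Counter()
    for ip, n in per_ip.items():
        per_asn[lookup_asn(ip)] += n
    ban_candidates = sorted(str(ip) for ip, n in per_ip.items() if n >= threshold)
    return {"failures": sum(per_ip.values()), "per_prefix": dict(per_prefix),
            "per_asn": dict(per_asn), "ban_candidates": ban_candidates}
```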
If I, living in a small EU country, wanted to "hack" my neighbour across the street, I sure as hell wouldn't use my home IP address, tied to my account at my ISP, which has my name and address.
I'd probably try to find an "IP" (VM, vpn, or whatever) in a country that's not really friendly about giving "ip address data" to our authorities.
On the other hand, I wouldn't use a Chinese IP in China, if I lived there and wanted to hack my neighbour over there.