- grepip: extract IP addresses from text.
- summarize: The command summarizes the IP addresses and provides output in text. It is different than the summary tool I mentioned.
- bulk: Bulk/batch enrich IP address. Output can be CSV or JSON.
If you need any help or want me to take a look at those IP addresses (or ASNs and organizations), please create a post on the IPinfo community. I can share the code and instructions with you.
I always wondered how the IPs like this 180.101.88.232 from this block:
ISP ChinaNet Jiangsu Province Network
Domain Name chinatelecom.com.cn
Continue to be the source of thousands of ssh password login attempts for years and years on end.
It's not a big deal, I use a tarpit on all ssh with 2FA on the one I use, but it seems ridiculous that some participants of the internet don't give a shit about the rest of the world.
Amusingly I recognize those IPs by that specific prefix as well, basically that entire /24 (at the very least) appears to be an absolutely massive source of the SSH login attempts.
It's not illegal to try to log in to an ssh server. Or many. Apart from that I think the map from the article is mostly matching the number of internet-connected devices per country/region. So I think you can replace "some" by "almost all" in your statement. I mean, find a vulnerable iot device, use it for scanning/botnet.
In what country? I suspect that given the intentions it would be a breach of the U.K. computer misuse act for example. Holding the perpetrator to the law is another matter of course.
Exactly. If I just nilly willy connect to your server, try a password and it works and I immediately disconnect, will that get me in trouble in the UK? That would be worrying.
The Theft Act 1968 defines theft as dishonest appropriation of “property belonging to another with the intention of permanently depriving the other of it” (and then waxes lyrical about what, exactly, that means: https://www.legislation.gov.uk/ukpga/1968/60/crossheading/de...). Just going by that law, I would say "it depends".
It is where I live. If I know your username and password, using those credentials knowing you didn't intend to share them would be a crime.
Of course, the probability of someone getting arrested for logging into your SSH server is as close to 0 as you can possibly get, but that doesn't make it legal.
Yes, I assumed it is an exit point of the great firewall or something like that, but they do so much packet inspection, they could easily block them. It's not like it's hard to see them.
The Great Firewall is about blocking Chinese citizens from accessing content the party doesn’t find palatable. Being a good neighbor to the rest of the world is out of scope for that project.
I run an N100 with LXD so I have a container running one of the many ssh tar pits and point 22 and a bunch other ports to it. It simulates an ssh login that very slowly sends ssh banner lines in the connection protocol, endlessly, until they disconnect.
It commonly thought that they do nothing, but they seem to keep TCP connections open for quite a long time. A assume a hand written scanning client could detect and mitigate the delay but it's going to hold open the sessions on the firewall exit on the other side. If there are enough of these maybe someone might do something.
Makes me smile when I look at the logs, that's enough for me.
Thanks. Yes, I have heard of such an approach, I did not know that it is called a tarpit. I just googled the idea and found Endlessh, I'll try it. Thank you.
It's been a couple decades since I adminned servers and firewalls. In my experience, in the early 2000's, Russian IPs were extremely common. I was surprised that OP didn't see even one. Can anyone conjecture on what might account for the apparent change?
These kinds of experiments get even more interesting when you also pipe the IPs into Shodan and find out that a lot of the malicious login attempts are coming from pwned DVRs and other devices.
> Upon closer inspection of Asia, we can notice a significant number of addresses located in South Kora, (and possibly North Korea?), as well as in Taiwan.
> I was surpised to see that the distribution of attacks is extremely uneven with most of it concentrated in parts of Asia, Europe, and the US, and (almost) none from South America, Middle East, and Russia.
Aside from the casual stereotyping of bad actors here, the article completely neglects the fact that just because the attack is sourced from a certain IP/geolocation doesn't mean that the attacker resides in that location.
What you most likely have is a listed of pwned PCs with fast internet connections being used in botnets.
Not seeing how this is stereotyping. He is just presenting his results. Whether those results stem from direct attacks or botnets? He doesn't even speculate.
When I ran public servers a few years ago, I saw similar results. Since the company had no customers in Asia, we IP-blocked the entire continent.
I found the information about the attackers’ quite interesting, because it also seems to disagree with Cloudflare data and my personal experience[1] which shows the US to be the largest originator of attacks.
I always install fail2ban on publicly exposed machines, especially if ssh is enabled. It won't block new malicious IPs but at least it will stop bruteforce attacks coming from each IP
Sure, but most people have had do the walk of shame to a local coffee shop when someone inevitably trips the ban on your own network.
A proper firewall port-knock set interleaved with 5 day ban tripwire port rules is effective at mitigating distributed brute-forcing. However, a ssh route whitelist rule set with SSL or iodine tunnel traffic priority is probably more important (when someone saturates the bandwidth trying to starve your session off the server).
Port knocking is one of those things that sound like a good idea, but there are many possible footguns. And why is it that there is no one consensus (or "blessed") implementation?
If your hobby firewall rule-set compiler is perl based than custom trigger rules are rather trivial.
For a random example, most of these ports will just bind to the default web-server (mitigates loopback attacks etc.):
2021 //tripwire 5 day ban, delay 30s
2022 //SSL tunnel for SSH port on VM, with client source-port range restriction.
2023 //tripwire 5 day ban
2024 //tripwire 5 day ban, delay 130s
2025 //tripwire 5 day ban
2026 //trigger 1: enable trigger 2 for specific IP, 5 second delay to open
2027 //tripwire 5 day ban
2028 //trigger 2: enable trigger 3 for specific IP, 4 second delay to open
2029 //tripwire 5 day ban, delay 19s
2030 //tripwire 5 day ban
2031 //trigger 3: close trigger 2, enable SSL tunnel port for specific IP in 1 second
2032 //tripwire 5 day ban
2033 //close all ports for this client IP, and reset trigger states in 1 second
2034 //tripwire 5 day ban
I think the lack of popularity comes from the ease of locking oneself out (initially manual starting a firewall during configuration without rule caching is wise), and lack of client-side automated handshaking scripts on non-*nix systems.
Someone should put together a little tutorial given many people seem to have lost this simple skill-set. Most people tend to ignore fail2ban integration options like banning game cheats.
Two of your three points don't apply to Moxie's and some other implementations, for example Singe Packet Authentication. You can have sufficient bits, and it doesn't have to be cleartext. Maybe it's technically not port knocking anymore, but it's the same idea.
And it's not about adding more bits to your authentication, it's about vulnerabilities that can be exploited without authentication, like the recent xz backdoor debacle. Port knocking would defend against that, longer keys would not.
This has all been pointed out to you in the thread you linked.
> Maybe it's technically not port knocking anymore, but it's the same idea.
At that point, it’s equivalent to a point-to-point VPN, which is the same as IPSec transport mode. Which is what you ought to be using instead of port knocking, if your threat model includes 0-day vulnerabilities in public-facing services like SSH.
Fun. You could also try putting the data into Google's data studio (now looker) to visualize them in an interactive map you can publish. Add things like size of dot corresponding to number of attempts, add reverse DNS/whois info to the info bubble, etc. Wonder how much came from residential vs business ip space.
I doubt most of these scans come from the attackers network. This is probably just a map of where the poorly secured CCTV cameras and IoT washing machines are.
I was surpriswed at the sharp concentration of addresses in the Netherlands. It looks as if it's a matter of national boundaries - thee's no concentration in Germany or Belgium.
That could be a couple of "relaxed" ISPs, I suppose. I doubt it's a question of different national legislation.
A few years ago I've built a more simple visualization similar to this one with the attacks on the host the application was already deployed: https://github.com/ludovicianul/geolog. China was mostly leading, but there were many from US and Europe.
It could be key spraying, maybe targeting a particular organization with distributed infrastructure for which the attacker already has some keys, but more likely groups blasting default keys (i.e. for some crappy IoT devices that included them in the firmware etc) for a nice & quick botnet.
Holy moly! That explains why I frequently get captcha when using residential internet in Jakarta. I don't see those captcha when accessing from e.g. Kuala Lumpur or Singapore.
Is the information in the article actionable? E.g. can I complain to someone with authority?
As others have pointed out, the location of the IP address does not necessarily correspond with the location of the attackers.
Specifically, in Germany, the central-ish culster of dots is in the Frankfurt area, which is also the location of DE-CIX, one of the world's largest internet exchange points, and of roughtly 1/3 of all datacenters in Germany.
So I think rather than comparing the IP locations with population density, it would be even more interesting to compare them with the location of internet infrastructure. This is of course correlated, and probably harder to find as an open dataset.
This was cool. The makings of an adhoc DIY cyber intelligence dashboard.
I guess the distribution could reflect places with lower income levels looking to get free compute? (for whatever purposes). A lot are coming out of places where relative cost of compute compared to income, may be too high, alternately there may not have access to accepted payment methods?
For the servers coming from the US and developed East Asia it could be already cyber companies doing scanning to find clients, or already compromised servers?
If you're lucky enough to have a big ISP with a single big block of IP addresses that never changes you can disallow all other ranges on your VPS admin ports and only have to worry about VPNing through that ISP.
I guess you could block the main country offenders but you'd have to pay an API to keep up with the IP allocations to be sure.
Another advantage of IPv6, if implemented well by the hosting provider (i.e. they assign you a /64 or larger), is that you can pick a random IP address from a pool of billions to host your SSH server on. There's a tiny chance of accidentally conflicting with another service if you're provisioning your addressing using SLAAC, but that chance is low enough that I'm willing to risk it. Scanning the entire IPv6 internet isn't very feasible for automated tools because of how large the IP space is.
This approach does require some client side hacking, though either in the form of SSH config, or in the form of a split horizon DNS so you can easily access your server, but that's no different from alternatives such as port knocking or simply altering the SSH port.
Or alternatively, block port 22 entirely on your firewall and use something like Tailscale to access the machine.
Of course, now your attack surface includes Tailscale, which has had it's own vulns in the past, but I think blocking all public traffic ends up being much stronger than any weaknesses Tailscale may introduce.
Isn't that just the same thing in different clothes? Just a different protocol offering the same features of authentication and encryption - often using exactly the same primitives?
Is it "Security through obscurity" assuming fewer people are attacking vpn protocols that than ssh? And I'm not sure that's even true
Introducing obscurity to the process doesn't make it insecure. Criticism of "security through obscurity" is that security shouldn't rely on obscurity. The system should remain secure even if the attacker knows every detail of your system. Here the point of the "obscurity" (if you can call it that) is to avoid blowing up your logs and wasting compute cycles and energy on attempts that will fail anyway.
Well, if you want to connect to your home LAN from your phone anywhere in the world you either need SSH or some VPN port opened either. Alternatively you can use some SaaS server where everything initiate the connection against the remote SaaS endpoint, but if you want to stay 100% local you need to open a port.
For ssh changing the port to something else usually takes out 99% of bots.
Using firewall rules on the hosts is like a fake firewall. Stuff on the hosts can override those rules. Like docker. After all, the host is actually receiving the traffic.
A router isn't a firewall. Lesson learnt: don't assume any "router" device is also a firewall. Last I heard about half of ISP issued routers don't run any kind of stateful firewall for IPv6. The only reason they do for IPv4 is NAT.
Mate. The shit that a retail ISP will send to the punters. Adjust your expectations sharply downward.
The reason this crap ends up in botnets is because it suits retail ISPs to have a common password for their own access. I've found that password on a forum and used it to get higher privileges than I had with my own login. And yeah, web management over the WAN was enabled by default.
Hey, a question: I also use ufw because I don't understand firewall rules properly. Is there a benefit for me, a desktop user who would like to set up a tiny home network and possibly setup an SSH server to connect from afar, to delve into iptables/nftables instead? I tried once, but couldn't understand how the rules work.
Also, if there is a ground-up explanation of firewall rules, their uses and misuses, and illustrative examples, I'd love if people could share.
I automate the hell out of packet capture, using the max ipinfo free tier each month... graph db... I cluster packets, organization dossier, and other collections of data as embeddings. Helps cut noise and identify anomalies faster.
I hope you are not being limited by our (IPinfo) free tier request limit in any way.
If you own a public website, you can take advantage of IPinfo's creditlink system and get up to 100K requests per month: https://ipinfo.io/contact/creditlink.
Also, our summary tool and map tool are free and do not require you to sign up. You can take advantage of them as well. They support up to 500k IP submissions.
Additionally, the free country ASN database provides unlimited requests, as it is just a database. Use the MMDB version of the database and the IPinfo CLI.
I understand you probably have a system in place, but please ping me if you need any assistance, especially with using our free IP database.
So this made me realise where I could find the SSH log file, and I spent a little while panicking at just how many attempts I've been getting on my webserver, and locking things down just a little harder out of paranoia
If you use a good password (meaning a unique, randomly generated one), or disable password login and use private keys only, your chances of getting hacked by any of these are abysmally small.
There are reasons to lock down your SSH port (fear of exploitation of the SSH software, like in the xz backdoor scenario) but I generally wouldn't worry too much about all the failed login attempts in your SSH log, as long as you're using secure enough login credentials.
People have been having this experience for ages. The first time you look at access/security logs for an internet-connected server, your jaw hits the floor, you get very curious about who all those bad people are, and you start worrying whether you're doing enough to keep them out.
I have been doing similar, albeit less complex analysis, of incoming malicious, and it's always surprising the amount of relentless attacks. Any good practices to maintain a secure online server?
No root login, no password login, public key only. This should make ~100% of ssh attacks futile. If you don't want to see many failed login attempts in your logs, listening on a completely random 5 digit port and has worked well for me. You can specify the port in ~/.ssh/config so you don't have to type it every time you log in.
Anyone who has run an SSH server on the default port knows that you’ll get hundreds or thousands of login attempts per day. Changing the port to something less obvious and running fail2ban is enough to mitigate most of it. They’re just looking for low hanging fruit.
Changing the default port - yeah, works wonders for reducing noise. But I don't understand why people run fail2ban. Nobody is going to be brute forcing a ssh login, all it does is add another moving part very close to a security boundary for very little gain.
Have you recently run a server? It takes a week-month before your ssh port is published on shodan/binaryedge/censys/criminalIP and other dodgy scanners.. and then you can expect constant attention, and yes.. 14691 attempted logins for every username possible (even though password login is turned off) from the same IP (usually a VPN, tor exit, or "crowdsourced VPN")
If I, living in a small EU country, wanted to "hack" my neighbour across the street, I sure as hell wouldn't use my home IP address, tied to my account at my ISP, which has my name and address.
I'd probably try to find an "IP" (VM, vpn, or whatever) in a country that's not really friendly about giving "ip address data" to our authorities.
On the other hand, I wouldn't use a chinese IP in china, if I lived there and wanted to hack my neighbour over there.
what, you would prefer it used chatGPT instead? every single article posted here is pretty much an ad. some are just less subtle. whether it was paid for ad or word of mouth, it's still adverstising
> How is it ok that if you use the internet, you, as a low trust society member, magically get access to a wealthier high trust society full of "suckers".
The internet is the greatest leveler. Don't hate the player, hate the game. If someone is a "low" trust society member and made a contribution to the entire network, we ALL benefit.
Also, isolating doesn't do shit because the big tech would like to monitor you solely for themselves (i.e. Tiktok).
Both of these services support sending IP addresses via an API endpoint and can handle up to 500k IP addresses. You can also share the report via URL.
reply