Original post is here: eklausmeier.goip.de
In the year 2020 in the blog post Chinese Hackers I noticed that China tries the most to hack my Linux machines. These attempts look like this:
```
$ lastb
a ssh:notty 209.97.163.130 Tue Mar 5 13:07 - 13:07 (00:00)
sftpuser ssh:notty 93.123.39.2 Tue Mar 5 13:05 - 13:05 (00:00)
sftpuser ssh:notty 93.123.39.2 Tue Mar 5 13:05 - 13:05 (00:00)
hzp ssh:notty 43.156.241.167 Mon Mar 4 18:19 - 18:19 (00:00)
hzp ssh:notty 43.156.241.167 Mon Mar 4 18:19 - 18:19 (00:00)
root ssh:notty 8.219.249.208 Mon Mar 4 18:17 - 18:17 (00:00)
mheydary ssh:notty 118.178.132.93 Mon Mar 4 12:35 - 12:35 (00:00)
mheydary ssh:notty 118.178.132.93 Mon Mar 4 12:34 - 12:34 (00:00)
ftp1user ssh:notty 143.255.140.241 Mon Mar 4 12:34 - 12:34 (00:00)
ftp1user ssh:notty 143.255.140.241 Mon Mar 4 12:34 - 12:34 (00:00)
panisa ssh:notty 139.224.200.60 Mon Mar 4 11:13 - 11:13 (00:00)
panisa ssh:notty 139.224.200.60 Mon Mar 4 11:13 - 11:13 (00:00)
sina ssh:notty 129.226.158.202 Mon Mar 4 10:45 - 10:45 (00:00)
sina ssh:notty 129.226.158.202 Mon Mar 4 10:44 - 10:44 (00:00)
hadoop ssh:notty 129.226.152.121 Mon Mar 4 10:43 - 10:43 (00:00)
```
In 2020 I used fail2ban. Since 2021 I have used SSHGuard. It uses far fewer resources. See Analysis And Usage of SSHGuard.
I ran a quick analysis of which country is the most aggressive penetrator.
1. Collecting IP addresses. SSHGuard filters the offending intruder via ipset.
```
$ ipset list > i1
```
This collects all IP addresses.
Now I run these IP numbers through geoiplookup:
```
$ for i in `perl -ne 'print $1."\n" if /^(\d+\.\d+\.\d+\.\d+)\s+/' i1`; do geoiplookup $i >> i3; done
```
The resulting list looks like this:
```
$ head i3
GeoIP Country Edition: CN, China
GeoIP Country Edition: HK, Hong Kong
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: PE, Peru
GeoIP Country Edition: CA, Canada
GeoIP Country Edition: CN, China
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: KE, Kenya
```
2. Sorting according to frequency.
```
cut -d: -f2 i3 | sort | uniq -c | sort -rn
```
The top 20 offenders are:
```
4228 CN, China
3175 US, United States
2142 SG, Singapore
1596 KR, Korea, Republic of
1042 DE, Germany
 980 IN, India
 755 HK, Hong Kong
 661 BR, Brazil
 566 RU, Russian Federation
 522 VN, Vietnam
 471 ID, Indonesia
 453 JP, Japan
 403 FR, France
 396 NL, Netherlands
 354 GB, United Kingdom
 313 IR, Iran, Islamic Republic of
 307 CA, Canada
 279 TW, Taiwan
 236 AU, Australia
 173 TH, Thailand
```
Graphically this looks like this:
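The two steps above (collecting the blocked addresses and counting countries) can also be written as two small functions. This is an added example, not code from the original post: it reads only member lines of each set, keeps entries listed with a /prefix or trailing options (the Perl pattern above needs whitespace directly after the address, so a /prefix entry is skipped), and counts lookups that return no country as "unknown". The sample `ipset list` and `geoiplookup` output, including the set names, is constructed.

```shell
#!/usr/bin/env bash
# Added example. All sample data below is constructed (documentation
# address ranges); the set names are assumptions, not taken from the post.
sample_ipset() { cat <<'EOF'
Name: sshguard4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Number of entries: 3
Members:
192.0.2.10
203.0.113.0/24
198.51.100.7 timeout 600

Name: sshguard6
Type: hash:net
Header: family inet6 hashsize 1024 maxelem 65536
Number of entries: 1
Members:
2001:db8::1
EOF
}
sample_geoip() { cat <<'EOF'
GeoIP Country Edition: CN, China
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: CN, China
GeoIP Country Edition: IP Address not found
EOF
}
# Print one IPv4 address per member line of `ipset list` output on stdin.
# Header lines and IPv6 members are skipped; a /prefix is stripped.
extract_ipv4() {
  awk '
    /^Name:/    { in_members = 0; next }   # a new set starts
    /^Members:/ { in_members = 1; next }   # entries follow this line
    in_members && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
      sub(/\/.*/, "", $1); print $1
    }'
}
# Read geoiplookup lines on stdin; print "count share% country", highest first.
tally_countries() {
  awk -F": " '
    { c = ($2 ~ /^[A-Z][A-Z], /) ? $2 : "unknown"; n[c]++; total++ }
    END { for (c in n) printf "%d %.1f%% %s\n", n[c], 100 * n[c] / total, c }
  ' | sort -k1,1nr -k3
}
sample_ipset | extract_ipv4      # on a live host: ipset list | extract_ipv4
sample_geoip | tally_countries   # on a live host: tally_countries < i3
```
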