Chinese Hackers #2

· klm's blog

Who tries to hack into my Linux machines? China is still the number one.

Original post is here: eklausmeier.goip.de

In 2020, in the blog post Chinese Hackers, I noticed that China makes the most attempts to hack my Linux machines. These attempts look like this:

$ lastb
a        ssh:notty    209.97.163.130   Tue Mar  5 13:07 - 13:07  (00:00)
sftpuser ssh:notty    93.123.39.2      Tue Mar  5 13:05 - 13:05  (00:00)
sftpuser ssh:notty    93.123.39.2      Tue Mar  5 13:05 - 13:05  (00:00)
hzp      ssh:notty    43.156.241.167   Mon Mar  4 18:19 - 18:19  (00:00)
hzp      ssh:notty    43.156.241.167   Mon Mar  4 18:19 - 18:19  (00:00)
root     ssh:notty    8.219.249.208    Mon Mar  4 18:17 - 18:17  (00:00)
mheydary ssh:notty    118.178.132.93   Mon Mar  4 12:35 - 12:35  (00:00)
mheydary ssh:notty    118.178.132.93   Mon Mar  4 12:34 - 12:34  (00:00)
ftp1user ssh:notty    143.255.140.241  Mon Mar  4 12:34 - 12:34  (00:00)
ftp1user ssh:notty    143.255.140.241  Mon Mar  4 12:34 - 12:34  (00:00)
panisa   ssh:notty    139.224.200.60   Mon Mar  4 11:13 - 11:13  (00:00)
panisa   ssh:notty    139.224.200.60   Mon Mar  4 11:13 - 11:13  (00:00)
sina     ssh:notty    129.226.158.202  Mon Mar  4 10:45 - 10:45  (00:00)
sina     ssh:notty    129.226.158.202  Mon Mar  4 10:44 - 10:44  (00:00)
hadoop   ssh:notty    129.226.152.121  Mon Mar  4 10:43 - 10:43  (00:00)

In 2020 I used fail2ban. Since 2021 I have used SSHGuard, which uses far fewer resources. See Analysis And Usage of SSHGuard.

I ran a quick analysis of which country is the most aggressive penetrator.

1. Collecting IP addresses. SSHGuard blocks the offending intruders via ipset, so its sets hold every address it has banned.

$ ipset list > i1

This dumps the contents of all ipsets, including the blocked addresses, into the file i1.

Now I run these IP numbers through geoiplookup:

$ for i in $(perl -ne 'print $1."\n" if /^(\d+\.\d+\.\d+\.\d+)\s+/' i1); do geoiplookup "$i" >> i3; done

The resulting list looks like this:

$ head i3
GeoIP Country Edition: CN, China
GeoIP Country Edition: HK, Hong Kong
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: PE, Peru
GeoIP Country Edition: CA, Canada
GeoIP Country Edition: CN, China
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: KE, Kenya

2. Sorting by frequency.

$ cut -d: -f2 i3 | sort | uniq -c | sort -rn
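The same two steps as one script, added here as an example and not the post's own code. It parses the raw `ipset list` dump instead of grepping dotted quads, so it also counts IPv6 members (the perl regex above matches IPv4 only) and copes with `timeout` annotations and CIDR members. The geolocation step is injectable: `stub_lookup` uses a small constructed prefix table so the script runs offline, and `geoip_cli_lookup` shows how to call the real geoiplookup binary instead (assumed installed together with its country database; IPv6 needs the geoiplookup6 binary). The set names and addresses in the sample are constructed.

```python
"""Rank SSHGuard-blocked addresses by country (added example, not from the post)."""
import ipaddress
import re
import subprocess
from collections import Counter
from typing import Callable, Iterator, Tuple

# Constructed sample of `ipset list` output: two sets named like SSHGuard's,
# one IPv4 and one IPv6, with and without member timeouts.
SAMPLE_IPSET_LIST = """\
Name: sshguard4
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 600
References: 1
Number of entries: 3
Members:
209.97.163.130 timeout 600
43.156.241.167
139.224.200.60 timeout 7200

Name: sshguard6
Type: hash:net
Revision: 7
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1200
References: 1
Number of entries: 2
Members:
2001:db8:1::2
2001:db8:2::7 timeout 600
"""

# A member line is "<addr>[/<prefixlen>][ timeout <seconds>]".
MEMBER_RE = re.compile(r"^(?P<addr>[0-9a-fA-F.:]+)(?:/(?P<plen>\d+))?(?:\s+timeout\s+\d+)?\s*$")

# Constructed stand-in for a GeoIP database: prefix -> "CC, Country".
COUNTRY_BY_PREFIX = {
    "209.97.163.0/24": "US, United States",
    "43.156.241.0/24": "SG, Singapore",
    "139.224.0.0/16": "CN, China",
    "2001:db8:1::/48": "CN, China",
    "2001:db8:2::/48": "DE, Germany",
}


def parse_ipset_list(text: str) -> Iterator[Tuple[str, ipaddress._BaseNetwork]]:
    """Yield (set_name, network) for every member of every set in an `ipset list` dump."""
    set_name, in_members = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            set_name, in_members = line.split(":", 1)[1].strip(), False
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False          # blank line separates one set from the next
        elif in_members:
            m = MEMBER_RE.match(line)
            if not m:
                continue                # tolerate member flags this regex does not know
            token = m.group("addr") + (f"/{m.group('plen')}" if m.group("plen") else "")
            yield set_name, ipaddress.ip_network(token, strict=False)


def stub_lookup(net: ipaddress._BaseNetwork) -> str:
    """Offline geolocation against the constructed COUNTRY_BY_PREFIX table."""
    for prefix, country in COUNTRY_BY_PREFIX.items():
        p = ipaddress.ip_network(prefix)
        if net.version == p.version and net.subnet_of(p):
            return country
    return "--, Unknown"


def geoip_cli_lookup(net: ipaddress._BaseNetwork) -> str:
    """Geolocation via the geoiplookup CLI, as in the post (needs the GeoIP country DB installed)."""
    tool = "geoiplookup" if net.version == 4 else "geoiplookup6"
    out = subprocess.run([tool, str(net.network_address)], capture_output=True, text=True, check=False).stdout
    # "GeoIP Country Edition: CN, China" -> "CN, China"
    return out.splitlines()[0].split(":", 1)[1].strip() if out else "--, Unknown"


def rank_countries(text: str, lookup: Callable[[ipaddress._BaseNetwork], str]):
    """Equivalent of `cut -d: -f2 | sort | uniq -c | sort -rn`, each blocked address counted once."""
    nets = {net for _, net in parse_ipset_list(text)}
    counts = Counter(lookup(n) for n in nets)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # On the real host replace SAMPLE_IPSET_LIST with the output of `ipset list`
    # (subprocess.run(["ipset", "list"], capture_output=True, text=True).stdout) and
    # stub_lookup with geoip_cli_lookup.
    for country, n in rank_countries(SAMPLE_IPSET_LIST, stub_lookup):
        print(f"{n:7d}  {country}")
```

The parser tracks the `Members:` section of each set rather than pattern-matching the whole file, so header lines such as `Number of entries:` can never be mistaken for addresses, and the set name is kept alongside each member in case you want to split the ranking into IPv4 and IPv6.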

The top 20 offenders are:

   4228  CN, China
   3175  US, United States
   2142  SG, Singapore
   1596  KR, Korea, Republic of
   1042  DE, Germany
    980  IN, India
    755  HK, Hong Kong
    661  BR, Brazil
    566  RU, Russian Federation
    522  VN, Vietnam
    471  ID, Indonesia
    453  JP, Japan
    403  FR, France
    396  NL, Netherlands
    354  GB, United Kingdom
    313  IR, Iran, Islamic Republic of
    307  CA, Canada
    279  TW, Taiwan
    236  AU, Australia
    173  TH, Thailand

Graphically this looks like this: