- grepip: extract IP addresses from text.
- summarize: The command summarizes the IP addresses and provides output in text. It is different than the summary tool I mentioned.
- bulk: Bulk/batch enrich IP address. Output can be CSV or JSON.
If you need any help or want me to take a look at those IP addresses (or ASNs and organizations), please create a post on the IPinfo community. I can share the code and instructions with you.
mianos 245 days ago [-]
I always wondered how the IPs like this 180.101.88.232 from this block:
ISP ChinaNet Jiangsu Province Network
Domain Name chinatelecom.com.cn
Continue to be the source of thousands of ssh password login attempts for years and years on end.
It's not a big deal, I use a tarpit on all ssh with 2FA on the one I use, but it seems ridiculous that some participants of the internet don't give a shit about the rest of the world.
ayewo 245 days ago [-]
That IP block (180.101.88.0/24) also makes a showing at the top of the stats [1] for https://brute.fail/
Amusingly I recognize those IPs by that specific prefix as well, basically that entire /24 (at the very least) appears to be an absolutely massive source of the SSH login attempts.
Small world, I guess
KomoD 244 days ago [-]
> basically that entire /24 (at the very least) appears to be an absolutely massive source of the SSH login attempts
Basically the entire ASN, they let abusers run wild, and if you look at Cloudflare's stats there's more bot traffic than human traffic!
A lot of the bigger ASNs (unicom, china mobile, etc.) in China are the same, totally unresponsive to abuse reports
iforgotpassword 245 days ago [-]
It's not illegal to try to log in to an ssh server. Or many. Apart from that I think the map from the article is mostly matching the number of internet-connected devices per country/region. So I think you can replace "some" by "almost all" in your statement. I mean, find a vulnerable iot device, use it for scanning/botnet.
chgs 245 days ago [-]
In what country? I suspect that given the intentions it would be a breach of the U.K. computer misuse act for example. Holding the perpetrator to the law is another matter of course.
iforgotpassword 244 days ago [-]
> given the intentions
Exactly. If I just nilly willy connect to your server, try a password and it works and I immediately disconnect, will that get me in trouble in the UK? That would be worrying.
chx 244 days ago [-]
1. mens rea probably applies
2. But if you make a stab at shoplifting and you are successful and give back the item, did you break the law?
I am not a lawyer I am just asking.
KomoD 244 days ago [-]
> But if you make a stab at shoplifting and you are successful and give back the item, did you break the law?
Well, yeah?
wizzwizz4 244 days ago [-]
The Theft Act 1968 defines theft as dishonest appropriation of “property belonging to another with the intention of permanently depriving the other of it” (and then waxes lyrical about what, exactly, that means: https://www.legislation.gov.uk/ukpga/1968/60/crossheading/de...). Just going by that law, I would say "it depends".
chgs 244 days ago [-]
Technically yes. You were trying to get unauthorised access to a server
But the law is never black and white. Programmers think the law is some code to run. It’s not.
jeroenhd 245 days ago [-]
It is where I live. If I know your username and password, using those credentials knowing you didn't intend to share them would be a crime.
Of course, the probability of someone getting arrested for logging into your SSH server is as close to 0 as you can possibly get, but that doesn't make it legal.
bongodongobob 244 days ago [-]
Yes it is, in the same way you can't just walk into someone's house if the door is unlocked. They might not press charges but they certainly could.
alephxyz 244 days ago [-]
You may want to familiarize yourself with the Computer Fraud and Abuse Act
wtfwhateven 243 days ago [-]
it is absolutely illegal
lithiumii 245 days ago [-]
If it's an ISP, maybe it's their crappy modems now part of a botnet.
userbinator 245 days ago [-]
Those probably belong to a CGNAT with many machines behind it.
mianos 245 days ago [-]
Yes, I assumed it is an exit point of the great firewall or something like that, but they do so much packet inspection, they could easily block them. It's not like it's hard to see them.
kube-system 245 days ago [-]
The Great Firewall is about blocking Chinese citizens from accessing content the party doesn’t find palatable. Being a good neighbor to the rest of the world is out of scope for that project.
dotancohen 245 days ago [-]
> I use a tarpit on all ssh
I would love to hear more about your approach, if that's not sensitive. My Gmail username is the same as my HN username if you prefer. Thank you!
mianos 245 days ago [-]
I run an N100 with LXD so I have a container running one of the many ssh tar pits and point 22 and a bunch other ports to it. It simulates an ssh login that very slowly sends ssh banner lines in the connection protocol, endlessly, until they disconnect.
It commonly thought that they do nothing, but they seem to keep TCP connections open for quite a long time. A assume a hand written scanning client could detect and mitigate the delay but it's going to hold open the sessions on the firewall exit on the other side. If there are enough of these maybe someone might do something.
Makes me smile when I look at the logs, that's enough for me.
It's been covered quite a bit here on HN.
dotancohen 245 days ago [-]
Thanks. Yes, I have heard of such an approach, I did not know that it is called a tarpit. I just googled the idea and found Endlessh, I'll try it. Thank you.
KomoD 244 days ago [-]
These tarpits have been around for a while now, do they even do anything anymore?
Or, it could mean there are a lot more devices in some places, and a lot of them may be vulnerable to becoming / are a part of botnets?
dools 245 days ago [-]
Some participants in the world don't give a shit about the rest of the world
chriscjcj 245 days ago [-]
It's been a couple decades since I adminned servers and firewalls. In my experience, in the early 2000's, Russian IPs were extremely common. I was surprised that OP didn't see even one. Can anyone conjecture on what might account for the apparent change?
johanbcn 245 days ago [-]
> Can anyone conjecture on what might account for the apparent change?
Many companies that do not have business in countries known for their abundance of bad actors will block their IP ranges right away.
Nowadays hackers worth their salt will make use of botnets and VPNs located at more "friendly" countries.
efnx 245 days ago [-]
The Russians are probably tunnelling through another connection or are steering a botnet.
channel_t 244 days ago [-]
These kinds of experiments get even more interesting when you also pipe the IPs into Shodan and find out that a lot of the malicious login attempts are coming from pwned DVRs and other devices.
dfex 245 days ago [-]
> Upon closer inspection of Asia, we can notice a significant number of addresses located in South Kora, (and possibly North Korea?), as well as in Taiwan.
> I was surpised to see that the distribution of attacks is extremely uneven with most of it concentrated in parts of Asia, Europe, and the US, and (almost) none from South America, Middle East, and Russia.
Aside from the casual stereotyping of bad actors here, the article completely neglects the fact that just because the attack is sourced from a certain IP/geolocation doesn't mean that the attacker resides in that location.
What you most likely have is a listed of pwned PCs with fast internet connections being used in botnets.
bradley13 245 days ago [-]
Not seeing how this is stereotyping. He is just presenting his results. Whether those results stem from direct attacks or botnets? He doesn't even speculate.
When I ran public servers a few years ago, I saw similar results. Since the company had no customers in Asia, we IP-blocked the entire continent.
out-of-ideas 245 days ago [-]
the distribution looks spot on for what it used to look back in late 2000's as well from my collection of memories (minus south america, russia)
eddd-ddde 244 days ago [-]
Being surprised that there were more attacks from X countries as opposed to Y countries implies an expectation that there would be the opposite.
supriyo-biswas 245 days ago [-]
I found the information about the attackers’ quite interesting, because it also seems to disagree with Cloudflare data and my personal experience[1] which shows the US to be the largest originator of attacks.
That’s perfectly consistent with sources of bad actor data I have access to and compile myself.
midnight_shaman 245 days ago [-]
I always install fail2ban on publicly exposed machines, especially if ssh is enabled. It won't block new malicious IPs but at least it will stop bruteforce attacks coming from each IP
Joel_Mckay 245 days ago [-]
Sure, but most people have had do the walk of shame to a local coffee shop when someone inevitably trips the ban on your own network.
A proper firewall port-knock set interleaved with 5 day ban tripwire port rules is effective at mitigating distributed brute-forcing. However, a ssh route whitelist rule set with SSL or iodine tunnel traffic priority is probably more important (when someone saturates the bandwidth trying to starve your session off the server).
Have a great day =)
mr_mitm 245 days ago [-]
Port knocking is one of those things that sound like a good idea, but there are many possible footguns. And why is it that there is no one consensus (or "blessed") implementation?
It hasn't been updated in 12 years, so why is it that there seems almost no real interest in a solid port knocking implementation?
Joel_Mckay 244 days ago [-]
If your hobby firewall rule-set compiler is perl based than custom trigger rules are rather trivial.
For a random example, most of these ports will just bind to the default web-server (mitigates loopback attacks etc.):
2021 //tripwire 5 day ban, delay 30s
2022 //SSL tunnel for SSH port on VM, with client source-port range restriction.
2023 //tripwire 5 day ban
2024 //tripwire 5 day ban, delay 130s
2025 //tripwire 5 day ban
2026 //trigger 1: enable trigger 2 for specific IP, 5 second delay to open
2027 //tripwire 5 day ban
2028 //trigger 2: enable trigger 3 for specific IP, 4 second delay to open
2029 //tripwire 5 day ban, delay 19s
2030 //tripwire 5 day ban
2031 //trigger 3: close trigger 2, enable SSL tunnel port for specific IP in 1 second
2032 //tripwire 5 day ban
2033 //close all ports for this client IP, and reset trigger states in 1 second
2034 //tripwire 5 day ban
I think the lack of popularity comes from the ease of locking oneself out (initially manual starting a firewall during configuration without rule caching is wise), and lack of client-side automated handshaking scripts on non-*nix systems.
Someone should put together a little tutorial given many people seem to have lost this simple skill-set. Most people tend to ignore fail2ban integration options like banning game cheats.
Two of your three points don't apply to Moxie's and some other implementations, for example Singe Packet Authentication. You can have sufficient bits, and it doesn't have to be cleartext. Maybe it's technically not port knocking anymore, but it's the same idea.
And it's not about adding more bits to your authentication, it's about vulnerabilities that can be exploited without authentication, like the recent xz backdoor debacle. Port knocking would defend against that, longer keys would not.
This has all been pointed out to you in the thread you linked.
teddyh 243 days ago [-]
> Maybe it's technically not port knocking anymore, but it's the same idea.
At that point, it’s equivalent to a point-to-point VPN, which is the same as IPSec transport mode. Which is what you ought to be using instead of port knocking, if your threat model includes 0-day vulnerabilities in public-facing services like SSH.
AndroTux 244 days ago [-]
> Sure, but most people have had do the walk of shame to a local coffee shop when someone inevitably trips the ban on your own network.
VPN, other server, mobile hotspot... No need to leave the house.
Joel_Mckay 244 days ago [-]
In theory, remember some firewall policies ban most Tor, Proxy and cloud providers. There is always a way. ;)
mcoliver 245 days ago [-]
Fun. You could also try putting the data into Google's data studio (now looker) to visualize them in an interactive map you can publish. Add things like size of dot corresponding to number of attempts, add reverse DNS/whois info to the info bubble, etc. Wonder how much came from residential vs business ip space.
If he published that, people will try and make the new leaderboard.
ies7 245 days ago [-]
> Interesting! We can see the most locations in India, Indonesia, and China as well as a significant number in the US and Europe.
Are these because the bad guys are in there or just because of the population size?
China, India, US, and Indonesia are the top four of the most populous country and also 4 countries with most internet users.
Even the size of 10% of Indonesian internet users are almost the entire Taiwan population.
Gigachad 245 days ago [-]
I doubt most of these scans come from the attackers network. This is probably just a map of where the poorly secured CCTV cameras and IoT washing machines are.
denton-scratch 244 days ago [-]
I was surpriswed at the sharp concentration of addresses in the Netherlands. It looks as if it's a matter of national boundaries - thee's no concentration in Germany or Belgium.
That could be a couple of "relaxed" ISPs, I suppose. I doubt it's a question of different national legislation.
tomschlick 245 days ago [-]
> Are these because the bad guys are in there or just because of the population size?
Yes
ludovicianul 245 days ago [-]
A few years ago I've built a more simple visualization similar to this one with the attacks on the host the application was already deployed: https://github.com/ludovicianul/geolog. China was mostly leading, but there were many from US and Europe.
micw 245 days ago [-]
"Failed publickey" - does this make sense? What is the chance to brute-force a private key that way?
It could be key spraying, maybe targeting a particular organization with distributed infrastructure for which the attacker already has some keys, but more likely groups blasting default keys (i.e. for some crappy IoT devices that included them in the firmware etc) for a nice & quick botnet.
iforgotpassword 245 days ago [-]
1. Scrape GitHub et al for accidentally committed private keys, maybe even get the appropriate username.
2. Run botnet that tries all these keys on the entire Internet.
3. Profit!
ykonstant 245 days ago [-]
Why is GitHub not(?) hosting a flock of repos* with fake private keys/username pairs to annoy/deter those people?
*Flock because of the Cloud? What is the appropriate noun for many repos?
micw 245 days ago [-]
Very good points in the comments, thank you a lot!
wiradikusuma 245 days ago [-]
Holy moly! That explains why I frequently get captcha when using residential internet in Jakarta. I don't see those captcha when accessing from e.g. Kuala Lumpur or Singapore.
Is the information in the article actionable? E.g. can I complain to someone with authority?
Moru 245 days ago [-]
No, it's just a map of all hacked IoT devices in the world, it's not where the actual hacker is.
brazzy 244 days ago [-]
As others have pointed out, the location of the IP address does not necessarily correspond with the location of the attackers.
Specifically, in Germany, the central-ish culster of dots is in the Frankfurt area, which is also the location of DE-CIX, one of the world's largest internet exchange points, and of roughtly 1/3 of all datacenters in Germany.
So I think rather than comparing the IP locations with population density, it would be even more interesting to compare them with the location of internet infrastructure. This is of course correlated, and probably harder to find as an open dataset.
keepamovin 245 days ago [-]
This was cool. The makings of an adhoc DIY cyber intelligence dashboard.
I guess the distribution could reflect places with lower income levels looking to get free compute? (for whatever purposes). A lot are coming out of places where relative cost of compute compared to income, may be too high, alternately there may not have access to accepted payment methods?
For the servers coming from the US and developed East Asia it could be already cyber companies doing scanning to find clients, or already compromised servers?
unraveller 245 days ago [-]
If you're lucky enough to have a big ISP with a single big block of IP addresses that never changes you can disallow all other ranges on your VPS admin ports and only have to worry about VPNing through that ISP.
I guess you could block the main country offenders but you'd have to pay an API to keep up with the IP allocations to be sure.
miyuru 245 days ago [-]
I just use IPv6 and only allow my ISPs single /32 block. Its neat that IPv6 has cleaned the mess of IPv4 having different IP blocks all over.
My prefix is dynamic, If it was static it would be more secure.
And also I have fail2ban for good measure.
jeroenhd 245 days ago [-]
Another advantage of IPv6, if implemented well by the hosting provider (i.e. they assign you a /64 or larger), is that you can pick a random IP address from a pool of billions to host your SSH server on. There's a tiny chance of accidentally conflicting with another service if you're provisioning your addressing using SLAAC, but that chance is low enough that I'm willing to risk it. Scanning the entire IPv6 internet isn't very feasible for automated tools because of how large the IP space is.
This approach does require some client side hacking, though either in the form of SSH config, or in the form of a split horizon DNS so you can easily access your server, but that's no different from alternatives such as port knocking or simply altering the SSH port.
abound 245 days ago [-]
Or alternatively, block port 22 entirely on your firewall and use something like Tailscale to access the machine.
Of course, now your attack surface includes Tailscale, which has had it's own vulns in the past, but I think blocking all public traffic ends up being much stronger than any weaknesses Tailscale may introduce.
kimixa 245 days ago [-]
Isn't that just the same thing in different clothes? Just a different protocol offering the same features of authentication and encryption - often using exactly the same primitives?
Is it "Security through obscurity" assuming fewer people are attacking vpn protocols that than ssh? And I'm not sure that's even true
Introducing obscurity to the process doesn't make it insecure. Criticism of "security through obscurity" is that security shouldn't rely on obscurity. The system should remain secure even if the attacker knows every detail of your system. Here the point of the "obscurity" (if you can call it that) is to avoid blowing up your logs and wasting compute cycles and energy on attempts that will fail anyway.
dotancohen 245 days ago [-]
It allow SSH on another port. There are considerations when deciding to allow SSH on unprivileged ports.
Also, it's a bit tricky to set up but port knocking is a very effective solution, and you can keep the SSH on port 22 if you like.
tonymet 245 days ago [-]
why is ssh open to the internet to begin with?
ufw is the first thing I install, even on a "private" network and here's why.
I recently installed a router with IPv4 and IPV6. I later found out that IPv6 was globally addressed with no firewall.
Always run ufw and begin by shutting off everything to the internet, then only open up what you need.
Msurrow 245 days ago [-]
Perhaps because the VPS is hosted somewhere remote and (s)he needs to ssh into it. Why ask questions in such an arrogant manner to begin with.
tonymet 244 days ago [-]
then restrict IPs to the administrative network rather than the entire internet.
darkwater 245 days ago [-]
Well, if you want to connect to your home LAN from your phone anywhere in the world you either need SSH or some VPN port opened either. Alternatively you can use some SaaS server where everything initiate the connection against the remote SaaS endpoint, but if you want to stay 100% local you need to open a port.
For ssh changing the port to something else usually takes out 99% of bots.
tonymet 244 days ago [-]
Most VPS systems have an API to manage security group/ firewall.
When you arrive at the new location, call the API to open up the new address.
Using firewall rules on the hosts is like a fake firewall. Stuff on the hosts can override those rules. Like docker. After all, the host is actually receiving the traffic.
A router isn't a firewall. Lesson learnt: don't assume any "router" device is also a firewall. Last I heard about half of ISP issued routers don't run any kind of stateful firewall for IPv6. The only reason they do for IPv4 is NAT.
tonymet 244 days ago [-]
linux firewall (ufw or iptables) is used to restrict the client IP address range. It's best to restrict access to a limited network range .
the firewall is a kernel config. if configured properly no app can bypass
A router that includes a firewall is a firewall. In my case the firewall was broken.
jeroenhd 245 days ago [-]
> I later found out that IPv6 was globally addressed with no firewall.
Crazy! What brand router was this? I've never seen an IPv6 capable router configured to permit all traffic by default.
tonymet 244 days ago [-]
MSI. Many router vendors have sloppy configuration . It's always good to double check.
BenjiWiebe 244 days ago [-]
Me neither, and I've even checked an old ISP-provided router.
psd1 242 days ago [-]
Mate. The shit that a retail ISP will send to the punters. Adjust your expectations sharply downward.
The reason this crap ends up in botnets is because it suits retail ISPs to have a common password for their own access. I've found that password on a forum and used it to get higher privileges than I had with my own login. And yeah, web management over the WAN was enabled by default.
ykonstant 245 days ago [-]
Hey, a question: I also use ufw because I don't understand firewall rules properly. Is there a benefit for me, a desktop user who would like to set up a tiny home network and possibly setup an SSH server to connect from afar, to delve into iptables/nftables instead? I tried once, but couldn't understand how the rules work.
Also, if there is a ground-up explanation of firewall rules, their uses and misuses, and illustrative examples, I'd love if people could share.
I automate the hell out of packet capture, using the max ipinfo free tier each month... graph db... I cluster packets, organization dossier, and other collections of data as embeddings. Helps cut noise and identify anomalies faster.
reincoder 244 days ago [-]
I hope you are not being limited by our (IPinfo) free tier request limit in any way.
If you own a public website, you can take advantage of IPinfo's creditlink system and get up to 100K requests per month: https://ipinfo.io/contact/creditlink.
Also, our summary tool and map tool are free and do not require you to sign up. You can take advantage of them as well. They support up to 500k IP submissions.
Additionally, the free country ASN database provides unlimited requests, as it is just a database. Use the MMDB version of the database and the IPinfo CLI.
I understand you probably have a system in place, but please ping me if you need any assistance, especially with using our free IP database.
voidUpdate 245 days ago [-]
So this made me realise where I could find the SSH log file, and I spent a little while panicking at just how many attempts I've been getting on my webserver, and locking things down just a little harder out of paranoia
jeroenhd 244 days ago [-]
If you use a good password (meaning a unique, randomly generated one), or disable password login and use private keys only, your chances of getting hacked by any of these are abysmally small.
There are reasons to lock down your SSH port (fear of exploitation of the SSH software, like in the xz backdoor scenario) but I generally wouldn't worry too much about all the failed login attempts in your SSH log, as long as you're using secure enough login credentials.
denton-scratch 244 days ago [-]
People have been having this experience for ages. The first time you look at access/security logs for an internet-connected server, your jaw hits the floor, you get very curious about who all those bad people are, and you start worrying whether you're doing enough to keep them out.
opentokix 245 days ago [-]
This is literally built in, in most modern logging systems with visualization.
tetris11 245 days ago [-]
I'd recommend grepping "(Failed|Invalid)" to capture more IPs
mtekman 245 days ago [-]
I use the same pattern for my iptables banner.
It's essentially a manual firewall for when I disable ufw if it's being too aggressive:
I have been doing similar, albeit less complex analysis, of incoming malicious, and it's always surprising the amount of relentless attacks. Any good practices to maintain a secure online server?
zaik 244 days ago [-]
No root login, no password login, public key only. This should make ~100% of ssh attacks futile. If you don't want to see many failed login attempts in your logs, listening on a completely random 5 digit port and has worked well for me. You can specify the port in ~/.ssh/config so you don't have to type it every time you log in.
mo_42 245 days ago [-]
It's not so hard to use Tor for that. I wonder how the Tor exit nodes are distributed across the globe and see how that correlates or not.
bauruine 245 days ago [-]
I don't have exactly what you want but you would be very disappointed by the result anyway. Tor isn't as nefarious as people tend to believe.
[bauruine@tp:projects/misc]$ python check_ip_tor.py /tmp/malicious_ips.txt
Got a total of 6303 malicious IPs
Of which 15 are Tor relays
Stats from my service: ~92% of fake / auto user registrations comes from tor exits. (Or would, without blocking)
JSDevOps 242 days ago [-]
Awesome content! Brilliant post. You could use maxmind and use the free files to get your data.
imp0cat 245 days ago [-]
Wouldn't it be better and faster to use a local geoip database for the IP lookup instead of doing a network call for each?
244 days ago [-]
wsintra2022 245 days ago [-]
Interesting, if it’s an issue you could try port knocking to prevent the constant attempts
IAmGraydon 245 days ago [-]
Anyone who has run an SSH server on the default port knows that you’ll get hundreds or thousands of login attempts per day. Changing the port to something less obvious and running fail2ban is enough to mitigate most of it. They’re just looking for low hanging fruit.
chx 244 days ago [-]
I just run sslh...
KomoD 244 days ago [-]
That looks pretty cool, I hadn't heard of it before, has it been reliable for you?
chx 244 days ago [-]
Very much, yes.
PhilipRoman 245 days ago [-]
Changing the default port - yeah, works wonders for reducing noise. But I don't understand why people run fail2ban. Nobody is going to be brute forcing a ssh login, all it does is add another moving part very close to a security boundary for very little gain.
tetris11 245 days ago [-]
Yes they do. I had a colleague who opened up his machine to another using the logon "remote" and let them set the password.
It was cracked the next day. It turns out having 12345678 is probably a bad password.
gnabgib 245 days ago [-]
Have you recently run a server? It takes a week-month before your ssh port is published on shodan/binaryedge/censys/criminalIP and other dodgy scanners.. and then you can expect constant attention, and yes.. 14691 attempted logins for every username possible (even though password login is turned off) from the same IP (usually a VPN, tor exit, or "crowdsourced VPN")
KomoD 245 days ago [-]
> Nobody is going to be brute forcing a ssh login
Uh what? Yes people do...
ajsnigrutin 245 days ago [-]
> Finding the location of each attacker.
...of the attacking IP address, not attacker...
If I, living in a small EU country, wanted to "hack" my neighbour across the street, I sure as hell wouldn't use my home IP address, tied to my account at my ISP, which has my name and address.
I'd probably try to find an "IP" (VM, vpn, or whatever) in a country that's not really friendly about giving "ip address data" to our authorities.
On the other hand, I wouldn't use a chinese IP in china, if I lived there and wanted to hack my neighbour over there.
alam2000 245 days ago [-]
[dead]
internetter 245 days ago [-]
[flagged]
dylan604 245 days ago [-]
what, you would prefer it used chatGPT instead? every single article posted here is pretty much an ad. some are just less subtle. whether it was paid for ad or word of mouth, it's still adverstising
internetter 245 days ago [-]
I just found the continuous reference to it distracting, as it was utterly irrelevant to the otherwise interesting article.
245 days ago [-]
ametrau 245 days ago [-]
[flagged]
dang 244 days ago [-]
You can't post like this here, and I've banned the account.
> How is it ok that if you use the internet, you, as a low trust society member, magically get access to a wealthier high trust society full of "suckers".
The internet is the greatest leveler. Don't hate the player, hate the game. If someone is a "low" trust society member and made a contribution to the entire network, we ALL benefit.
Also, isolating doesn't do shit because the big tech would like to monitor you solely for themselves (i.e. Tiktok).
Both of these services support sending IP addresses via an API endpoint and can handle up to 500k IP addresses. You can also share the report via URL.
I highly recommend the following commands:
If you need any help or want me to take a look at those IP addresses (or ASNs and organizations), please create a post on the IPinfo community. I can share the code and instructions with you.ISP ChinaNet Jiangsu Province Network Domain Name chinatelecom.com.cn
Continue to be the source of thousands of ssh password login attempts for years and years on end.
It's not a big deal, I use a tarpit on all ssh with 2FA on the one I use, but it seems ridiculous that some participants of the internet don't give a shit about the rest of the world.
Previous HN discussion for brute.fail [2].
1: https://brute.fail/top.txt
2: https://news.ycombinator.com/item?id=36169954
Amusingly I recognize those IPs by that specific prefix as well, basically that entire /24 (at the very least) appears to be an absolutely massive source of the SSH login attempts.
Small world, I guess
Basically the entire ASN, they let abusers run wild, and if you look at Cloudflare's stats there's more bot traffic than human traffic!
A lot of the bigger ASNs (unicom, china mobile, etc.) in China are the same, totally unresponsive to abuse reports
Exactly. If I just nilly willy connect to your server, try a password and it works and I immediately disconnect, will that get me in trouble in the UK? That would be worrying.
2. But if you make a stab at shoplifting and you are successful and give back the item, did you break the law?
I am not a lawyer I am just asking.
Well, yeah?
But the law is never black and white. Programmers think the law is some code to run. It’s not.
Of course, the probability of someone getting arrested for logging into your SSH server is as close to 0 as you can possibly get, but that doesn't make it legal.
It commonly thought that they do nothing, but they seem to keep TCP connections open for quite a long time. A assume a hand written scanning client could detect and mitigate the delay but it's going to hold open the sessions on the firewall exit on the other side. If there are enough of these maybe someone might do something.
Makes me smile when I look at the logs, that's enough for me.
It's been covered quite a bit here on HN.
Many companies that do not have business in countries known for their abundance of bad actors will block their IP ranges right away.
Nowadays hackers worth their salt will make use of botnets and VPNs located at more "friendly" countries.
> I was surpised to see that the distribution of attacks is extremely uneven with most of it concentrated in parts of Asia, Europe, and the US, and (almost) none from South America, Middle East, and Russia.
Aside from the casual stereotyping of bad actors here, the article completely neglects the fact that just because the attack is sourced from a certain IP/geolocation doesn't mean that the attacker resides in that location.
What you most likely have is a listed of pwned PCs with fast internet connections being used in botnets.
When I ran public servers a few years ago, I saw similar results. Since the company had no customers in Asia, we IP-blocked the entire continent.
[1] https://radar.cloudflare.com/
A proper firewall port-knock set interleaved with 5 day ban tripwire port rules is effective at mitigating distributed brute-forcing. However, a ssh route whitelist rule set with SSL or iodine tunnel traffic priority is probably more important (when someone saturates the bandwidth trying to starve your session off the server).
Have a great day =)
The implementation by Moxie seems interesting, but needless to say that Python 2 is an instant no-go: https://github.com/moxie0/knockknock
It hasn't been updated in 12 years, so why is it that there seems almost no real interest in a solid port knocking implementation?
For a random example, most of these ports will just bind to the default web-server (mitigates loopback attacks etc.):
2021 //tripwire 5 day ban, delay 30s
2022 //SSL tunnel for SSH port on VM, with client source-port range restriction.
2023 //tripwire 5 day ban
2024 //tripwire 5 day ban, delay 130s
2025 //tripwire 5 day ban
2026 //trigger 1: enable trigger 2 for specific IP, 5 second delay to open
2027 //tripwire 5 day ban
2028 //trigger 2: enable trigger 3 for specific IP, 4 second delay to open
2029 //tripwire 5 day ban, delay 19s
2030 //tripwire 5 day ban
2031 //trigger 3: close trigger 2, enable SSL tunnel port for specific IP in 1 second
2032 //tripwire 5 day ban
2033 //close all ports for this client IP, and reset trigger states in 1 second
2034 //tripwire 5 day ban
I think the lack of popularity comes from the ease of locking oneself out (initially manual starting a firewall during configuration without rule caching is wise), and lack of client-side automated handshaking scripts on non-*nix systems.
Someone should put together a little tutorial given many people seem to have lost this simple skill-set. Most people tend to ignore fail2ban integration options like banning game cheats.
Have a wonderful day, =)
And it's not about adding more bits to your authentication, it's about vulnerabilities that can be exploited without authentication, like the recent xz backdoor debacle. Port knocking would defend against that, longer keys would not.
This has all been pointed out to you in the thread you linked.
At that point, it’s equivalent to a point-to-point VPN, which is the same as IPSec transport mode. Which is what you ought to be using instead of port knocking, if your threat model includes 0-day vulnerabilities in public-facing services like SSH.
VPN, other server, mobile hotspot... No need to leave the house.
https://lookerstudio.google.com
Are these because the bad guys are in there or just because of the population size?
China, India, US, and Indonesia are the top four of the most populous country and also 4 countries with most internet users.
Even the size of 10% of Indonesian internet users are almost the entire Taiwan population.
That could be a couple of "relaxed" ISPs, I suppose. I doubt it's a question of different national legislation.
Yes
2. Run botnet that tries all these keys on the entire Internet.
3. Profit!
*Flock because of the Cloud? What is the appropriate noun for many repos?
Is the information in the article actionable? E.g. can I complain to someone with authority?
Specifically, in Germany, the central-ish culster of dots is in the Frankfurt area, which is also the location of DE-CIX, one of the world's largest internet exchange points, and of roughtly 1/3 of all datacenters in Germany.
So I think rather than comparing the IP locations with population density, it would be even more interesting to compare them with the location of internet infrastructure. This is of course correlated, and probably harder to find as an open dataset.
I guess the distribution could reflect places with lower income levels looking to get free compute? (for whatever purposes). A lot are coming out of places where relative cost of compute compared to income, may be too high, alternately there may not have access to accepted payment methods?
For the servers coming from the US and developed East Asia it could be already cyber companies doing scanning to find clients, or already compromised servers?
I guess you could block the main country offenders but you'd have to pay an API to keep up with the IP allocations to be sure.
My prefix is dynamic, If it was static it would be more secure.
And also I have fail2ban for good measure.
This approach does require some client side hacking, though either in the form of SSH config, or in the form of a split horizon DNS so you can easily access your server, but that's no different from alternatives such as port knocking or simply altering the SSH port.
Of course, now your attack surface includes Tailscale, which has had it's own vulns in the past, but I think blocking all public traffic ends up being much stronger than any weaknesses Tailscale may introduce.
Is it "Security through obscurity" assuming fewer people are attacking vpn protocols that than ssh? And I'm not sure that's even true
Also, it's a bit tricky to set up but port knocking is a very effective solution, and you can keep the SSH on port 22 if you like.
ufw is the first thing I install, even on a "private" network and here's why.
I recently installed a router with IPv4 and IPV6. I later found out that IPv6 was globally addressed with no firewall.
Always run ufw and begin by shutting off everything to the internet, then only open up what you need.
For ssh changing the port to something else usually takes out 99% of bots.
When you arrive at the new location, call the API to open up the new address.
Here is the API on AWS https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_A...
Alternatively run a VPN or TailScale
Using firewall rules on the hosts is like a fake firewall. Stuff on the hosts can override those rules. Like docker. After all, the host is actually receiving the traffic.
A router isn't a firewall. Lesson learnt: don't assume any "router" device is also a firewall. Last I heard about half of ISP issued routers don't run any kind of stateful firewall for IPv6. The only reason they do for IPv4 is NAT.
the firewall is a kernel config. if configured properly no app can bypass
A router that includes a firewall is a firewall. In my case the firewall was broken.
Crazy! What brand router was this? I've never seen an IPv6 capable router configured to permit all traffic by default.
The reason this crap ends up in botnets is because it suits retail ISPs to have a common password for their own access. I've found that password on a forum and used it to get higher privileges than I had with my own login. And yeah, web management over the WAN was enabled by default.
Also, if there is a ground-up explanation of firewall rules, their uses and misuses, and illustrative examples, I'd love if people could share.
Here's a good cookbook-style guide on ufw https://www.digitalocean.com/community/tutorials/how-to-set-...
If you own a public website, you can take advantage of IPinfo's creditlink system and get up to 100K requests per month: https://ipinfo.io/contact/creditlink.
Also, our summary tool and map tool are free and do not require you to sign up. You can take advantage of them as well. They support up to 500k IP submissions.
Additionally, the free country ASN database provides unlimited requests, as it is just a database. Use the MMDB version of the database and the IPinfo CLI.
I understand you probably have a system in place, but please ping me if you need any assistance, especially with using our free IP database.
There are reasons to lock down your SSH port (fear of exploitation of the SSH software, like in the xz backdoor scenario) but I generally wouldn't worry too much about all the failed login attempts in your SSH log, as long as you're using secure enough login credentials.
It's essentially a manual firewall for when I disable ufw if it's being too aggressive:
https://gitlab.com/mtekman/iptables-autobanner
It was cracked the next day. It turns out having 12345678 is probably a bad password.
Uh what? Yes people do...
...of the attacking IP address, not attacker...
If I, living in a small EU country, wanted to "hack" my neighbour across the street, I sure as hell wouldn't use my home IP address, tied to my account at my ISP, which has my name and address.
I'd probably try to find an "IP" (VM, vpn, or whatever) in a country that's not really friendly about giving "ip address data" to our authorities.
On the other hand, I wouldn't use a chinese IP in china, if I lived there and wanted to hack my neighbour over there.
Between this, https://news.ycombinator.com/item?id=40139695, and https://news.ycombinator.com/item?id=38834901, there's clearly a pattern of abusive behavior.
https://news.ycombinator.com/newsguidelines.html
The internet is the greatest leveler. Don't hate the player, hate the game. If someone is a "low" trust society member and made a contribution to the entire network, we ALL benefit.
Also, isolating doesn't do shit because the big tech would like to monitor you solely for themselves (i.e. Tiktok).