Country Ranking of Attempts to Gain Unauthorized Access via SSH


Hello, I'm Incompetent.
Last time was this
Which country is trying to gain unauthorized access to my server via SSH!

One-liner Aggregation

So, since I've set the ban period to one week, these are the results from that week.

fail2ban-client status sshd

I'll take the IPs that appear in that output, echo them as a space-separated list, run each one through geoiplookup, and count the hits per country.

echo "空白区切りのIP群" | sed "s/ /\n/g" | while read -r ip; do geoiplookup "$ip"; done | sort | uniq -c | sort -rn

And the undisputed number one is...

      1 GeoIP Country Edition: AE, United Arab Emirates
      1 GeoIP Country Edition: BE, Belgium
      1 GeoIP Country Edition: CH, Switzerland
      1 GeoIP Country Edition: CO, Colombia
      1 GeoIP Country Edition: JP, Japan
      1 GeoIP Country Edition: KH, Cambodia
      1 GeoIP Country Edition: MR, Mauritania
      1 GeoIP Country Edition: NO, Norway
      1 GeoIP Country Edition: PE, Peru
      1 GeoIP Country Edition: PL, Poland
      1 GeoIP Country Edition: RU, Russian Federation
      1 GeoIP Country Edition: SC, Seychelles
      1 GeoIP Country Edition: SE, Sweden
      2 GeoIP Country Edition: AT, Austria
      2 GeoIP Country Edition: ES, Spain
      2 GeoIP Country Edition: MX, Mexico
      2 GeoIP Country Edition: TH, Thailand
      2 GeoIP Country Edition: UZ, Uzbekistan
      2 GeoIP Country Edition: ZA, South Africa
      3 GeoIP Country Edition: ID, Indonesia
      3 GeoIP Country Edition: TR, Turkey
      4 GeoIP Country Edition: DE, Germany
      4 GeoIP Country Edition: RO, Romania
      5 GeoIP Country Edition: GB, United Kingdom
      6 GeoIP Country Edition: AU, Australia
      6 GeoIP Country Edition: BG, Bulgaria
      9 GeoIP Country Edition: CA, Canada
      9 GeoIP Country Edition: HK, Hong Kong
      9 GeoIP Country Edition: SG, Singapore
     10 GeoIP Country Edition: IN, India
     10 GeoIP Country Edition: NL, Netherlands
     11 GeoIP Country Edition: FR, France
     14 GeoIP Country Edition: CN, China
     23 GeoIP Country Edition: VN, Vietnam
     25 GeoIP Country Edition: US, United States
     39 GeoIP Country Edition: KR, Korea, Republic of

Korea, which I don't think was there before, is No. 1.
Vietnam is also quite high up.
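The same aggregation as the one-liner above, written as a small script that I have added here (it is not from the original post): it parses the "Banned IP list:" line of fail2ban-client status output directly instead of pasting the IPs into echo, looks each IP up, and ranks countries with the count highest first. The sample status output and the IP-to-country table are constructed for the demo (TEST-NET addresses, made-up mappings); on a real host you would set GEOIP_CMD=geoiplookup and pipe in fail2ban-client status sshd.

```shell
#!/bin/sh
# Added example: rank the countries behind fail2ban's banned IPs.

# Pull the banned IPs, one per line, out of `fail2ban-client status <jail>`
# output read on stdin. The list sits after "Banned IP list:".
extract_banned_ips() {
    sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | awk 'NF'
}

# Resolve one IP to a geoiplookup-style line. If GEOIP_CMD is set (e.g. to
# geoiplookup) that command is used; otherwise a constructed stand-in table
# answers, so the script runs offline. The mappings below are made up.
lookup_country() {
    ip="$1"
    if [ -n "${GEOIP_CMD:-}" ]; then
        "$GEOIP_CMD" "$ip"
        return
    fi
    case "$ip" in
        203.0.113.*)  echo "GeoIP Country Edition: KR, Korea, Republic of" ;;
        198.51.100.*) echo "GeoIP Country Edition: VN, Vietnam" ;;
        192.0.2.*)    echo "GeoIP Country Edition: US, United States" ;;
        *)            echo "GeoIP Country Edition: IP Address not found" ;;
    esac
}

# Read IPs on stdin, look each up, count identical country lines, and sort by
# the leading count numerically in reverse (sort -rn). Note that `sort -tr`
# would set 'r' as the field separator rather than reverse the order.
rank_countries() {
    while read -r ip; do lookup_country "$ip"; done | sort | uniq -c | sort -rn
}

# Constructed sample of `fail2ban-client status sshd` output (not real data).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 4
   `- Banned IP list: 203.0.113.5 203.0.113.9 198.51.100.7 192.0.2.1'

# Usage on a live host: fail2ban-client status sshd | extract_banned_ips | rank_countries
printf '%s\n' "$SAMPLE_STATUS" | extract_banned_ips | rank_countries
```

With the sample input the top line is the KR entry with a count of 2, followed by VN and US with one each; the "IP Address not found" line that geoiplookup prints for unmapped addresses is counted like any other, so it is worth checking for it before reading too much into a ranking.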

Fail2Ban also watches SMTP and Dovecot, but there are too few attempts there to say much.
Postfix

      1 GeoIP Country Edition: DE, Germany
      1 GeoIP Country Edition: ID, Indonesia
      1 GeoIP Country Edition: NL, Netherlands
      1 GeoIP Country Edition: TH, Thailand
      5 GeoIP Country Edition: US, United States

I wish Postfix would also attract some interest...

Why are there so many from Korea?

Increase in 'pro-Russia hacker' attacks on South Korea after North Korea dispatched troops
I found an article like this.
It makes sense that pro-US South Korea would be a target, but why so many SSH attempts come *from* South Korea is not very clear to me...
Perhaps already-compromised servers there are being used as stepping stones.
It is a bit strange that more source IPs come from there than from a country as large as the United States.

Even if this were North Korea, would GeoIP distinguish between South/North?

So I've changed the ban period for SSH attempts from 1 week to 10 weeks, which should let me aggregate over a longer period next time.
