Tuesday, August 2, 2011

Fail2ban ssh root stats

My home server has been using fail2ban with the SSH root logging blocker. Being curious, I decide to extract some statistics to find out which country the logging attempts came from. I set up fail2ban to also send emails of blacklisting events. Using the following bash command:

# grep 'SSH: banned' /var/spool/mail/root | cut -d' ' -f5 | xargs --replace=xxx geoiplookup xxx | sort | uniq -c | sort -n

and here is the result:
1 GeoIP Country Edition: AE, United Arab Emirates
      1 GeoIP Country Edition: BE, Belgium
      1 GeoIP Country Edition: BH, Bahrain
      1 GeoIP Country Edition: DK, Denmark
      1 GeoIP Country Edition: GR, Greece
      1 GeoIP Country Edition: HU, Hungary
      1 GeoIP Country Edition: IR, Iran, Islamic Republic of
      1 GeoIP Country Edition: KW, Kuwait
      1 GeoIP Country Edition: KZ, Kazakhstan
      1 GeoIP Country Edition: LK, Sri Lanka
      1 GeoIP Country Edition: MN, Mongolia
      1 GeoIP Country Edition: PR, Puerto Rico
      1 GeoIP Country Edition: SN, Senegal
      1 GeoIP Country Edition: YE, Yemen
      2 GeoIP Country Edition: AR, Argentina
      2 GeoIP Country Edition: CR, Costa Rica
      2 GeoIP Country Edition: EC, Ecuador
      2 GeoIP Country Edition: LT, Lithuania
      2 GeoIP Country Edition: OM, Oman
      2 GeoIP Country Edition: PA, Panama
      2 GeoIP Country Edition: PH, Philippines
      2 GeoIP Country Edition: PT, Portugal
      3 GeoIP Country Edition: ID, Indonesia
      3 GeoIP Country Edition: NL, Netherlands
      4 GeoIP Country Edition: AU, Australia
      4 GeoIP Country Edition: BG, Bulgaria
      4 GeoIP Country Edition: CZ, Czech Republic
      4 GeoIP Country Edition: DE, Germany
      4 GeoIP Country Edition: MA, Morocco
      4 GeoIP Country Edition: PK, Pakistan
      4 GeoIP Country Edition: UA, Ukraine
      5 GeoIP Country Edition: CL, Chile
      5 GeoIP Country Edition: MX, Mexico
      5 GeoIP Country Edition: PL, Poland
      6 GeoIP Country Edition: CA, Canada
      8 GeoIP Country Edition: ES, Spain
      9 GeoIP Country Edition: BR, Brazil
      9 GeoIP Country Edition: HK, Hong Kong
      9 GeoIP Country Edition: JP, Japan
      9 GeoIP Country Edition: NZ, New Zealand
     10 GeoIP Country Edition: TW, Taiwan
     11 GeoIP Country Edition: GB, United Kingdom
     12 GeoIP Country Edition: TH, Thailand
     12 GeoIP Country Edition: TR, Turkey
     13 GeoIP Country Edition: RU, Russian Federation
     17 GeoIP Country Edition: IT, Italy
     18 GeoIP Country Edition: VN, Vietnam
     19 GeoIP Country Edition: CO, Colombia
     19 GeoIP Country Edition: EG, Egypt
     20 GeoIP Country Edition: FR, France
     38 GeoIP Country Edition: IN, India
     40 GeoIP Country Edition: KR, Korea, Republic of
     53 GeoIP Country Edition: US, United States
     72 GeoIP Country Edition: IP Address not found
     74 GeoIP Country Edition: PE, Peru
    211 GeoIP Country Edition: CN, China
It's no surprise who does the most break-in attempts. For me, the second one in the list is a bit surpising. Peru is either a haven for hackers or it has a lot of insecure computers that are the jumping points for other hackers in other countries. I don't know much about Peru.

No comments:

Post a Comment