, 3 min read
Chinese Hackers
I am running fail2ban since November 2017 and all unsuccessful attempts to log-in to sshd are monitored. Breaking down these attempts according country shows that Chinese IP addresses are coming first here.
The numbers are:
27639 China
13589 United States
8641 France
3985 India
3418 Korea
3217 Brazil
2940 Canada
2419 Germany
2157 Russian Federation
1988 Indonesia
The distribution of total attacks per month is as depicted below:
Getting total attacks per month is
sqlite3 -csv fail200117 "select strftime('%Y-%m',datetime(timeofban,'unixepoch','localtime')) year_month, count(*) from bans group by year_month order by year_month" > ipBlockPerMonth
File fail200117
is a copy of /var/lib/fail2ban/fail2ban.sqlite3
. The numbers are:
2017-11,4
2017-12,1
2018-01,1
2018-03,4
2018-05,1
2018-06,1
2018-07,1
2018-08,67
2018-09,63
2018-10,84
2018-11,64
2018-12,841
2019-01,4661
2019-02,7611
2019-03,17664
2019-04,13785
2019-05,4507
2019-06,2194
2019-07,1411
2019-08,4442
2019-09,5831
2019-10,8460
2019-11,10635
2019-12,6539
2020-01,9821
Getting numbers grouped by country is as follows: Collect numbers including frequency in file ipCnt
. Then run all distinct IP addresses through geoiplookup. Then use the paste command to merge the files together.
sqlite3 -csv fail200117 "select ip, count(*) from bans group by ip order by ip" > ipCnt
sqlite3 -csv fail200117 "select distinct ip from bans order by ip" | while read -r i; do geoiplookup $i; done > ipGeo
paste -d, ipCnt ipGeo > ipCntGeo
File ipCntGeo
looks like this:
1.0.192.181,2,GeoIP Country Edition: TH, Thailand
1.0.241.132,2,GeoIP Country Edition: TH, Thailand
1.1.215.230,2,GeoIP Country Edition: TH, Thailand
1.10.214.216,2,GeoIP Country Edition: TH, Thailand
1.100.179.187,2,GeoIP Country Edition: KR, Korea, Republic of
1.100.182.91,2,GeoIP Country Edition: KR, Korea, Republic of
1.100.90.127,2,GeoIP Country Edition: KR, Korea, Republic of
1.101.49.57,2,GeoIP Country Edition: KR, Korea, Republic of
1.109.178.70,2,GeoIP Country Edition: KR, Korea, Republic of
1.109.198.160,2,GeoIP Country Edition: KR, Korea, Republic of
Now use simple Perl script to do the counting.
my (%H);
while (<>) {
chomp;
my @F = split(/,/);
if ($F[2] =~ /IP Address not found/i) {
$H{" not found"} += $F[1];
} else {
$H{$F[3]} += $F[1];
}
}
foreach (keys %H) {
printf("%d\t%s\n", $H{$_}, $_);
}
The entire list is as follows:
27639 China
13589 United States
8641 France
3985 India
3418 Korea
3217 Brazil
2940 Canada
2419 Germany
2157 Russian Federation
1988 Indonesia
1779 United Kingdom
1758 Vietnam
1748 Italy
1705 Singapore
1283 Netherlands
1099 Thailand
956 Greece
916 Colombia
914 Poland
904 Taiwan
845 Argentina
837 Mexico
797 Hong Kong
736 Spain
598 Japan
593 Ukraine
585 *not found
563 Malaysia
493 Egypt
388 Hungary
364 Chile
339 Turkey
335 South Africa
330 Australia
315 Philippines
310 Sweden
303 Belgium
277 Iran
239 Romania
232 Pakistan
226 Peru
221 Czech Republic
219 Bangladesh
213 Portugal
204 Paraguay
181 Bulgaria
169 Ecuador
168 Ireland
162 Austria
160 Kazakhstan
128 Venezuela
126 Bolivia
114 Dominican Republic
113 Switzerland
113 Slovakia
112 Nepal
108 Morocco
106 Norway
98 Nigeria
97 Israel
97 Denmark
94 Lithuania
93 United Arab Emirates
89 Kenya
88 Belarus
87 Tunisia
86 Latvia
86 Azerbaijan
84 Uganda
69 Serbia
67 Finland
65 Mauritius
64 Slovenia
63 Asia/Pacific Region
62 Cambodia
61 Senegal
60 Cameroon
59 Ethiopia
58 Uruguay
58 Sri Lanka
54 Zimbabwe
54 Uzbekistan
54 Algeria
53 Mongolia
51 Luxembourg
45 Croatia
44 Lao People's Democratic Republic
43 Armenia
42 Guatemala
41 Iraq
39 Botswana
38 Tanzania
38 Ghana
38 Europe
38 Barbados
37 Panama
34 Saudi Arabia
34 Palestinian Territory
32 Kyrgyzstan
30 New Zealand
29 Costa Rica
28 Macau
26 Qatar
24 Myanmar
24 Lebanon
23 New Caledonia
23 Moldova
23 Jordan
23 Cote D'Ivoire
19 Syrian Arab Republic
19 Albania
18 Malawi
17 Zambia
17 Kuwait
17 Georgia
17 Bosnia and Herzegovina
16 Sudan
16 Oman
16 Mozambique
16 Gabon
16 Bahamas
15 Estonia
14 Cayman Islands
14 Benin
13 Montenegro
12 Virgin Islands
12 Angola
11 Mali
11 Libya
11 Congo
10 Martinique
9 Saint Barthelemy
9 Reunion
9 Monaco
9 Haiti
9 El Salvador
8 Togo
8 Seychelles
8 Rwanda
8 Puerto Rico
8 Macedonia
8 Jamaica
8 Bahrain
7 Trinidad and Tobago
7 Madagascar
7 Grenada
7 Fiji
7 Brunei Darussalam
6 Suriname
6 Saint Kitts and Nevis
6 Niger
6 Iceland
6 Antigua and Barbuda
5 Yemen
5 Namibia
5 Djibouti
4 Nicaragua
4 Malta
4 Burkina Faso
3 Liberia
3 Jersey
3 Honduras
3 Dominica
3 Cyprus
3 Belize
3 Afghanistan
2 Tajikistan
2 Mauritania
2 Maldives
2 Lesotho
2 Guernsey
2 Guadeloupe
2 Curacao
2 Cape Verde
2 Burundi
2 Bhutan
1 Saint Lucia
1 Papua New Guinea
1 Isle of Man
1 Guyana
1 Cuba
1 Chad
1 Aruba
1 Andorra
Added 05-Mar-2024: I added a version for 2024: Chinese Hackers #2. TLDR: China is still number one.