, 3 min read

Chinese Hackers

I am running fail2ban since November 2017 and all unsuccessful attempts to log-in to sshd are monitored. Breaking down these attempts according country shows that Chinese IP addresses are coming first here.

The numbers are:

27639    China
13589    United States
8641     France
3985     India
3418     Korea
3217     Brazil
2940     Canada
2419     Germany
2157     Russian Federation
1988     Indonesia

fail2ban_breakdown_country

The distribution of total attacks per month is as depicted below: ipBlockPerMonth

Getting total attacks per month is

sqlite3 -csv fail200117 "select strftime('%Y-%m',datetime(timeofban,'unixepoch','localtime')) year_month, count(*) from bans group by year_month order by year_month" > ipBlockPerMonth

File fail200117 is a copy of /var/lib/fail2ban/fail2ban.sqlite3. The numbers are:

2017-11,4
2017-12,1
2018-01,1
2018-03,4
2018-05,1
2018-06,1
2018-07,1
2018-08,67
2018-09,63
2018-10,84
2018-11,64
2018-12,841
2019-01,4661
2019-02,7611
2019-03,17664
2019-04,13785
2019-05,4507
2019-06,2194
2019-07,1411
2019-08,4442
2019-09,5831
2019-10,8460
2019-11,10635
2019-12,6539
2020-01,9821

Getting numbers grouped by country is as follows: Collect numbers including frequency in file ipCnt. Then run all distinct IP addresses through geoiplookup. Then use the paste command to merge the files together.

sqlite3 -csv fail200117 "select ip, count(*) from bans group by ip order by ip" > ipCnt
sqlite3 -csv fail200117 "select distinct ip from bans order by ip" | while read -r i; do geoiplookup $i; done > ipGeo
paste -d, ipCnt ipGeo > ipCntGeo

File ipCntGeo looks like this:

1.0.192.181,2,GeoIP Country Edition: TH, Thailand
1.0.241.132,2,GeoIP Country Edition: TH, Thailand
1.1.215.230,2,GeoIP Country Edition: TH, Thailand
1.10.214.216,2,GeoIP Country Edition: TH, Thailand
1.100.179.187,2,GeoIP Country Edition: KR, Korea, Republic of
1.100.182.91,2,GeoIP Country Edition: KR, Korea, Republic of
1.100.90.127,2,GeoIP Country Edition: KR, Korea, Republic of
1.101.49.57,2,GeoIP Country Edition: KR, Korea, Republic of
1.109.178.70,2,GeoIP Country Edition: KR, Korea, Republic of
1.109.198.160,2,GeoIP Country Edition: KR, Korea, Republic of

Now use simple Perl script to do the counting.

my (%H);
while (<>) {
        chomp;
        my @F = split(/,/);
        if ($F[2] =~ /IP Address not found/i) {
                $H{" not found"} += $F[1];
        } else {
                $H{$F[3]} += $F[1];
        }
}

foreach (keys %H) {
        printf("%d\t%s\n", $H{$_}, $_);
}

The entire list is as follows:

27639    China
13589    United States
8641     France
3985     India
3418     Korea
3217     Brazil
2940     Canada
2419     Germany
2157     Russian Federation
1988     Indonesia
1779     United Kingdom
1758     Vietnam
1748     Italy
1705     Singapore
1283     Netherlands
1099     Thailand
956      Greece
916      Colombia
914      Poland
904      Taiwan
845      Argentina
837      Mexico
797      Hong Kong
736      Spain
598      Japan
593      Ukraine
585     *not found
563      Malaysia
493      Egypt
388      Hungary
364      Chile
339      Turkey
335      South Africa
330      Australia
315      Philippines
310      Sweden
303      Belgium
277      Iran
239      Romania
232      Pakistan
226      Peru
221      Czech Republic
219      Bangladesh
213      Portugal
204      Paraguay
181      Bulgaria
169      Ecuador
168      Ireland
162      Austria
160      Kazakhstan
128      Venezuela
126      Bolivia
114      Dominican Republic
113      Switzerland
113      Slovakia
112      Nepal
108      Morocco
106      Norway
98       Nigeria
97       Israel
97       Denmark
94       Lithuania
93       United Arab Emirates
89       Kenya
88       Belarus
87       Tunisia
86       Latvia
86       Azerbaijan
84       Uganda
69       Serbia
67       Finland
65       Mauritius
64       Slovenia
63       Asia/Pacific Region
62       Cambodia
61       Senegal
60       Cameroon
59       Ethiopia
58       Uruguay
58       Sri Lanka
54       Zimbabwe
54       Uzbekistan
54       Algeria
53       Mongolia
51       Luxembourg
45       Croatia
44       Lao People's Democratic Republic
43       Armenia
42       Guatemala
41       Iraq
39       Botswana
38       Tanzania
38       Ghana
38       Europe
38       Barbados
37       Panama
34       Saudi Arabia
34       Palestinian Territory
32       Kyrgyzstan
30       New Zealand
29       Costa Rica
28       Macau
26       Qatar
24       Myanmar
24       Lebanon
23       New Caledonia
23       Moldova
23       Jordan
23       Cote D'Ivoire
19       Syrian Arab Republic
19       Albania
18       Malawi
17       Zambia
17       Kuwait
17       Georgia
17       Bosnia and Herzegovina
16       Sudan
16       Oman
16       Mozambique
16       Gabon
16       Bahamas
15       Estonia
14       Cayman Islands
14       Benin
13       Montenegro
12       Virgin Islands
12       Angola
11       Mali
11       Libya
11       Congo
10       Martinique
9        Saint Barthelemy
9        Reunion
9        Monaco
9        Haiti
9        El Salvador
8        Togo
8        Seychelles
8        Rwanda
8        Puerto Rico
8        Macedonia
8        Jamaica
8        Bahrain
7        Trinidad and Tobago
7        Madagascar
7        Grenada
7        Fiji
7        Brunei Darussalam
6        Suriname
6        Saint Kitts and Nevis
6        Niger
6        Iceland
6        Antigua and Barbuda
5        Yemen
5        Namibia
5        Djibouti
4        Nicaragua
4        Malta
4        Burkina Faso
3        Liberia
3        Jersey
3        Honduras
3        Dominica
3        Cyprus
3        Belize
3        Afghanistan
2        Tajikistan
2        Mauritania
2        Maldives
2        Lesotho
2        Guernsey
2        Guadeloupe
2        Curacao
2        Cape Verde
2        Burundi
2        Bhutan
1        Saint Lucia
1        Papua New Guinea
1        Isle of Man
1        Guyana
1        Cuba
1        Chad
1        Aruba
1        Andorra

Added 05-Mar-2024: I added a version for 2024: Chinese Hackers #2. TLDR: China is still number one.