International SSH Brute Forcing

Posted by in Technology

Technology is a fascinating part of modern life, day-to-day we use it in various different ways from smartphones to credit/debit cards to kitchen gadgets, almost everything we do somehow involves tech in some fashion or another. One thing that is fundamental to a large proportion of developed countries is the Internet (as proven in my previous post!) We use the Internet for almost anything, and in some countries literally everything. The thing that fascinates me is the vast diversity of it, you can find pretty much anything on the Internet, this in my mind is something that should be cherished and celebrated, but as with anything good in life there are people out there trying to exploit it for many different reasons.

The Internet is essentially a collection of independent networks that join together in a mesh like fashion, this creates a redundant structure for information to freely flow from one place to another over different possible routes. Packets of traffic could for example flow from China to France at the speed of light carrying anything from the latest Beijing blockbusters to the finest Sweet & Sour chicken recipe. My example of traffic flowing from China to France is actually a link the theme of this blog, attacks! As mentioned earlier there are people out their trying to exploit the internet usually for monetary gain, this in itself isn’t fascinating really, just like people running illegal gambling is exploitation but not really very fascinating. What is fascinating however is the geographic diversity of where attacks originate, but also patterns of attacks. Being a tech-head I run a few servers for a few different purposes, one at home for media storage, a dedicated server for VPN access and another for web-hosting (where this blog is hosted). The first thing I do on newly setup servers is install a really well written piece of software called Fail2Ban, it’s purpose is to scan a server’s log files, discover and ban the originators of malicious attacks. If you’ve ever looked through server access logs you would understand why this is an important piece of software! On the two dedicated servers I run I have Fail2Ban┬ásetup with a small project I started plugged-in to it, enter Fail2Ban-Geo.

Fail2Ban-Geo is still in it’s early stages of development (when I find spare time) but works like a treat feeding my nerdy fascination with the world. The project is fairly simple, the idea is to plot where attackers that are banned from accessing a server from evidence of malicious attacks on a map, two examples are here and here. The first has been running for a couple of months or so and the second has been running since this morning. When an attacker is banned using Fail2Ban the project instance running on the server is contacted providing an ip address of the attacker, this ip is then cross-referenced against a geo-ip database and stored in a table. The location of the ip address is then added to the tally for attacks originating from the particular country in question and added to to the map as a pin. Two things can quickly be deduced from these maps, the first is attackers in China are hitting my server more than anybody else, the second is attacks can be seen daily, since starting Fail2Ban-Geo this morning I’ve seen 4 attacks from 4 different countries being blocked. Hacks seem to originate from literally anywhere in the world, I often find myself checking back to see which new countries have been added to the list. My plan is to make many improvements to the project before properly readying it for other people to use, it’s currently available on GitHub┬ábut I haven’t documented how to get it setup and running properly.

Watch this space for updates!