Chinese Hackers #2
Original post is here eklausmeier.goip.de/blog/2024/03-05-chinese-hackers-p2.
In 2020, in the blog post Chinese Hackers, I noticed that China makes by far the most attempts to hack my Linux machines. These attempts look like this:
$ lastb
a ssh:notty 209.97.163.130 Tue Mar 5 13:07 - 13:07 (00:00)
sftpuser ssh:notty 93.123.39.2 Tue Mar 5 13:05 - 13:05 (00:00)
sftpuser ssh:notty 93.123.39.2 Tue Mar 5 13:05 - 13:05 (00:00)
hzp ssh:notty 43.156.241.167 Mon Mar 4 18:19 - 18:19 (00:00)
hzp ssh:notty 43.156.241.167 Mon Mar 4 18:19 - 18:19 (00:00)
root ssh:notty 8.219.249.208 Mon Mar 4 18:17 - 18:17 (00:00)
mheydary ssh:notty 118.178.132.93 Mon Mar 4 12:35 - 12:35 (00:00)
mheydary ssh:notty 118.178.132.93 Mon Mar 4 12:34 - 12:34 (00:00)
ftp1user ssh:notty 143.255.140.241 Mon Mar 4 12:34 - 12:34 (00:00)
ftp1user ssh:notty 143.255.140.241 Mon Mar 4 12:34 - 12:34 (00:00)
panisa ssh:notty 139.224.200.60 Mon Mar 4 11:13 - 11:13 (00:00)
panisa ssh:notty 139.224.200.60 Mon Mar 4 11:13 - 11:13 (00:00)
sina ssh:notty 129.226.158.202 Mon Mar 4 10:45 - 10:45 (00:00)
sina ssh:notty 129.226.158.202 Mon Mar 4 10:44 - 10:44 (00:00)
hadoop ssh:notty 129.226.152.121 Mon Mar 4 10:43 - 10:43 (00:00)
In 2020 I used fail2ban. Since 2021 I use SSHGuard, which uses far fewer resources. See Analysis And Usage of SSHGuard.
I ran a quick analysis of which country is the most aggressive penetrator.
1. Collecting IP addresses. SSHGuard blocks the offending intruders via ipset.
$ ipset list > i1
This dumps all blocked IP addresses into the file i1.
Now I run these IP numbers through geoiplookup:
$ for i in `perl -ne 'print $1."\n" if /^(\d+\.\d+\.\d+\.\d+)\s+/' i1`; do geoiplookup $i >> i3; done
The resulting list looks like this:
$ head i3
GeoIP Country Edition: CN, China
GeoIP Country Edition: HK, Hong Kong
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: PE, Peru
GeoIP Country Edition: CA, Canada
GeoIP Country Edition: CN, China
GeoIP Country Edition: KR, Korea, Republic of
GeoIP Country Edition: KE, Kenya
2. Sorting according to frequency.
$ cut -d: -f2 i3 | sort | uniq -c | sort -rn
The top 20 offenders are:
4228 CN, China
3175 US, United States
2142 SG, Singapore
1596 KR, Korea, Republic of
1042 DE, Germany
980 IN, India
755 HK, Hong Kong
661 BR, Brazil
566 RU, Russian Federation
522 VN, Vietnam
471 ID, Indonesia
453 JP, Japan
403 FR, France
396 NL, Netherlands
354 GB, United Kingdom
313 IR, Iran, Islamic Republic of
307 CA, Canada
279 TW, Taiwan
236 AU, Australia
173 TH, Thailand
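Steps 1 and 2 above as one script, added here as an example and not part of the original post: it parses an `ipset list` dump, maps each member to a country from geoiplookup-style output, and ranks countries by count. The ipset dump and the geoiplookup answers are constructed (RFC 5737 documentation addresses, no real geolocation); `geoiplookup_cli` is the hypothetical drop-in that calls the real binary, and entries that resolve to no country are tallied as unknown instead of being dropped.

```python
import re
import subprocess
from collections import Counter
# Constructed `ipset list` dump: header lines, then one member per line,
# with or without a timeout, as a bare address or as a CIDR net.
SAMPLE_IPSET = """\
Name: sshguard4
Members:
192.0.2.10 timeout 1800
192.0.2.11 timeout 1800
198.51.100.5
203.0.113.0/24
203.0.113.77 timeout 600
"""
# Constructed stand-in for geoiplookup answers, so the script runs offline.
SAMPLE_GEOIP = {
    "192.0.2.10": "GeoIP Country Edition: CN, China",
    "192.0.2.11": "GeoIP Country Edition: US, United States",
    "198.51.100.5": "GeoIP Country Edition: CN, China",
    "203.0.113.0": "GeoIP Country Edition: SG, Singapore",
}
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?(?:\s|$)")

def ipset_members(dump):
    """Step 1: the addresses listed below 'Members:'; the header is skipped."""
    members, in_members = [], False
    for line in dump.splitlines():
        if line.startswith("Members:"):
            in_members = True
        elif in_members and (m := IPV4_RE.match(line.strip())):
            members.append(m.group(1))
    return members

def parse_geoip(line):
    """'GeoIP Country Edition: CN, China' -> 'CN, China'; unresolved -> '??, unknown'."""
    prefix = "GeoIP Country Edition:"
    if not line.startswith(prefix) or "not found" in line:
        return "??, unknown"
    return line[len(prefix):].strip()

def sample_lookup(ip):
    return SAMPLE_GEOIP.get(ip, "GeoIP Country Edition: IP Address not found")

def geoiplookup_cli(ip):
    """Hypothetical real lookup through the geoiplookup binary (first output line)."""
    out = subprocess.run(["geoiplookup", ip], capture_output=True, text=True).stdout
    return (out.splitlines() or [""])[0]

def country_ranking(dump, lookup=sample_lookup):
    """Step 2: members per country, most frequent first (ties keep first-seen order)."""
    return Counter(parse_geoip(lookup(ip)) for ip in ipset_members(dump)).most_common()
```

Pass `lookup=geoiplookup_cli` and the contents of i1 as `dump` to reproduce the table above on a machine with the GeoIP country database installed.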
Graphically this looks like this: