Intro
It can be very time-consuming to report bad actors on the Internet. The results are unpredictable and I suppose in some cases the situation could be worsened. Out of general frustration, I’ve decided to publicly list the worst offenders.
The details
These are individual IPs or networks that have initiated egregious hacking attempts against my server over the past few years.
I can list them as follows:
$ netstat -rn|cut -c-16|egrep -v ^'10\.|172|169'
Kernel IP routing table
Destination     Gateway         Genmask
46.151.52.61    127.0.0.1       255.255.255.255
23.110.213.91   127.0.0.1       255.255.255.255
183.3.202.105   127.0.0.1       255.255.255.255
94.249.241.48   127.0.0.1       255.255.255.255
82.19.207.212   127.0.0.1       255.255.255.255
46.151.52.37    127.0.0.1       255.255.255.255
43.229.53.13    127.0.0.1       255.255.255.255
93.184.187.75   127.0.0.1       255.255.255.255
43.229.53.14    127.0.0.1       255.255.255.255
144.76.170.101  127.0.0.1       255.255.255.255
198.57.162.53   127.0.0.1       255.255.255.255
146.185.251.252 127.0.0.1       255.255.255.255
123.242.229.75  127.0.0.1       255.255.255.255
113.160.158.43  127.0.0.1       255.255.255.255
46.151.52.0     127.0.0.1       255.255.255.0
121.18.238.0    127.0.0.1       255.255.255.0
58.218.204.0    127.0.0.1       255.255.255.0
221.194.44.0    127.0.0.1       255.255.255.0
43.229.0.0      127.0.0.1       255.255.0.0
0.0.0.0         10.185.21.65    0.0.0.0
Added after the initial post
185.110.132.201/32
69.197.191.202/32 – 8/2016
119.249.54.0/24 – 10/2016
221.194.47.0/24 – 10/2016
79.141.162.0/23 – 10/2016
91.200.12.42 – 11/2016. WP login attempts
83.166.243.120 – 11/2016. WP login attempts
195.154.252.100 – 12/2016. WP login attempts
195.154.252.0/23 – 12/2016. WP login attempts
91.200.12.0/24 (originally listed as 91.200.12.155/24, which is the same /24 network) – 12/2016. WP login attempts
185.110.132.202 – 12/2016. ssh attempts
163.172.0.0/16 – 12/2016. ssh attempts
197.88.63.63 – WP login attempts
192.151.151.34 – 4/2017. WP login attempts
193.201.224.223 – 4/2017. WP login attempts
192.187.98.42 – 4/2017. WP login attempts
192.151.159.2 – 5/2017. WP login attempts
192.187.98.43 – 6/2017. WP login attempts
The offense these IPs are guilty of is trying obsessively to log in to my server. Here is how I show login attempts:
$ cd /var/log; sudo last -f btmp|more
qwsazx   ssh:notty    175.143.54.193   Tue Jul 12 15:23    gone - no logout
qwsazx   ssh:notty    175.143.54.193   Tue Jul 12 15:23 - 15:23  (00:00)
pi       ssh:notty    185.110.132.201  Tue Jul 12 14:57 - 15:23  (00:26)
pi       ssh:notty    185.110.132.201  Tue Jul 12 14:57 - 14:57  (00:00)
ubnt     ssh:notty    185.110.132.201  Tue Jul 12 14:18 - 14:57  (00:39)
ubnt     ssh:notty    185.110.132.201  Tue Jul 12 14:18 - 14:18  (00:00)
brandon  ssh:notty    175.143.54.193   Tue Jul 12 13:46 - 14:18  (00:31)
brandon  ssh:notty    175.143.54.193   Tue Jul 12 13:46 - 13:46  (00:00)
ubnt     ssh:notty    185.110.132.201  Tue Jul 12 13:41 - 13:46  (00:04)
ubnt     ssh:notty    185.110.132.201  Tue Jul 12 13:41 - 13:41  (00:00)
root     ssh:notty    185.110.132.201  Tue Jul 12 13:08 - 13:41  (00:33)
PlcmSpIp ssh:notty    118.68.248.183   Tue Jul 12 13:03 - 13:08  (00:05)
PlcmSpIp ssh:notty    118.68.248.183   Tue Jul 12 13:02 - 13:03  (00:00)
support  ssh:notty    118.68.248.183   Tue Jul 12 13:02 - 13:02  (00:00)
support  ssh:notty    118.68.248.183   Tue Jul 12 13:02 - 13:02  (00:00)
glassfis ssh:notty    175.143.54.193   Tue Jul 12 12:59 - 13:02  (00:03)
glassfis ssh:notty    175.143.54.193   Tue Jul 12 12:59 - 12:59  (00:00)
support  ssh:notty    185.110.132.201  Tue Jul 12 12:34 - 12:59  (00:24)
support  ssh:notty    185.110.132.201  Tue Jul 12 12:34 - 12:34  (00:00)
amber    ssh:notty    175.143.54.193   Tue Jul 12 12:10 - 12:34  (00:24)
amber    ssh:notty    175.143.54.193   Tue Jul 12 12:10 - 12:10  (00:00)
admin    ssh:notty    185.110.132.201  Tue Jul 12 12:00 - 12:10  (00:09)
admin    ssh:notty    185.110.132.201  Tue Jul 12 12:00 - 12:00  (00:00)
steam1   ssh:notty    175.143.54.193   Tue Jul 12 11:29 - 12:00  (00:31)
steam1   ssh:notty    175.143.54.193   Tue Jul 12 11:29 - 11:29  (00:00)
robyn    ssh:notty    175.143.54.193   Tue Jul 12 08:37 - 11:29  (02:52)
robyn    ssh:notty    175.143.54.193   Tue Jul 12 08:37 - 08:37  (00:00)
postgres ssh:notty    209.92.176.23    Tue Jul 12 08:16 - 08:37  (00:20)
postgres ssh:notty    209.92.176.23    Tue Jul 12 08:16 - 08:16  (00:00)
root     ssh:notty    209.92.176.23    Tue Jul 12 08:16 - 08:16  (00:00)
a        ssh:notty    209.92.176.23    Tue Jul 12 08:16 - 08:16  (00:00)
a        ssh:notty    209.92.176.23    Tue Jul 12 08:16 - 08:16  (00:00)
plex     ssh:notty    175.143.54.193   Tue Jul 12 07:51 - 08:16  (00:24)
plex     ssh:notty    175.143.54.193   Tue Jul 12 07:51 - 07:51  (00:00)
root     ssh:notty    40.76.25.178     Tue Jul 12 06:06 - 07:51  (01:45)
pi       ssh:notty    64.95.100.89     Tue Jul 12 05:49 - 06:06  (00:16)
pi       ssh:notty    64.95.100.89     Tue Jul 12 05:49 - 05:49  (00:00)
...
The above is a sampling of today's culprits. It's a small, slow server, so each login attempt takes a while and brute-force dictionary attacks are not going to succeed. But honestly, these IPs ought to be banned from the Internet for such flagrant abuse. I only add to my route table the ones that are repeat offenders.
Here is the syntax on my server I use to add a network to this wall of shame:
$ sudo route add -net 221.194.44.0/24 gateway 127.0.0.1
So, yeah, I just route them to the loopback interface, which prevents my server from sending any packets back to them: their SYNs still arrive, but the SYN-ACK goes to loopback, so no TCP connection is ever established and sshd never sees the login attempt. I could have used the Amazon AWS firewall, but I find this more convenient since the command is always in my bash shell history. Note that routes added this way live only in the running kernel and vanish on reboot unless they are re-added from a startup script; `ip route add blackhole 221.194.44.0/24` (or `route add -net 221.194.44.0/24 reject`) does the same job without borrowing the loopback address.
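To turn the two commands above into a repeatable check, here is an added shell example (my script, not the post's own) that reads `last -f /var/log/btmp` output, counts attempts per source address, and prints, without running them, the `route add` lines for every source seen more than a threshold number of times, collapsing to a /24 when two or more offending hosts share one. The sample input is constructed for the example in the layout `last` prints, the threshold and the /24 aggregation rule are assumptions of mine, and the function names are mine.

```shell
#!/bin/sh
# Added example, not the original post's script: rank failed-login sources
# from `last -f /var/log/btmp` output and print null-route commands for
# repeat offenders. Nothing here modifies the routing table; the output is
# meant to be reviewed first, then pasted into `sudo sh`.

# Constructed sample in the layout `last -f btmp` prints: attempted user,
# tty, source address, timestamp. These lines are made up for the example.
SAMPLE_BTMP='qwsazx   ssh:notty    175.143.54.193   Tue Jul 12 15:23    gone - no logout
qwsazx   ssh:notty    175.143.54.193   Tue Jul 12 15:23 - 15:23  (00:00)
pi       ssh:notty    185.110.132.201  Tue Jul 12 14:57 - 15:23  (00:26)
pi       ssh:notty    185.110.132.201  Tue Jul 12 14:57 - 14:57  (00:00)
ubnt     ssh:notty    185.110.132.201  Tue Jul 12 14:18 - 14:57  (00:39)
ubnt     ssh:notty    185.110.132.201  Tue Jul 12 14:18 - 14:18  (00:00)
brandon  ssh:notty    175.143.54.193   Tue Jul 12 13:46 - 14:18  (00:31)
root     ssh:notty    185.110.132.201  Tue Jul 12 13:08 - 13:41  (00:33)
support  ssh:notty    118.68.248.183   Tue Jul 12 13:02 - 13:02  (00:00)
admin    ssh:notty    185.110.132.202  Tue Jul 12 12:00 - 12:10  (00:09)
admin    ssh:notty    185.110.132.202  Tue Jul 12 12:00 - 12:00  (00:00)
postgres ssh:notty    209.92.176.23    Tue Jul 12 08:16 - 08:37  (00:20)
root     ssh:notty    40.76.25.178     Tue Jul 12 06:06 - 07:51  (01:45)

btmp begins Tue Jul 12 05:49:01 2016'

# count_sources: stdin = `last -f btmp` output; stdout = "<count> <ip>",
# most active source first. Only ssh records with a dotted-quad source are
# counted, which skips the trailing "btmp begins ..." line and blank lines.
count_sources() {
    awk '$2 == "ssh:notty" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# null_route_cmds MIN: print a `route add` line for every source seen at
# least MIN times. If two or more offending hosts fall in the same /24 the
# whole /24 is routed (assumption: that is how the post's /24 entries arose).
null_route_cmds() {
    count_sources | awk -v min="$1" '
        $1 >= min {
            split($2, o, ".")
            net = o[1] "." o[2] "." o[3]
            per_net[net]++
            host[net] = $2
        }
        END {
            for (net in per_net)
                if (per_net[net] >= 2)
                    printf "route add -net %s.0/24 gateway 127.0.0.1\n", net
                else
                    printf "route add -host %s gateway 127.0.0.1\n", host[net]
        }' | sort
}

# On a real box: sudo last -f /var/log/btmp | null_route_cmds 5
printf '%s\n' "$SAMPLE_BTMP" | null_route_cmds 2
```

Run against the sample with a threshold of 2 it prints one `-host` line for 175.143.54.193 and one `-net` line for 185.110.132.0/24, because both .201 and .202 from that network crossed the threshold. Pick the threshold from your own logs; a single failed attempt is noise, a few dozen from one /24 in a day is the pattern the wall of shame above is built from.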
A word about other approaches like fail2ban
Subject matter experts will point out that tools exist, notably fail2ban, which handle excessive login attempts from a single IP. I already run fail2ban, which you can read about in this posting. The IPs above are generally the ones that somehow persisted through it (fail2ban bans one address at a time and only for a set bantime, so a slow or distributed attacker from one network keeps coming back) and needed extraordinary measures, in my opinion.
August 2017 update
I finally had to reboot my AWS instance after more than three years. I thought about my ssh usage pattern and decided it was really predictable: I only ssh from home or work, both of which have known IPs. And I'm simply tired of seeing all the hack attacks against my server. And I've gotten better with the AWS console out of necessity.
Put it all together and you get a better way to deal with the ssh logins: block ssh (tcp port 22) with an AWS security group rule, except from my home and work addresses. Unlike the route-table entries, which live only in the running kernel and are lost at reboot, security group rules are stateful, persist across reboots, and are enforced before a packet reaches the instance, so the blocked attempts no longer appear in btmp at all.
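As an added example of that rule change (my script, not the author's, and not something the post shows), here is the same allow-list applied with the AWS CLI. The security group id and the two source CIDRs are placeholders (the 203.0.113.0/24 documentation range); it assumes a configured `aws` CLI and an existing world-open port-22 rule to revoke. By default it only prints the commands it would run; set APPLY=1 to execute them. The guard refuses wildcard or very wide CIDRs, since one careless `0.0.0.0/0` entry would silently reopen port 22 to everyone.

```shell
#!/bin/sh
# Added example, not the original post's script: restrict inbound tcp/22 on an
# AWS security group to a short allow-list of source CIDRs.
# Assumptions: the aws CLI is installed and configured; SG_ID is a hypothetical
# group id; the CIDRs passed at the bottom are documentation-range placeholders.
# Commands are printed unless APPLY=1, so the script is safe to run as-is.

SG_ID="${SG_ID:-sg-0123456789abcdef0}"   # hypothetical security group id
APPLY="${APPLY:-0}"

# run: execute the command when APPLY=1, otherwise just show it.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# valid_ssh_cidr CIDR: accept only an IPv4 CIDR with a prefix between /24 and
# /32. Anything wider (and 0.0.0.0/anything) is rejected so the allow-list
# cannot be turned back into "open to the world" by a typo.
valid_ssh_cidr() {
    case "$1" in
        0.0.0.0/*)                                        return 1 ;;
        */)                                               return 1 ;;
        */[0-9]|*/1[0-9]|*/2[0-3])                        return 1 ;;  # /0 .. /23
        */3[3-9]|*/[4-9][0-9]|*/[0-9][0-9][0-9]*)         return 1 ;;  # > /32
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*)               return 0 ;;
        *)                                                return 1 ;;
    esac
}

# restrict_ssh CIDR...: drop the world-open port-22 rule (the revoke fails
# harmlessly if no such rule exists), then allow each listed CIDR. Returns 1
# and stops before authorizing anything if a CIDR fails the guard.
restrict_ssh() {
    run aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
        --protocol tcp --port 22 --cidr 0.0.0.0/0
    for cidr in "$@"; do
        valid_ssh_cidr "$cidr" || { echo "refusing CIDR $cidr" >&2; return 1; }
        run aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
            --protocol tcp --port 22 --cidr "$cidr"
    done
}

# Placeholder home (/32) and work (/26) addresses from 203.0.113.0/24.
restrict_ssh 203.0.113.10/32 203.0.113.64/26
```

The revoke comes first so there is never a moment when both the old open rule and the new narrow ones coexist and the narrowing is silently a no-op. If your home address is dynamic, a /32 will stop matching when it changes; widen it only as far as your provider's allocation actually requires, and re-run the script rather than loosening the guard.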
References and related
My original defense began with an implementation of fail2ban. This is the write-up.