This is interesting if you have a server on the internet that is reachable over SSH. You have probably noticed that from time to time you get hit by SSH brute forcers, trying to get into your server with some of the most common passwords.

Now there is a tool, badips.com, that can visualize these attacks. It’s very simple.

It works like this:

  1. You report the attackers to them
  2. They do all the visualizing stuff

I’ll describe my setup with fail2ban, which is also the simplest one.

First, if you have not already done so, install fail2ban:

apt-get install fail2ban

Second, replace the file /etc/fail2ban/action.d/iptables-multiport.conf with the one you can copy and paste from http://www.badips.com/snippets. Read through the snippet before you overwrite the action file with it.

Then, restart fail2ban.

From now on, all attackers that get banned by fail2ban are also reported to badips.com and the statistics show your attackers as well. But you want to see your attackers only, right?

Let’s proceed:

Third, go back to the shell and type:

wget -q -O - http://www.badips.com/get/key

This should give output like this:

{
  "err":"",
  "suc":"new key ea49a83bab4875db136bfb2c399a52ec5a6cf0f8 has been set.",
  "key":"ea49a83bab4875db136bfb2c399a52ec5a6cf0f8"
}

If not, it might be that your fail2ban has not yet reported any attackers. Try again as soon as it has.
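As an added example (not part of the original post), here is a small POSIX shell function that parses the JSON reply of the /get/key request above, prints the key on success, and fails cleanly when the reply carries an error or no key yet. The two sample replies are constructed for offline testing; the key and the error text in them are made up.

```shell
#!/bin/sh
# Parse the reply of "wget -q -O - http://www.badips.com/get/key".
# Added example, not code from the original post or from badips.com.
# Needs only sh, tr and sed, so it runs offline on the samples below.

# Constructed sample replies (key value and error text are made up).
SAMPLE_OK='{
  "err":"",
  "suc":"new key 0123456789abcdef0123456789abcdef01234567 has been set.",
  "key":"0123456789abcdef0123456789abcdef01234567"
}'
SAMPLE_ERR='{"err":"no reports from this ip yet","suc":"","key":""}'

# badips_key_from_json JSON
#   prints the 40-hex-char key and returns 0, or prints a message to
#   stderr and returns 1 when "err" is set or "key" is missing/empty.
badips_key_from_json() {
    json=$(printf '%s' "$1" | tr -d '\n')
    err=$(printf '%s' "$json" | sed -n 's/.*"err":"\([^"]*\)".*/\1/p')
    key=$(printf '%s' "$json" | sed -n 's/.*"key":"\([0-9a-f]\{40\}\)".*/\1/p')
    if [ -n "$err" ]; then
        printf 'badips.com returned an error: %s\n' "$err" >&2
        return 1
    fi
    if [ -z "$key" ]; then
        printf 'no key in reply; fail2ban may not have reported an attacker yet\n' >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# Live use, as in the post (needs network access):
# badips_key_from_json "$(wget -q -O - http://www.badips.com/get/key)"
```

The key is what ties the reports from your server to you, so store it like any other credential rather than pasting it into shared scripts.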

But if you see output similar to mine above, you now have your own key. With this key, you can personalize the statistics on badips.com:

Fourth, enter the key in the Key: field on the badips.com statistics page and hit return.

You should now see only a subset of the IPs in the database, and these are the ones that attacked you!

See mine as an example.