examine your attackers


This is interesting if you have a server on the internet that is reachable over SSH. You have probably noticed that from time to time you get attacked by SSH brute forcers, trying to get into your server by trying some of the most common passwords.

Now there is a tool, badips.com, that can visualize these attacks. It’s very simple.

It works like this:

  1. You report the attackers to them
  2. They do all the visualizing stuff

I’ll describe my setup with fail2ban, which is also the simplest one.

First, if not already done so, install fail2ban:

apt-get install fail2ban

Second, replace the file /etc/fail2ban/actions.d/iptables-multiport.conf with the one you can copy and paste from http://www.badips.com/snippets.

Then, restart fail2ban.

From now on, all attackers that get banned by fail2ban are also reported to badips.com and the statistics show your attackers as well. But you want to see your attackers only, right?

Let’s proceed:

Third, go back to the shell and type:

wget -q -O - http://www.badips.com/get/key

This should give an output like this:

{
  "err":"",
  "suc":"new key ea49a83bab4875db136bfb2c399a52ec5a6cf0f8 has been set.",
  "key":"ea49a83bab4875db136bfb2c399a52ec5a6cf0f8"
}

If not, it might be that your fail2ban has not yet reported any attackers. Try again as soon as it has.

But if you see an output similar to mine above, you now have your own key! With this key, you can personalize the statistics on badips.com:

Fourth, enter the key in the Key: field on the badips.com statistics page and hit return.

You should now see only a subset of IPs in the database, and these are the attackers that attacked you!

See mine as an example.
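As an added example (not code from the original post or from badips.com), here is a small shell helper that takes the JSON returned by the wget call above and tells the three cases apart: a usable key, an error message from the service, or an empty body, which is what you get when fail2ban has not reported any attacker yet. It only assumes the "err" and "key" field names shown in the sample output above and needs no network access to parse a saved response.

```shell
#!/bin/sh
# Added example, not part of the original post or of badips.com.
# Parses the response of http://www.badips.com/get/key and reports
# whether it contains a key, an error, or nothing at all.

# Extract a top-level string field ("err" or "key") from a one-object JSON body.
# Assumes the flat format shown in the post; not a general JSON parser.
json_field() {
    # $1 = field name, stdin = JSON text
    tr -d '\n' | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Reads the response on stdin. Prints the key and returns 0, or prints
# a diagnostic on stderr and returns 1.
badips_parse_key() {
    body=$(cat)
    if [ -z "$body" ]; then
        echo "empty response: fail2ban probably has not reported a ban yet" >&2
        return 1
    fi
    err=$(printf '%s' "$body" | json_field err)
    key=$(printf '%s' "$body" | json_field key)
    if [ -n "$err" ]; then
        echo "badips error: $err" >&2
        return 1
    fi
    # The key in the post is a 40-character hex string; accept only that shape.
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "no usable key in response" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# Live variant: same URL as in the post, piped through the parser.
badips_fetch_key() {
    wget -q -O - http://www.badips.com/get/key | badips_parse_key
}

# Constructed sample response, copied from the post's example output.
SAMPLE_OK='{
  "err":"",
  "suc":"new key ea49a83bab4875db136bfb2c399a52ec5a6cf0f8 has been set.",
  "key":"ea49a83bab4875db136bfb2c399a52ec5a6cf0f8"
}'
```

Run `badips_fetch_key` on the server itself, or save the response to a file (wget without the `-O -` part) and pipe that file into `badips_parse_key` to see why no key came back.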

4 Comments

  1. Hey, thanks for featuring badips.com!

    I think that one important thing is missing here: you can use the same key for multiple servers!

    Learn how here: http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key

    R, Amy

  2. So, I’ve followed the instructions and placed the config from badips in my config, but I’ve had no luck, even though I’m getting emails that say I’ve banned IPs. Whenever I run the wget command, it returns nothing and kicks me back to the command prompt. Any idea where to start tracking the issue down?

  3. I experience the same error as Aaron. Any suggestions?

  4. mr51m0n

    04.03.2014 at 07:08

    Hi

    Apparently, Aaron’s problems could be solved here: http://www.badips.com/forum#!/questions#unable-to-attain-key-after

    Alternatively, try wget w/o the “-O -” part and look into the saved file to see what the error message is.

    — mr51m0n


© 2015 netmess
