Analyze with Fail2ban
This article is a translation of my original article:
Original: Fail2banした不正アクセスIPを分析する (Analyzing the unauthorized-access IPs banned by Fail2ban)
* Translated automatically by Google.
* Please note that some links or referenced content in this article may be in Japanese.
* Comments in the code were originally written in Japanese.
by bokumin
Introduction
Lately there have been a lot of attackers trying to gain unauthorized access. The activity seems to be picking up more than ever, and even people like me who run servers as a hobby are targets.
Even for SSH, the daemon performs a key exchange and an authentication attempt for every connection, which costs CPU time, especially with password authentication. For someone like me who worries about the electricity bill, these unauthorized accesses are both a waste of resources and a security risk...
So this time I decided to find out from my server logs which countries' IP addresses the attackers are using, and I'd like to share the results.
I summarized the IP addresses banned by Fail2ban's sshd jail from mid-December of last year to the present (April).
*Since the IP addresses used for unauthorized access are often routed through VPNs, jump hosts, proxies and so on, read "country X" below as "network resources in country X are heavily used" rather than as the attacker's actual location.
Results
Number of unauthorized accesses by country

Russia (RU) stands out with 9144 bans, roughly half of the top-10 total. This may be an organized campaign or an attack using a botnet with many nodes in Russia.
China (CN) follows with 3237, then the United States (US) with 2517 and India (IN) with 1003.
Number of unauthorized accesses by hour

On average the most accesses come from Russia, but at the 01:00 peak (Japan time) accesses from China (indigo area) surpassed Russia. Since China is one hour behind Japan, that is exactly 00:00 in China, which suggests scripts scheduled to start at midnight. The United States also shows an increasing trend.
Heatmap

Russia attempts unauthorized access around the clock, continuously rather than concentrated at any particular time.
China, by contrast, peaks at 01:00 and 13:00 Japan time (00:00 and 12:00 in China). Unauthorized access from the United States shows a similar pattern, which hints that the same attackers may be using jump hosts in different countries.
Number of unauthorized accesses by month

Russia has stayed high throughout, while China declined from January to March. In the other countries, attacks continue at a roughly constant rate, though the numbers vary from month to month.
This trend suggests that attacks from Russia are systematic and continuous, while those from other countries may be influenced by events and seasonality. Continued observation is needed.
Identity/Relevance Analysis
We grouped bans that are believed to come from the same attacker when they satisfy the following conditions:
・Ban times within 5 minutes of each other
・Same /24 subnet
・Numerically adjacent IP addresses
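As an added example (the article's Python for this step is not shown, and this is not it), here are those three conditions implemented as connected components over bans in the banned_with_country.csv layout built later in the article. Assumptions not stated in the article: links are only made between bans from the same country (every group listed is single-country), the three conditions are OR-ed, and "numerically close" means within 256 addresses; the sample rows are constructed.

```python
"""Group bans that plausibly share an operator (added example, not the article's code).

Two bans from the same country are linked when ANY of the three conditions holds:
  1. their ban times are within 5 minutes of each other,
  2. they come from the same /24,
  3. their addresses are numerically close (assumed: within 256 addresses).
Connected components of the link graph are the "same attacker" groups.
Same-country linking and the 256 threshold are assumptions, not from the article.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=5)
NEAR_ADDRESSES = 256  # assumed threshold for "IP address close in number"


class UnionFind:
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def parse_rows(csv_text):
    """Parse 'YYYY-MM-DD HH:MM:SS,ip,CC' lines (the banned_with_country.csv layout)."""
    rows = []
    for line in csv_text.strip().splitlines():
        ts, ip, cc = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ipaddress.IPv4Address(ip), cc))
    return rows


def group_bans(rows, min_size=1):
    """Return groups (lists of (time, ip, country)) with at least min_size distinct IPs.

    Linking is transitive, so after sorting by time (and separately by address) it is
    enough to compare each ban with its neighbour: O(n log n) rather than O(n^2).
    """
    uf = UnionFind(len(rows))
    by_country = defaultdict(list)
    for idx, (_, _, cc) in enumerate(rows):
        by_country[cc].append(idx)
    for members in by_country.values():
        # condition 1: consecutive bans within the time window
        members.sort(key=lambda i: rows[i][0])
        for a, b in zip(members, members[1:]):
            if rows[b][0] - rows[a][0] <= TIME_WINDOW:
                uf.union(a, b)
        # conditions 2 and 3: same /24 (top 24 bits equal) or numerically adjacent
        members.sort(key=lambda i: int(rows[i][1]))
        for a, b in zip(members, members[1:]):
            ia, ib = int(rows[a][1]), int(rows[b][1])
            if ia >> 8 == ib >> 8 or ib - ia <= NEAR_ADDRESSES:
                uf.union(a, b)
    groups = defaultdict(list)
    for idx in range(len(rows)):
        groups[uf.find(idx)].append(rows[idx])
    result = [sorted(g) for g in groups.values() if len({ip for _, ip, _ in g}) >= min_size]
    result.sort(key=lambda g: (-len(g), g[0][0]))  # biggest first, then earliest
    return result


# Constructed sample rows in the banned_with_country.csv layout (not real data).
SAMPLE_CSV = """\
2025-04-07 10:49:03,92.255.85.107,RU
2025-04-07 10:52:59,92.255.85.37,RU
2025-04-07 22:10:00,5.228.51.213,RU
2025-04-07 10:30:54,146.190.129.112,US
2025-04-07 10:40:26,64.23.185.5,US
2025-04-07 10:32:47,58.211.191.14,CN
2025-04-07 10:31:00,58.211.191.200,CN
"""

if __name__ == "__main__":
    for n, group in enumerate(group_bans(parse_rows(SAMPLE_CSV), min_size=2), 1):
        print(f"Group {n} ({len(group)} IPs, {group[0][2]}):")
        for ts, ip, cc in group:
            print(f"  {ts:%Y-%m-%d %H:%M:%S}  {ip} ({cc})")
```

Because the time condition chains transitively, a country with a ban every few minutes collapses into one very large group, which is what the 100+ IP groups below look like; tighten TIME_WINDOW or drop condition 1 if you want groups that reflect address adjacency only.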
IP groups believed to be from the same attacker (only groups containing 10 or more IPs)
Group 5 (163 IPs):
194.85.69.22 (RU)
188.187.62.248 (RU)
89.232.73.146 (RU)
80.64.30.77 (RU)
92.126.223.175 (RU)
185.46.18.99 (RU)
95.174.104.112 (RU)
77.82.90.210 (RU)
46.188.119.26 (RU)
81.211.72.167 (RU)
195.239.97.254 (RU)
88.147.148.51 (RU)
195.19.102.197 (RU)
185.147.124.53 (RU)
109.167.197.20 (RU)
92.255.85.107 (RU)
85.209.9.59 (RU)
176.62.82.235 (RU)
178.178.194.135 (RU)
95.79.108.51 (RU)
176.108.145.7 (RU)
185.60.45.240 (RU)
91.244.113.178 (RU)
217.115.87.186 (RU)
95.167.225.76 (RU)
188.168.12.14 (RU)
83.220.172.94 (RU)
78.36.203.8 (RU)
185.147.124.49 (RU)
95.84.148.71 (RU)
77.37.226.228 (RU)
62.183.82.70 (RU)
91.235.247.80 (RU)
91.135.156.170 (RU)
185.42.12.240 (RU)
82.200.65.218 (RU)
185.42.12.141 (RU)
185.147.124.182 (RU)
95.188.91.101 (RU)
92.242.51.118 (RU)
46.28.95.178 (RU)
185.7.214.37 (RU)
95.165.146.62 (RU)
79.132.125.226 (RU)
89.109.4.133 (RU)
95.31.6.109 (RU)
188.255.34.171 (RU)
109.167.200.10 (RU)
109.225.40.22 (RU)
194.113.106.174 (RU)
213.33.204.130 (RU)
5.228.51.213 (RU)
188.254.50.180 (RU)
194.190.153.226 (RU)
87.248.226.146 (RU)
77.105.181.82 (RU)
83.171.89.209 (RU)
89.111.174.44 (RU)
62.192.226.83 (RU)
5.35.125.207 (RU)
178.216.165.187 (RU)
78.36.41.213 (RU)
95.181.86.2 (RU)
185.7.214.240 (RU)
178.178.194.137 (RU)
188.243.152.71 (RU)
89.179.78.247 (RU)
178.178.222.52 (RU)
77.222.32.51 (RU)
91.144.158.231 (RU)
87.225.106.84 (RU)
80.64.30.229 (RU)
185.228.135.173 (RU)
78.132.136.195 (RU)
95.163.228.78 (RU)
86.102.114.36 (RU)
92.255.196.185 (RU)
95.165.65.191 (RU)
109.195.69.156 (RU)
46.31.24.137 (RU)
92.255.85.253 (RU)
5.35.10.189 (RU)
144.206.148.111 (RU)
195.19.97.203 (RU)
5.188.139.78 (RU)
92.255.85.188 (RU)
193.169.28.244 (RU)
85.172.189.189 (RU)
195.218.159.123 (RU)
77.37.174.248 (RU)
109.172.6.23 (RU)
86.102.131.54 (RU)
95.165.26.166 (RU)
5.141.122.210 (RU)
81.13.62.77 (RU)
151.252.84.225 (RU)
109.126.34.84 (RU)
147.45.147.26 (RU)
81.22.51.64 (RU)
92.255.85.37 (RU)
84.22.147.211 (RU)
37.18.38.193 (RU)
5.228.11.207 (RU)
154.205.128.155 (RU)
85.30.248.213 (RU)
94.41.189.177 (RU)
95.141.228.9 (RU)
91.221.7.13 (RU)
217.65.82.98 (RU)
192.166.123.50 (RU)
81.161.18.143 (RU)
79.111.0.58 (RU)
89.179.119.222 (RU)
178.251.140.3 (RU)
45.132.16.59 (RU)
62.76.95.152 (RU)
176.226.180.65 (RU)
5.228.92.193 (RU)
178.35.155.182 (RU)
87.251.102.94 (RU)
92.255.195.59 (RU)
45.89.65.76 (RU)
46.151.242.210 (RU)
178.176.250.39 (RU)
37.208.97.2 (RU)
195.19.4.22 (RU)
178.217.72.50 (RU)
92.255.85.189 (RU)
178.252.214.17 (RU)
188.17.148.221 (RU)
85.12.240.14 (RU)
31.180.219.132 (RU)
91.239.19.66 (RU)
194.113.236.217 (RU)
46.188.19.71 (RU)
85.237.57.200 (RU)
88.205.172.170 (RU)
89.207.218.10 (RU)
176.196.236.146 (RU)
213.135.122.122 (RU)
46.191.141.152 (RU)
103.88.243.115 (RU)
5.16.21.118 (RU)
195.80.50.253 (RU)
46.148.229.196 (RU)
91.241.150.246 (RU)
188.32.247.157 (RU)
178.178.194.131 (RU)
217.24.185.98 (RU)
89.175.253.49 (RU)
176.109.92.170 (RU)
178.140.162.227 (RU)
88.206.18.235 (RU)
93.120.240.202 (RU)
46.0.192.86 (RU)
185.147.124.54 (RU)
91.185.40.201 (RU)
212.192.42.211 (RU)
83.239.84.130 (RU)
84.52.89.218 (RU)
195.190.104.66 (RU)
79.133.182.161 (RU)
62.122.195.14 (RU)
Group 10 (194 IPs):
164.92.111.101 (US)
165.140.237.71 (US)
96.78.175.36 (US)
40.117.97.0 (US)
172.245.174.218 (US)
104.28.201.73 (US)
167.71.166.71 (US)
208.109.39.41 (US)
194.1.184.72 (US)
69.49.247.178 (US)
45.205.24.43 (US)
143.198.16.19 (US)
66.249.79.206 (US)
24.199.127.247 (US)
66.249.66.70 (US)
146.190.60.168 (US)
104.28.233.73 (US)
34.172.117.17 (US)
154.84.61.60 (US)
162.240.163.124 (US)
143.198.59.77 (US)
172.174.72.225 (US)
172.245.177.158 (US)
198.12.107.228 (US)
134.209.120.69 (US)
104.131.14.208 (US)
138.68.51.111 (US)
173.242.114.250 (US)
68.183.20.84 (US)
192.227.211.119 (US)
162.248.101.215 (US)
50.193.220.21 (US)
147.182.191.145 (US)
162.241.131.0 (US)
206.217.133.9 (US)
143.110.205.196 (US)
164.90.131.79 (US)
165.232.147.130 (US)
159.223.175.161 (US)
162.243.168.76 (US)
147.182.194.88 (US)
5.78.50.91 (US)
76.98.54.17 (US)
74.94.234.151 (US)
68.178.201.150 (US)
209.141.52.5 (US)
172.232.20.252 (US)
66.249.65.225 (US)
50.24.152.80 (US)
199.195.248.117 (US)
208.69.84.112 (US)
162.240.228.182 (US)
64.23.174.237 (US)
192.210.228.228 (US)
34.41.17.26 (US)
143.198.110.135 (US)
172.190.89.127 (US)
64.23.146.38 (US)
129.213.226.156 (US)
107.0.200.227 (US)
20.127.224.153 (US)
107.174.34.23 (US)
143.198.104.241 (US)
66.249.69.32 (US)
143.244.150.76 (US)
104.168.46.10 (US)
137.184.190.239 (US)
107.172.46.10 (US)
206.189.229.70 (US)
162.241.234.168 (US)
167.172.142.253 (US)
192.81.211.213 (US)
172.245.42.201 (US)
20.127.244.32 (US)
209.141.55.77 (US)
96.45.190.212 (US)
85.209.134.43 (US)
72.240.121.31 (US)
64.227.11.229 (US)
52.247.71.137 (US)
184.168.22.179 (US)
45.194.37.246 (US)
159.65.233.105 (US)
24.143.127.69 (US)
98.40.228.65 (US)
24.53.160.28 (US)
64.23.140.11 (US)
66.249.66.88 (US)
66.249.79.161 (US)
66.249.66.89 (US)
66.249.69.33 (US)
192.227.248.232 (US)
137.184.8.144 (US)
99.137.178.24 (US)
104.28.254.47 (US)
156.232.10.11 (US)
45.61.187.220 (US)
107.175.197.29 (US)
198.46.207.98 (US)
137.184.97.255 (US)
107.173.10.97 (US)
107.13.145.118 (US)
159.223.195.48 (US)
35.237.94.18 (US)
64.23.185.5 (US)
134.209.118.42 (US)
157.230.95.209 (US)
158.51.126.147 (US)
206.189.187.71 (US)
192.227.134.11 (US)
208.109.188.104 (US)
70.169.19.43 (US)
66.249.66.86 (US)
147.182.251.7 (US)
162.144.119.105 (US)
206.217.131.233 (US)
66.249.79.173 (US)
104.28.163.98 (US)
104.248.120.37 (US)
148.72.152.48 (US)
137.184.184.65 (US)
107.175.32.28 (US)
154.84.61.29 (US)
73.135.119.72 (US)
167.71.106.220 (US)
142.93.11.237 (US)
97.64.23.231 (US)
198.12.77.137 (US)
207.231.111.207 (US)
146.190.50.226 (US)
205.185.113.189 (US)
212.227.232.57 (US)
104.28.157.112 (US)
66.249.71.96 (US)
192.227.237.33 (US)
66.249.79.160 (US)
107.181.179.235 (US)
76.72.14.152 (US)
52.224.71.115 (US)
66.249.65.237 (US)
64.23.131.62 (US)
104.248.1.17 (US)
80.251.219.209 (US)
66.249.66.87 (US)
162.240.69.202 (US)
104.28.163.39 (US)
164.90.148.149 (US)
143.244.178.70 (US)
137.184.202.107 (US)
107.175.33.240 (US)
64.23.166.230 (US)
64.225.55.168 (US)
134.209.119.98 (US)
174.174.123.32 (US)
137.184.116.223 (US)
159.65.251.148 (US)
20.228.36.210 (US)
34.66.178.44 (US)
137.184.229.29 (US)
152.32.148.82 (US)
34.66.72.251 (US)
75.178.99.71 (US)
72.172.44.180 (US)
167.172.146.42 (US)
66.249.66.64 (US)
137.184.60.64 (US)
206.189.205.176 (US)
137.184.188.114 (US)
203.161.42.130 (US)
103.99.179.19 (US)
208.105.193.45 (US)
174.138.56.152 (US)
66.249.69.41 (US)
157.230.187.143 (US)
146.190.129.112 (US)
64.227.7.1 (US)
198.23.221.34 (US)
216.172.190.206 (US)
161.35.231.77 (US)
92.118.112.153 (US)
66.249.65.224 (US)
68.178.200.48 (US)
162.240.109.153 (US)
66.249.69.34 (US)
54.176.7.196 (US)
107.175.39.135 (US)
45.55.38.69 (US)
23.94.202.142 (US)
148.72.64.105 (US)
159.89.233.182 (US)
146.190.155.141 (US)
50.6.196.110 (US)
34.85.163.94 (US)
104.28.157.113 (US)
Group 14 (120 IPs):
117.50.185.16 (CN)
61.154.11.185 (CN)
14.103.116.192 (CN)
218.92.0.228 (CN)
125.72.54.172 (CN)
14.103.132.206 (CN)
113.125.36.77 (CN)
203.33.206.106 (CN)
59.68.63.123 (CN)
27.17.59.38 (CN)
218.92.0.222 (CN)
221.0.111.113 (CN)
36.110.172.218 (CN)
218.92.0.229 (CN)
101.66.172.251 (CN)
60.13.146.4 (CN)
106.36.198.78 (CN)
111.26.89.142 (CN)
39.174.209.153 (CN)
14.153.209.75 (CN)
203.34.48.55 (CN)
36.112.137.127 (CN)
218.92.0.219 (CN)
116.130.185.56 (CN)
121.41.175.243 (CN)
14.103.117.59 (CN)
218.92.0.236 (CN)
112.111.182.152 (CN)
36.138.132.109 (CN)
42.100.35.193 (CN)
218.92.0.220 (CN)
125.124.230.248 (CN)
220.250.58.23 (CN)
14.103.132.7 (CN)
49.64.169.153 (CN)
183.6.118.248 (CN)
117.50.178.36 (CN)
203.189.223.209 (CN)
59.34.217.89 (CN)
14.103.118.121 (CN)
180.76.180.94 (CN)
218.92.0.223 (CN)
14.103.115.225 (CN)
218.92.0.235 (CN)
218.92.0.217 (CN)
117.9.171.168 (CN)
61.147.232.114 (CN)
218.92.0.230 (CN)
123.160.166.21 (CN)
111.53.87.28 (CN)
36.137.188.245 (CN)
203.56.183.6 (CN)
211.95.135.58 (CN)
43.240.221.204 (CN)
183.56.244.224 (CN)
219.147.196.210 (CN)
183.167.198.31 (CN)
218.92.0.185 (CN)
180.100.74.196 (CN)
14.103.117.88 (CN)
218.92.0.221 (CN)
14.103.113.212 (CN)
113.90.141.147 (CN)
218.92.0.112 (CN)
218.92.0.226 (CN)
222.219.141.178 (CN)
14.103.115.172 (CN)
111.198.137.5 (CN)
218.92.0.225 (CN)
49.64.85.138 (CN)
115.190.100.46 (CN)
60.217.78.80 (CN)
218.92.0.184 (CN)
14.103.118.74 (CN)
61.188.205.76 (CN)
111.67.205.216 (CN)
111.42.133.43 (CN)
140.246.49.179 (CN)
218.92.0.227 (CN)
121.229.10.138 (CN)
218.92.0.218 (CN)
218.92.0.233 (CN)
121.224.78.164 (CN)
14.103.113.213 (CN)
1.63.226.147 (CN)
101.89.117.174 (CN)
120.39.211.167 (CN)
218.92.0.231 (CN)
113.88.211.68 (CN)
218.92.0.237 (CN)
218.78.80.243 (CN)
221.182.189.18 (CN)
140.246.119.125 (CN)
61.163.22.171 (CN)
218.92.0.216 (CN)
36.133.192.163 (CN)
218.92.0.114 (CN)
111.67.197.113 (CN)
101.126.142.185 (CN)
122.227.77.118 (CN)
101.254.166.52 (CN)
36.212.227.224 (CN)
218.92.0.198 (CN)
14.103.118.167 (CN)
219.147.74.48 (CN)
114.217.52.115 (CN)
183.56.201.7 (CN)
120.25.154.5 (CN)
101.126.92.215 (CN)
116.198.227.190 (CN)
120.238.70.36 (CN)
218.92.0.232 (CN)
14.103.92.40 (CN)
60.171.135.254 (CN)
183.238.185.114 (CN)
1.202.223.2 (CN)
101.126.54.88 (CN)
218.92.0.111 (CN)
Group 15 (10 IPs):
193.32.162.79 (NL)
77.61.64.143 (NL)
193.32.162.131 (NL)
128.199.33.46 (NL)
193.32.162.132 (NL)
185.224.3.211 (NL)
81.161.238.41 (NL)
193.32.162.136 (NL)
193.32.162.133 (NL)
34.91.0.68 (NL)
Group 41 (12 IPs):
103.30.194.191 (SG)
148.72.246.251 (SG)
167.71.223.38 (SG)
97.74.83.185 (SG)
167.71.205.250 (SG)
167.172.87.35 (SG)
157.230.36.221 (SG)
68.183.228.15 (SG)
103.189.235.46 (SG)
128.199.174.17 (SG)
148.66.132.190 (SG)
152.32.219.39 (SG)
Group 48 (14 IPs):
104.236.206.98 (US)
143.198.130.72 (US)
24.144.110.238 (US)
143.110.239.37 (US)
104.236.121.51 (US)
134.122.0.63 (US)
192.210.149.60 (US)
164.92.64.146 (US)
209.38.129.40 (US)
64.23.136.79 (US)
146.190.41.101 (US)
159.223.151.159 (US)
143.198.58.150 (US)
23.94.194.145 (US)
Group 54 (22 IPs):
64.227.128.72 (IN)
14.195.36.118 (IN)
122.163.122.138 (IN)
117.247.239.202 (IN)
103.182.161.204 (IN)
103.241.147.147 (IN)
20.193.141.133 (IN)
20.197.38.218 (IN)
115.245.191.82 (IN)
49.204.74.149 (IN)
117.248.104.34 (IN)
45.248.25.226 (IN)
115.187.61.70 (IN)
52.140.61.101 (IN)
122.186.237.30 (IN)
103.176.138.75 (IN)
136.232.203.134 (IN)
122.186.237.29 (IN)
123.252.238.214 (IN)
182.79.15.118 (IN)
136.232.94.34 (IN)
159.65.147.20 (IN)
Group 58 (21 IPs):
14.103.118.146 (CN)
113.219.174.145 (CN)
14.103.115.5 (CN)
223.245.214.109 (CN)
106.227.5.54 (CN)
101.126.143.162 (CN)
175.178.194.90 (CN)
143.64.168.136 (CN)
117.185.38.2 (CN)
36.134.69.15 (CN)
221.216.7.58 (CN)
49.7.154.4 (CN)
218.78.111.107 (CN)
14.108.213.7 (CN)
36.133.170.211 (CN)
119.188.168.58 (CN)
120.35.20.65 (CN)
14.29.160.20 (CN)
106.12.170.98 (CN)
114.220.176.169 (CN)
Group 67 (13 IPs):
14.225.202.217 (VN)
116.118.48.183 (VN)
171.244.63.241 (VN)
116.110.95.177 (VN)
116.110.88.34 (VN)
103.90.227.171 (VN)
116.98.168.250 (VN)
14.241.229.103 (VN)
116.98.164.206 (VN)
14.172.44.158 (VN)
14.225.3.79 (VN)
116.110.126.74 (VN)
103.149.28.105 (VN)
Group 78 (22 IPs):
103.31.39.66 (ID)
103.176.78.100 (ID)
103.117.56.147 (ID)
103.176.79.117 (ID)
103.139.193.116 (ID)
103.183.75.218 (ID)
103.154.77.2 (ID)
103.49.238.104 (ID)
103.217.145.120 (ID)
103.174.114.176 (ID)
103.193.178.246 (ID)
116.193.191.138 (ID)
203.145.34.156 (ID)
202.157.176.210 (ID)
103.196.154.42 (ID)
103.176.78.13 (ID)
36.71.189.26 (ID)
103.193.178.116 (ID)
38.47.76.184 (ID)
103.148.100.1 (ID)
103.174.114.50 (ID)
103.157.25.4 (ID)
Group 119 (11 IPs):
52.183.128.237 (IN)
157.66.144.15 (IN)
47.247.25.218 (IN)
14.99.254.18 (IN)
165.154.201.122 (IN)
103.211.219.50 (IN)
64.227.146.240 (IN)
103.180.176.7 (IN)
114.143.74.50 (IN)
59.92.213.249 (IN)
74.225.218.89 (IN)
Group 138 (10 IPs):
111.67.201.36 (CN)
220.203.12.53 (CN)
150.139.201.247 (CN)
123.138.71.70 (CN)
116.181.10.129 (CN)
218.60.50.226 (CN)
14.103.116.0 (CN)
113.134.212.242 (CN)
59.34.57.200 (CN)
222.173.82.198 (CN)
Group 141 (11 IPs):
104.248.57.206 (US)
167.71.104.237 (US)
143.198.117.46 (US)
24.8.11.101 (US)
74.211.101.139 (US)
165.227.66.170 (US)
103.142.87.225 (US)
159.223.200.65 (US)
34.122.106.61 (US)
159.223.98.243 (US)
162.144.85.107 (US)
Group 148 (12 IPs):
180.252.207.213 (ID)
36.64.211.93 (ID)
27.112.78.164 (ID)
103.52.115.223 (ID)
210.79.191.108 (ID)
103.176.79.210 (ID)
103.139.193.239 (ID)
202.51.214.98 (ID)
103.171.85.186 (ID)
103.63.25.12 (ID)
103.183.74.130 (ID)
202.157.189.21 (ID)
Group 265 (11 IPs):
111.67.195.17 (CN)
14.103.114.221 (CN)
120.48.27.190 (CN)
14.103.111.127 (CN)
113.134.211.60 (CN)
14.103.161.171 (CN)
122.115.225.109 (CN)
14.103.117.91 (CN)
140.249.222.85 (CN)
220.181.77.166 (CN)
14.29.207.189 (CN)
Group 267 (17 IPs):
185.191.171.7 (US)
57.141.3.16 (US)
40.77.167.75 (US)
185.191.171.9 (US)
85.208.96.206 (US)
23.98.179.19 (US)
57.141.3.14 (US)
192.0.89.215 (US)
147.185.132.27 (US)
57.141.3.29 (US)
52.167.144.186 (US)
209.85.238.71 (US)
20.42.10.177 (US)
57.141.3.26 (US)
69.63.189.114 (US)
34.221.224.187 (US)
23.98.179.20 (US)
Group 279 (11 IPs):
178.62.28.72 (GB)
165.22.125.55 (GB)
134.122.101.129 (GB)
206.189.26.115 (GB)
165.22.115.91 (GB)
206.189.119.218 (GB)
161.35.32.24 (GB)
139.59.188.13 (GB)
209.97.184.228 (GB)
165.22.126.119 (GB)
167.172.58.240 (GB)
Group 456 (10 IPs):
106.12.167.36 (CN)
113.31.107.103 (CN)
180.76.121.98 (CN)
180.167.153.230 (CN)
121.229.31.33 (CN)
124.114.180.50 (CN)
223.100.248.64 (CN)
101.126.148.106 (CN)
120.245.136.79 (CN)
14.103.114.136 (CN)
IPs belonging to legitimate private companies:
- Some Russian and American IPs are assigned to legitimate companies
- Their infrastructure may have been compromised and made part of a botnet
IPs of national carriers:
- In China and India, IPs from state-run carriers are heavily used
- These operators are large and tend to be slow to respond to abuse reports
Hosting provider IPs:
- In Indonesia, Vietnam, etc., many IPs belong to cloud hosting providers
- These providers are sensitive to terms-of-service violations and often respond quickly to reports
PPPoE dynamic address pools:
- These are likely part of a botnet
- Cases of what appear to be compromised home computers have been seen in the United States and Russia
Conclusion
With a tool like fail2ban you can find out the IP addresses of whoever is attempting unauthorized access. On Linux you can then look up who is behind an address with whois (registry/ownership data) or dig -x (reverse DNS), so if you run a server, give it a try.
Use AbuseIPDB to check an attacker's IP and, if necessary, report it.
$ whois IP-ADDRESS
# or, for the reverse DNS name of the address
$ dig -x IP-ADDRESS
The commands used for this work are summarized below, so please use them as a reference.
Graphs and group extraction parts are created using Python.
Creation steps
I created a directory under my home directory and copied all the fail2ban logs from /var/log into it, decompressing the compressed (*.xz) ones as needed.
# create a working directory
$ mkdir ~/log; cd ~/log
$ sudo cp /var/log/fail2ban.log* .
# hand ownership to the user/group doing the analysis
$ sudo chown USER:GROUP fail2ban.log*
$ xz -d *.xz
Next, I used grep to extract the lines containing the string "Ban " (with the trailing space, so "Unban" lines are not matched) from the copied logs into a file called Ban.log. This gives a list of which IP addresses were banned and when. Note that this matches bans from every jail, not only sshd: the sample output below includes an apache-fakegooglebot ban, and that address (66.249.66.88) also shows up in the US group above. To keep only SSH bans, grep for "[sshd] Ban " instead.
$ grep "Ban " fail2ban.log* > Ban.log
Check the result with tail or similar; if the lines look like the following, it worked.
$ tail Ban.log
fail2ban.log-newest:2025-04-07 10:30:20,336 fail2ban.actions [1724]: NOTICE [sshd] Ban 118.36.34.88
fail2ban.log-newest:2025-04-07 10:30:54,554 fail2ban.actions [1724]: NOTICE [sshd] Ban 146.190.129.112
fail2ban.log-newest:2025-04-07 10:32:47,790 fail2ban.actions [1724]: NOTICE [sshd] Ban 58.211.191.14
fail2ban.log-newest:2025-04-07 10:40:26,330 fail2ban.actions [1724]: NOTICE [sshd] Ban 64.23.185.5
fail2ban.log-newest:2025-04-07 10:44:37,491 fail2ban.actions [1724]: NOTICE [apache-fakegooglebot] Ban 66.249.66.88
fail2ban.log-newest:2025-04-07 10:49:03,875 fail2ban.actions [1724]: NOTICE [sshd] Ban 92.255.85.107
fail2ban.log-newest:2025-04-07 10:51:29,131 fail2ban.actions [1724]: NOTICE [sshd] Ban 43.156.246.95
fail2ban.log-newest:2025-04-07 10:52:59,972 fail2ban.actions [1724]: NOTICE [sshd] Ban 92.255.85.37
fail2ban.log-newest:2025-04-07 10:58:06,057 fail2ban.actions [1724]: NOTICE [sshd] Ban 188.81.58.46
After that, I used sed with a regular expression to reduce each line to a CSV with only the date/time and the IP address. Lines that do not match the pattern pass through sed unchanged, so check the output with tail as well as comparing line counts.
$ grep "NOTICE" Ban.log | sed -E 's/.*([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}).*Ban ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1,\2/' > banned.csv
# check that no lines were lost
$ wc -l banned.csv Ban.log
26010 banned.csv
26010 Ban.log
52020 total
# OK if each line is just the date/time and the IP
$ tail banned.csv
2025-04-07 10:30:20,118.36.34.88
2025-04-07 10:30:54,146.190.129.112
2025-04-07 10:32:47,58.211.191.14
2025-04-07 10:40:26,64.23.185.5
2025-04-07 10:44:37,66.249.66.88
2025-04-07 10:49:03,92.255.85.107
2025-04-07 10:51:29,43.156.246.95
2025-04-07 10:52:59,92.255.85.37
2025-04-07 10:58:06,188.81.58.46
2025-04-07 11:00:45,103.132.16.142
# if rotated log files overlap and produce duplicate lines or out-of-order timestamps, sort and deduplicate
$ sort banned.csv | uniq > sort_banned.csv
Since an IP address alone does not tell you which country the access came from, this time I used the IP2Location LITE DB1 (IP-to-country, IPv4 only) database. Download it from the URL below and unzip it.
wget -q https://download.ip2location.com/lite/IP2LOCATION-LITE-DB1.CSV.ZIP
unzip -q IP2LOCATION-LITE-DB1.CSV.ZIP
Next, I wrote a shell script, make.sh, that converts each IP address in banned.csv (date/time and IP only) to its integer form and looks up the matching country range in the IP2Location CSV. Note that it scans the whole CSV once per address, so with tens of thousands of bans it takes a while.
#!/bin/bash
# Resolve each banned IP to a country code using the IP2Location LITE DB1 CSV.
input_file="banned.csv"        # use sort_banned.csv here if you deduplicated
output_file="banned_with_country.csv"
ip_db_file="IP2LOCATION-LITE-DB1.CSV"

cleanup() {
    rm -f tmp_input.csv tmp_db.csv
}
trap cleanup EXIT

# Preprocessing: strip quotes and CR so awk sees plain numeric fields
awk '{ gsub(/["\r]/,""); print }' "$input_file" > tmp_input.csv
awk '{ gsub(/["\r]/,""); print }' "$ip_db_file" > tmp_db.csv

# Convert a dotted-quad IPv4 address to the integer form used by the IP2Location
# ranges (the nameref needs bash 4.3 or newer)
ip_to_num() {
    local ip=$1
    local -n num=$2
    num=0
    for ((i=0; i<4; i++)); do
        ((num += ${ip%%.*} * (256 ** (3 - i))))
        ip=${ip#*.}
    done
}

: > "$output_file"   # start from an empty file so reruns do not append duplicates
while IFS=, read -r timestamp ip; do
    # skip anything that is not a plain IPv4 address (IPv6 bans, malformed lines)
    [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || continue
    ip_to_num "$ip" ip_num
    # first range whose [ip_from, ip_to] contains the address; "-" means unassigned
    country=$(awk -F, -v t="$ip_num" '
        $1 <= t && t <= $2 && $3 != "-" { print $3; exit }' tmp_db.csv)
    echo "$timestamp,$ip,$country" >> "$output_file"
    echo -n "."
done < tmp_input.csv
echo
If the output looks like the following, it is done. *Spot-check a few IPs directly on AbuseIPDB or similar to confirm the country codes are correct.
$ tail banned_with_country.csv
2025-04-07 10:30:20,118.36.34.88,KR
2025-04-07 10:30:54,146.190.129.112,US
2025-04-07 10:32:47,58.211.191.14,CN
2025-04-07 10:40:26,64.23.185.5,US
2025-04-07 10:44:37,66.249.66.88,US
2025-04-07 10:49:03,92.255.85.107,RU
2025-04-07 10:51:29,43.156.246.95,SG
2025-04-07 10:52:59,92.255.85.37,RU
2025-04-07 10:58:06,188.81.58.46,PT
2025-04-07 11:00:45,103.132.16.142,IN
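The whole procedure above (grep for bans, reduce to date and IP, resolve the country from the IP2Location CSV) as one Python script, added here as an example; it is not the article's own code. It makes three changes a practitioner would want: only the requested jail is kept (the grep step matches every jail, including apache-fakegooglebot), "Restore Ban" lines that fail2ban writes when it re-applies persisted bans after a restart are not counted as new bans, and the country lookup is a binary search over the sorted ranges instead of a scan of the whole CSV once per address. The log lines and the IP2Location-style rows are constructed for the example; the real DB1 file has hundreds of thousands of rows and is read the same way.

```python
"""fail2ban log -> (timestamp, ip, country) rows in one script.
Added example, not the article's code. Keeps one jail, skips "Restore Ban"
lines and duplicates, and resolves countries with bisect over the DB1 ranges.
"""
import bisect
import csv
import io
import ipaddress
import re
from collections import Counter

# One fail2ban NOTICE line, optionally prefixed with "filename:" as grep prints it.
BAN_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[\w.-]+)\] (?P<restore>Restore )?Ban (?P<ip>\S+)"
)

def parse_ban_line(line):
    """Return (timestamp, jail, ip, restored) or None for non-ban lines (e.g. Unban)."""
    m = BAN_RE.search(line)
    if not m:
        return None
    return m["ts"], m["jail"], m["ip"], m["restore"] is not None

def load_ip2location(csv_text):
    """Parse IP2LOCATION-LITE-DB1.CSV rows ("ip_from","ip_to","cc","country").
    Returns (starts, ends, codes) as parallel lists sorted by ip_from for bisect."""
    rows = sorted((int(r[0]), int(r[1]), r[2])
                  for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 3)
    return [r[0] for r in rows], [r[1] for r in rows], [r[2] for r in rows]

def lookup_country(db, ip):
    """Country code for an IPv4 address; None if unassigned ("-") or not IPv4."""
    try:
        n = int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:  # IPv6 or malformed; DB1 is IPv4-only
        return None
    starts, ends, codes = db
    i = bisect.bisect_right(starts, n) - 1  # last range starting at or before n
    if i >= 0 and n <= ends[i] and codes[i] != "-":
        return codes[i]
    return None

def bans_with_country(log_text, db, jail="sshd"):
    """(timestamp, ip, country) for fresh bans from one jail, duplicates removed."""
    seen, rows = set(), []
    for line in log_text.splitlines():
        parsed = parse_ban_line(line)
        if parsed is None:
            continue
        ts, jail_name, ip, restored = parsed
        if jail_name != jail or restored or (ts, ip) in seen:
            continue
        seen.add((ts, ip))
        rows.append((ts, ip, lookup_country(db, ip)))
    return rows

def country_counts(rows):
    """Bans per country: the input for the 'by country' chart."""
    return Counter(cc for _, _, cc in rows)

# Constructed sample log (fail2ban's format; the events are made up for this example).
SAMPLE_LOG = """\
fail2ban.log:2025-04-07 10:30:20,336 fail2ban.actions [1724]: NOTICE [sshd] Ban 118.36.34.88
fail2ban.log:2025-04-07 10:30:54,554 fail2ban.actions [1724]: NOTICE [sshd] Ban 146.190.129.112
fail2ban.log:2025-04-07 10:44:37,491 fail2ban.actions [1724]: NOTICE [apache-fakegooglebot] Ban 66.249.66.88
fail2ban.log:2025-04-07 10:49:03,875 fail2ban.actions [1724]: NOTICE [sshd] Ban 92.255.85.107
fail2ban.log:2025-04-07 10:49:03,875 fail2ban.actions [1724]: NOTICE [sshd] Ban 92.255.85.107
fail2ban.log:2025-04-07 11:05:00,001 fail2ban.actions [1724]: NOTICE [sshd] Restore Ban 92.255.85.107
fail2ban.log:2025-04-07 11:06:12,010 fail2ban.actions [1724]: NOTICE [sshd] Unban 118.36.34.88
"""

def _toy_range(cidr, cc, name):
    net = ipaddress.ip_network(cidr)
    return f'"{int(net[0])}","{int(net[-1])}","{cc}","{name}"'

# Toy IP2Location-style rows (constructed /16 ranges, NOT the real database).
SAMPLE_DB = "\n".join([
    '"0","16777215","-","-"',
    _toy_range("118.36.0.0/16", "KR", "Korea (Republic of)"),
    _toy_range("146.190.0.0/16", "US", "United States of America"),
    _toy_range("92.255.0.0/16", "RU", "Russian Federation"),
])

if __name__ == "__main__":
    db = load_ip2location(SAMPLE_DB)
    for ts, ip, cc in bans_with_country(SAMPLE_LOG, db):
        print(f"{ts},{ip},{cc or ''}")
```

To run it on real data, read Ban.log (or the raw fail2ban.log* files; the regex does not need the grep step) into log_text and the downloaded IP2LOCATION-LITE-DB1.CSV into load_ip2location; the apache-fakegooglebot address from the sample resolves to None here only because the toy ranges do not cover it.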