Geolocation of worst offenders who try to probe/hack your site?
Every time I look at my raw logfiles, I'm amazed at the number of people who are trying to probe or hack my websites. Most of the time it's obvious they are using some dumb script and they are probing for vulnerabilities with common apps like WordPress, etc. And while they are annoying, they are generally nothing to worry about if you've patched your server and run the usual protections, firewall, lock down your apps, etc., -- all the normal things you should do.
If you haven't done so recently, take a look at your logfiles and see what's in there. It's fascinating.
Geographically, it's pretty diverse, with a lot of attempts from the usual expected places like China, Russia, Belarus, India, Vietnam, Singapore, plenty from the US too of course (New York and New Jersey being at the top of US activity for me, I'm guessing a lot of VPNs in the mix too, etc...). Been surprised to see more activity lately from Australia and Brazil though.
Anyway, curious what you see in your logfiles? Any surprise geolocations that pop out for you?
P..S.: Also, it kind of bugs me that a lot of these IPs are from "reputable" providers like Amazon, Digital Ocean, OVH, etc., and you'd think they'd care about shutting down so many users who are violating their TOS.
but it changes a lot from month to month, biggest ISPs is Digital Ocean and OVH
You never received from Colocrossing, QuadraNet?
So much from China and India and ColoCrossing.
Now that surprises me. A country of 11 million people. Interesting. All the others in your list have about 6-130 TIMES the population!
It’s so much China that I sometimes wonder if it’s worth doing the math to see if the decreased load from blocking China would be worth more money than refunding every customer in China. That I even question it just goes to show how absurd the volume is.
China, Russia, India, Pakistan etc
ik but the population doesn't always tell the spammers rate
I am getting many spammers/bots from Dominican for some reason
Dropping all traffic from ColoCrossing, DediPath, OVH, M247, QuadraNet, China, India, and Hetzner (as well as any provider offering free trials or free credit) basically reduces abuse to 0. Listed the biggest offenders but there's definitely more. ColoCrossing and DediPath are where most of the layer 7 DDoS originates from, and I've gotten some massive floods from DO/Linode.
If I ask Graylog for the offenders with most failed logins in the sshd logfiles or the last 30 days and plot them with geoip I get this. Note that these are the ones that got past fail2ban, so the worst crap is already discarded.
The data is collected from ~30 vps's in various locations.
I get total 14430 IPs from worldwide that try to guess the email account password.
All IPs are here,zero false positive
I've wondered something similar. Does it make sense to block an entire country when 99.5%+ of the traffic from that country is made up of attacks and probes? I don't run an email service like you obviously, but I imagine it's a real financial equation for you. But then on the other hand, I think, well, in my case there's 0.5% (or less) traffic that is actually legit, so I want to provide content/service/whatever to that tiny group of individuals too. So I never close the door, but in your case you probably have some real costs involved. Interesting problem to deal with.
Indeed, population doesn't always correlate, but it sure is interesting that of all the countries on your list, Dominican Republic pops up with the frequency it does for you. I wonder about seeming anomalies like that, and what might have triggered it.
In my case, Australia and Brazil have been popping up more than expected, it's so strange and I have no idea why. And there may not be a good answer -- other than it could be just random patterns and fluctuations and statistical curves over time, like bird migrations. Next month it might be Dominican Republic for me too! Or maybe there is something related to IP ranges, content that attracts attention, or release cycles of script tools that are popular in different regions, etc...? Who knows.
Very cool graph... thanks for doing that.
I already have the data in Graylog so it's just a matter of creating a dashboard. Graylog is actually quite powerful and often underestimated.
It actually made me realize that I could use all this data and forcefeed it to fail2ban.
Just looking at the top origins with failed logins past 24 hours it's quite easy to easily identify networks that should have been blocked already. I don't know who 61.177.x.x is but I'm pretty sure its not someone I wish to communicate with.
Was China until I used Crowdsec to ban all 110 million IP's from Chinanet on all my servers.
Now it's honestly a fairly even mix most of the time.
Does it vary depending on the location of the target? (My guess is no.)
In my case, no. I get pretty similar results, although actually I have one service in northern Europe that seems to get more attacks from Russia, etc... So maybe it varies a little by location? Maybe some of the attacks are focusing on datacenters that are closer to them? Curious what other people see.
Lot of Taiwan IP's being blocked lately.
I can not see that the geographical location make any noticeable difference, however it does seem like certain ip ranges are more targeted then other.
I also have one vps that seems to attract a lot of interest from south america. I have no idea why, geographically it is not even close, but it always has a lot more attempts from south america than any of my other vps's. I have vps's that are actually located in south america that get way less hits than this one, so it must have something to do with that particular ip range.
Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.
I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.
Attacks are from about the same geo locations though. No surprises there.
Here's a list of 20k IPs Fail2Ban has blocked on one of my servers.
Nice to know bots are being fed regularly. Starting to worry about them a bit.
Well I guess it does go to show that we shouldn't be too lazy when setting up a new domain. If someone thinks, "nahhh, nobody knows about this domain yet, so no one is going to attack it yet," then think again. Because someone is watching new domain registrations and I think you're right, feeding them into some database for bots, like you say.
Just setup a scraper funnel to a bot. Blamo got your unattended hacking, jacking, script kiddie, what ever you want to call it thingamadohickey and think you are elite or something.
Yep. That would do it.
BTW, thinking about this makes me even more impressed at how robust open source software can be when properly configured. I mean with the insane onslaught of attacks that happen daily, it's pretty cool that millions of servers just keep on spinning away serving legit traffic.
Yeape it is amazing sometimes. Always a better mouse trap as they say.
In the past, you could not install Microsoft Windows on a system that was open to the internet. You had to do it behind a firewall. Otherwise, attackers would infect your new system before you could download and install the patches that protected against the vulnerabilities that they just exploited.
Today's "fresh domain attacks" may be probing for an "opportunity window" between when the server first appears and when it is fully patched. That is one possible explanation of many, I'm sure.