Geolocation of worst offenders who try to probe/hack your site?

Every time I look at my raw logfiles, I'm amazed at the number of people who are trying to probe or hack my websites. Most of the time it's obvious they are using some dumb script and they are probing for vulnerabilities with common apps like WordPress, etc. And while they are annoying, they are generally nothing to worry about if you've patched your server and run the usual protections, firewall, lock down your apps, etc., -- all the normal things you should do.

If you haven't done so recently, take a look at your logfiles and see what's in there. It's fascinating.

Geographically, it's pretty diverse, with a lot of attempts from the usual expected places like China, Russia, Belarus, India, Vietnam, Singapore, plenty from the US too of course (New York and New Jersey being at the top of US activity for me, I'm guessing a lot of VPNs in the mix too, etc...). Been surprised to see more activity lately from Australia and Brazil though.

Anyway, curious what you see in your logfiles? Any surprise geolocations that pop out for you?

P..S.: Also, it kind of bugs me that a lot of these IPs are from "reputable" providers like Amazon, Digital Ocean, OVH, etc., and you'd think they'd care about shutting down so many users who are violating their TOS.

Comments

    1. INDIA
    2. USA
    3. VIETNAM

    but it changes a lot from month to month; the biggest ISPs are Digital Ocean and OVH

  • sandoz Veteran
    edited January 2023
    1. China
    2. India, Bangladesh, Pakistan (Microsoft Support scams..... uhhh)
    3. US

    @kait said:
    1. INDIA
    2. USA
    3. VIETNAM

    but it changes a lot from month to month; the biggest ISPs are Digital Ocean and OVH

    You never received from Colocrossing, QuadraNet?

  • So much from China and India and ColoCrossing.

  • kdh Member
    1. China
    2. USA
    3. India
    4. Germany
    5. France
    6. Dominican Republic
  • @kdh said:
    6. Dominican Republic

    Now that surprises me. A country of 11 million people. Interesting. All the others in your list have about 6-130 TIMES the population!

  • jar Patron Provider, Top Host, Veteran

    It’s so much China that I sometimes wonder if it’s worth doing the math to see if the decreased load from blocking China would be worth more money than refunding every customer in China. That I even question it just goes to show how absurd the volume is.

  • China, Russia, India, Pakistan etc

  • kdh Member

    @jlet88 said:

    @kdh said:
    6. Dominican Republic

    Now that surprises me. A country of 11 million people. Interesting. All the others in your list have about 6-130 TIMES the population!

    ik but the population doesn't always tell the spammers rate :smile:
    I am getting many spammers/bots from Dominican for some reason

  • Dropping all traffic from ColoCrossing, DediPath, OVH, M247, QuadraNet, China, India, and Hetzner (as well as any provider offering free trials or free credit) basically reduces abuse to 0. Listed the biggest offenders but there's definitely more. ColoCrossing and DediPath are where most of the layer 7 DDoS originates from, and I've gotten some massive floods from DO/Linode.

  • If I ask Graylog for the offenders with the most failed logins in the sshd logfiles for the last 30 days and plot them with geoip, I get this. Note that these are the ones that got past fail2ban, so the worst crap is already discarded.
    The data is collected from ~30 VPSs in various locations.

  • I get a total of 14430 IPs from worldwide that try to guess the email account password.

    All IPs are here, zero false positives:
    https://we.tl/t-DHEt7i5eCT

  • @jar said:
    It’s so much China that I sometimes wonder if it’s worth doing the math to see if the decreased load from blocking China would be worth more money than refunding every customer in China. That I even question it just goes to show how absurd the volume is.

    I've wondered something similar. Does it make sense to block an entire country when 99.5%+ of the traffic from that country is made up of attacks and probes? I don't run an email service like you obviously, but I imagine it's a real financial equation for you. But then on the other hand, I think, well, in my case there's 0.5% (or less) traffic that is actually legit, so I want to provide content/service/whatever to that tiny group of individuals too. So I never close the door, but in your case you probably have some real costs involved. Interesting problem to deal with.

  • @kdh said:

    @jlet88 said:

    @kdh said:
    6. Dominican Republic

    Now that surprises me. A country of 11 million people. Interesting. All the others in your list have about 6-130 TIMES the population!

    ik but the population doesn't always tell the spammers rate :smile:
    I am getting many spammers/bots from Dominican for some reason

    Indeed, population doesn't always correlate, but it sure is interesting that of all the countries on your list, Dominican Republic pops up with the frequency it does for you. I wonder about seeming anomalies like that, and what might have triggered it.

    In my case, Australia and Brazil have been popping up more than expected, it's so strange and I have no idea why. And there may not be a good answer -- other than it could be just random patterns and fluctuations and statistical curves over time, like bird migrations. Next month it might be Dominican Republic for me too! Or maybe there is something related to IP ranges, content that attracts attention, or release cycles of script tools that are popular in different regions, etc...? Who knows.

  • @rcy026 said:

    Very cool graph... thanks for doing that.

  • 1.France 2.US

  • @jlet88 said:

    @rcy026 said:

    Very cool graph... thanks for doing that.

    I already have the data in Graylog so it's just a matter of creating a dashboard. Graylog is actually quite powerful and often underestimated. :smile:

    It actually made me realize that I could use all this data and force-feed it to fail2ban.
    Just looking at the top origins with failed logins in the past 24 hours, it's quite easy to identify networks that should have been blocked already. I don't know who 61.177.x.x is, but I'm pretty sure it's not someone I wish to communicate with.

    Origin_ip       Failed_logins
    61.177.172.19   483
    61.177.173.35   448
    61.177.172.90   432
    61.177.173.53   431
    61.177.173.36   427
    195.226.194.142 426
    61.177.173.49   424
    61.177.173.48   416
    61.177.173.50   395
    61.177.172.108  394
    61.177.173.51   394
    195.226.194.242 382
    194.110.203.109 380
    61.177.173.46   371
    61.177.173.47   367
    61.177.173.52   361
    61.177.173.37   358
    61.177.172.104  342
    61.177.172.114  332
    61.177.172.98   330
    61.177.172.124  324
    61.177.173.39   317
    61.177.173.7    289
    61.177.173.22   265
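The workflow the two Graylog posts above describe (count failed sshd logins per source, roll the counts up to a network, tag each with a country, and hand the worst networks to fail2ban) can be done with a short script when you do not have Graylog. The following is an added example written for this thread, not code from the poster or from the Graylog or fail2ban projects. The log lines and the CIDR-to-country table are constructed for the example (the addresses echo the 61.177.x.x range in the table above), the country assignments are placeholders rather than a real geoip database, and the `fail2ban-client set <jail> banip` form is assumed to accept CIDR networks as it does on fail2ban 0.10 and later.

```python
"""Count failed sshd logins per source IP, roll them up to networks, tag them
with a country from a small CIDR table and list the networks that cross a
threshold, in a form fail2ban could consume.

All sample data below is constructed for this example; the country table is a
stand-in for a geoip database, not real attribution."""
import ipaddress
import re
from collections import Counter

# Constructed auth.log excerpt in the usual OpenSSH format (not real log data).
SAMPLE_LOG = """\
Jan 14 03:12:01 vps1 sshd[2211]: Failed password for root from 61.177.172.19 port 40122 ssh2
Jan 14 03:12:03 vps1 sshd[2211]: Failed password for root from 61.177.172.19 port 40130 ssh2
Jan 14 03:12:05 vps1 sshd[2214]: Failed password for invalid user admin from 61.177.173.35 port 51002 ssh2
Jan 14 03:12:09 vps1 sshd[2217]: Failed password for root from 195.226.194.142 port 33012 ssh2
Jan 14 03:12:11 vps1 sshd[2219]: Accepted publickey for deploy from 203.0.113.7 port 50211 ssh2
Jan 14 03:12:14 vps1 sshd[2221]: Failed password for root from 61.177.172.90 port 40211 ssh2
Jan 14 03:12:20 vps1 sshd[2223]: Failed password for invalid user test from 198.51.100.9 port 60001 ssh2
"""

# Hypothetical CIDR -> country table standing in for a geoip lookup.
GEO_TABLE = {
    "61.177.0.0/16": "CN",      # placeholder assignment
    "195.226.194.0/24": "DE",   # placeholder assignment
}

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text):
    """Return a Counter of failed-login source IPs; other lines are ignored."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def rollup(ip_counts, prefix=24):
    """Sum per-IP counts into /prefix networks so a range of neighbouring
    hosts (61.177.172.x, 61.177.173.x ...) shows up as one offender."""
    nets = Counter()
    for ip, n in ip_counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] += n
    return nets


def country_of(ip, table=GEO_TABLE):
    """Longest-match lookup in the CIDR table; '??' when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "??", -1
    for cidr, cc in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = cc, net.prefixlen
    return best


def per_country(ip_counts):
    """Failed logins summed by country, the number behind a geoip plot."""
    out = Counter()
    for ip, n in ip_counts.items():
        out[country_of(ip)] += n
    return out


def candidates(ip_counts, threshold, prefix=24):
    """Networks whose failed logins reach the threshold: the ones that, as the
    post says, 'should have been blocked already'."""
    return {net: n for net, n in rollup(ip_counts, prefix).items() if n >= threshold}


def fail2ban_commands(nets, jail="sshd"):
    """One manual ban command per candidate network (assumed CIDR support)."""
    return [f"fail2ban-client set {jail} banip {net}" for net in sorted(nets)]


if __name__ == "__main__":
    counts = parse_failed_logins(SAMPLE_LOG)
    print("by country:", dict(per_country(counts)))
    for cmd in fail2ban_commands(candidates(counts, threshold=3)):
        print(cmd)
```

The threshold and prefix are the two knobs worth tuning: a /24 rollup with a threshold of a few hundred failures matches what the table above shows, while a /16 rollup is the blunt instrument that catches a whole provider. Run it over the real `/var/log/auth.log` and review the output before feeding anything to fail2ban, since a shared hosting range can carry a legitimate user next to the bots.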
  • @rcy026 said:
    It actually made me realize that I could use all this data and force-feed it to fail2ban.

    Good idea!

  • beanman109 Member
    edited January 2023

    Was China until I used Crowdsec to ban all 110 million IPs from Chinanet on all my servers.
    Now it's honestly a fairly even mix most of the time.

  • emg Veteran

    Does it vary depending on the location of the target? (My guess is no.)

  • @emg said:
    Does it vary depending on the location of the target? (My guess is no.)

    In my case, no. I get pretty similar results, although actually I have one service in northern Europe that seems to get more attacks from Russia, etc... So maybe it varies a little by location? Maybe some of the attacks are focusing on datacenters that are closer to them? Curious what other people see.

  • Lots of Taiwan IPs being blocked lately.

  • @emg said:
    Does it vary depending on the location of the target? (My guess is no.)

    I cannot see that the geographical location makes any noticeable difference; however, it does seem like certain IP ranges are more targeted than others.
    I also have one VPS that seems to attract a lot of interest from South America. I have no idea why; geographically it is not even close, but it always has a lot more attempts from South America than any of my other VPSs. I have VPSs that are actually located in South America that get way fewer hits than this one, so it must have something to do with that particular IP range.

  • Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

  • Here's a list of 20k IPs Fail2Ban has blocked on one of my servers.

    https://pastebin.com/ff7kRK0b

  • @jlet88 said:
    Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

    Nice to know bots are being fed regularly. Starting to worry about them a bit.

  • @AuroraZero said:

    @jlet88 said:
    Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

    Nice to know bots are being fed regularly. Starting to worry about them a bit.

    Well I guess it does go to show that we shouldn't be too lazy when setting up a new domain. If someone thinks, "nahhh, nobody knows about this domain yet, so no one is going to attack it yet," then think again. Because someone is watching new domain registrations and I think you're right, feeding them into some database for bots, like you say. :#

  • @jlet88 said:

    @AuroraZero said:

    @jlet88 said:
    Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

    Nice to know bots are being fed regularly. Starting to worry about them a bit.

    Well I guess it does go to show that we shouldn't be too lazy when setting up a new domain. If someone thinks, "nahhh, nobody knows about this domain yet, so no one is going to attack it yet," then think again. Because someone is watching new domain registrations and I think you're right, feeding them into some database for bots, like you say. :#

    Just set up a scraper funnel to a bot. Blamo, got your unattended hacking, jacking, script kiddie, whatever you want to call it thingamadohickey, and think you are elite or something.

  • @AuroraZero said:

    @jlet88 said:

    @AuroraZero said:

    @jlet88 said:
    Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

    Nice to know bots are being fed regularly. Starting to worry about them a bit.

    Well I guess it does go to show that we shouldn't be too lazy when setting up a new domain. If someone thinks, "nahhh, nobody knows about this domain yet, so no one is going to attack it yet," then think again. Because someone is watching new domain registrations and I think you're right, feeding them into some database for bots, like you say. :#

    Just set up a scraper funnel to a bot. Blamo, got your unattended hacking, jacking, script kiddie, whatever you want to call it thingamadohickey, and think you are elite or something.

    Yep. That would do it.

    BTW, thinking about this makes me even more impressed at how robust open source software can be when properly configured. I mean with the insane onslaught of attacks that happen daily, it's pretty cool that millions of servers just keep on spinning away serving legit traffic.

  • @jlet88 said:

    @AuroraZero said:

    @jlet88 said:

    @AuroraZero said:

    @jlet88 said:
    Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

    Nice to know bots are being fed regularly. Starting to worry about them a bit.

    Well I guess it does go to show that we shouldn't be too lazy when setting up a new domain. If someone thinks, "nahhh, nobody knows about this domain yet, so no one is going to attack it yet," then think again. Because someone is watching new domain registrations and I think you're right, feeding them into some database for bots, like you say. :#

    Just set up a scraper funnel to a bot. Blamo, got your unattended hacking, jacking, script kiddie, whatever you want to call it thingamadohickey, and think you are elite or something.

    Yep. That would do it.

    BTW, thinking about this makes me even more impressed at how robust open source software can be when properly configured. I mean with the insane onslaught of attacks that happen daily, it's pretty cool that millions of servers just keep on spinning away serving legit traffic.

    Yeape it is amazing sometimes. Always a better mouse trap as they say.

  • emg Veteran

    @jlet88 said:
    Interesting new pattern I just noticed for the first time.... I just registered a few new domain names and set up basic hosting for them (just a landing page), and all of them are being attacked much more than older domains that also have similar landing pages and/or are on the same servers.

    I suppose that makes sense since they are so new and people want to see if there are any vulnerabilities before someone else can exploit them, but I've never noticed that before. It's also kind of creepy that they pounce so quickly.

    Attacks are from about the same geo locations though. No surprises there.

    In the past, you could not install Microsoft Windows on a system that was open to the internet. You had to do it behind a firewall. Otherwise, attackers would infect your new system before you could download and install the patches that protected against the vulnerabilities that they just exploited.

    Today's "fresh domain attacks" may be probing for an "opportunity window" between when the server first appears and when it is fully patched. That is one possible explanation of many, I'm sure.
