Red Green Repeat Adventures of a Spec Driven Junkie

Why You Should Secure Your Server (part 2)

I continue my analysis of the SSH logs I obtained from the informal experiment I started in the previous article.

This time I use a tool to look up the location of the entries in the log file and share where the accesses to my server are coming from.

You will learn how to use GeoIP to look up the country an IP address is registered in, and which countries the port scans against my server come from.

This article will take you about five minutes to read.

Image: Gerhard Emmoser - Celestial globe with clockwork (source and more information)

Introduction

In my last article, I started an experiment by opening the SSH port on my cloud server. I collected and analyzed the logs and found that I am not the only person trying to access my private server.

GeoIP

The GeoIP database from MaxMind, queried here with the geoiplookup command-line tool, maps an IP address to the country it is registered in. That is the location of the network, not necessarily of the person behind the connection: scanners commonly run from rented servers, proxies or compromised machines, so treat the country as where the traffic enters the Internet rather than where the attacker sits.

I have the IP addresses of the top port scanners of my server. Each of them comes from an SSH log entry for a client that disconnected before authenticating, which sshd records like this:

Jan 11 08:34:21 ip-172-31-1-163 sshd[2245]: Received disconnect from 221.194.44.195: 11: [preauth]

Running the GeoIP tool directly on each of those addresses gives the origin of the top port scanners:

geoiplookup 155.133.16.246
GeoIP Country Edition: PL, Poland

scans  IP Address       Country
4685   155.133.16.246   PL, Poland
1000   61.183.15.243    CN, China
 706   113.5.255.22     CN, China
 675   81.212.109.229   TR, Turkey
 658   121.248.150.13   CN, China

From the list, the top port scanners came from three countries:

  1. Poland
  2. China
  3. Turkey

One address in Poland made more than 4k connection attempts on my server? Wow, that is an aggressive number of port scans for one month.

Question: All Port scan origins?

Those were the top port scanners; what about the 14k other entries? Are they all from these three countries too?

Let's look up the country of every port scan entry in GeoIP:

grep -oE 'Received disconnect from [0-9.]+' auth.log | awk '{ print $4 }' |
	while read -r ip; do geoiplookup "$ip"; done |
	sed 's/^GeoIP Country Edition: //' |
	sort | uniq -c | sort -n | tail
scans  Country
5627 CN, China
4686 PL, Poland
762 US, United States
743 TR, Turkey
609 IT, Italy
518 KR, Korea, Republic of
439 NL, Netherlands
379 GB, United Kingdom
228 RU, Russian Federation
140 VN, Vietnam

Individually, one address in Poland did the most port scans; as a group, China did the most.

At over 10k port scans in a month from Poland and China alone, that is a scan roughly every four minutes against your server, around the clock!

Total Number of Countries?!

Now I am wondering how many different countries show up in my logs.

grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' auth.log | sort -u |
  while read -r ip; do geoiplookup "$ip"; done |
  sed 's/^GeoIP Country Edition: //' | sort -u | wc -l

There are 41 different countries that show up in the SSH log. The UN recognizes 193 countries in the world, so addresses from about 21% of the countries in the world were trying to access my server! Treat the figure as approximate: GeoIP's country codes also cover some territories that are not UN members, and any address missing from the database shows up as its own "IP Address not found" line in the count, so check the list before quoting the number.
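The three shell pipelines above (top sources, scans per country, number of countries) are easier to reason about and to reuse as a small script. The following is an added example, not the article's own code: a stand-alone Python version of the same analysis. The log lines are constructed in sshd's syslog format using only addresses that appear in this article, and COUNTRY_TABLE is a hypothetical stand-in for the GeoIP database so the script runs offline; geoiplookup_country shows how to query MaxMind's real database through the geoiplookup CLI when it is installed. Unlike the pipelines, it drops private and reserved addresses (the server's own, or your own logins) before looking anything up and caches one lookup per address.

```python
"""Parse sshd log lines and aggregate attacker sources by country.

Added example, not the article's code. SAMPLE_LOG and COUNTRY_TABLE are
constructed for this example; a real run replaces table_lookup with
geoiplookup_country (or MaxMind's geoip2 library).
"""
import ipaddress
import re
import subprocess
from collections import Counter
from typing import Callable, Optional

# Constructed sample log in sshd's syslog format. The public addresses are the
# ones quoted in the article; 10.0.0.5 is a private address standing in for the
# owner's own login.
SAMPLE_LOG = """\
Jan 11 08:34:21 ip-172-31-1-163 sshd[2245]: Received disconnect from 221.194.44.195: 11: [preauth]
Jan 11 08:35:02 ip-172-31-1-163 sshd[2250]: Failed password for root from 155.133.16.246 port 51234 ssh2
Jan 11 08:35:05 ip-172-31-1-163 sshd[2250]: Received disconnect from 155.133.16.246: 11: [preauth]
Jan 11 08:36:40 ip-172-31-1-163 sshd[2261]: Invalid user admin from 61.183.15.243
Jan 11 08:36:41 ip-172-31-1-163 sshd[2261]: Received disconnect from 61.183.15.243: 11: [preauth]
Jan 11 08:40:00 ip-172-31-1-163 sshd[2270]: Accepted publickey for ubuntu from 10.0.0.5 port 40000 ssh2
Jan 11 08:41:13 ip-172-31-1-163 sshd[2281]: Received disconnect from 155.133.16.246: 11: [preauth]
Jan 11 08:42:00 ip-172-31-1-163 sshd[2290]: Received disconnect from 121.248.150.13: 11: [preauth]
Jan 11 08:43:00 ip-172-31-1-163 sshd[2295]: Received disconnect from 81.212.109.229: 11: [preauth]
"""

# Hypothetical stand-in for the GeoIP country database. 121.248.150.13 is left
# out on purpose to exercise the not-found path (the real database lists it).
COUNTRY_TABLE = {
    "221.194.44.195": "CN, China",
    "155.133.16.246": "PL, Poland",
    "61.183.15.243": "CN, China",
    "81.212.109.229": "TR, Turkey",
}

Lookup = Callable[[str], Optional[str]]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# sshd logs a client that went away before authenticating as:
#   Received disconnect from <ip>: <code>: [preauth]
PREAUTH_RE = re.compile(r"Received disconnect from ((?:\d{1,3}\.){3}\d{1,3}):.*\[preauth\]")


def table_lookup(ip: str) -> Optional[str]:
    """Offline lookup against the constructed table; None means 'not in database'."""
    return COUNTRY_TABLE.get(ip)


def geoiplookup_country(ip: str) -> Optional[str]:
    """Query MaxMind's legacy database through the geoiplookup CLI (geoip-bin package)."""
    out = subprocess.run(["geoiplookup", ip], capture_output=True, text=True, check=True).stdout
    country = out.split("GeoIP Country Edition: ", 1)[-1].strip()
    return None if country == "IP Address not found" else country


def preauth_disconnect_ips(log_text: str) -> list:
    """Source IP of every pre-auth disconnect, one entry per log line."""
    return PREAUTH_RE.findall(log_text)


def public_ips(log_text: str) -> set:
    """Distinct IPv4 addresses in the log, minus private and reserved ranges.

    The broad regex also catches the server's own addresses and legitimate
    logins, so non-global addresses are dropped before any lookup."""
    return {ip for ip in set(IPV4_RE.findall(log_text)) if ipaddress.ip_address(ip).is_global}


def top_sources(log_text: str, lookup: Lookup, n: int = 5) -> list:
    """(count, ip, country) for the n busiest pre-auth sources, busiest first."""
    counts = Counter(preauth_disconnect_ips(log_text))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(count, ip, lookup(ip) or "unknown") for ip, count in ranked[:n]]


def scans_by_country(log_text: str, lookup: Lookup) -> Counter:
    """Pre-auth disconnects aggregated per country, one lookup per address."""
    cache = {}
    totals = Counter()
    for ip in preauth_disconnect_ips(log_text):
        if ip not in cache:
            cache[ip] = lookup(ip) or "unknown"
        totals[cache[ip]] += 1
    return totals


def countries_seen(log_text: str, lookup: Lookup) -> set:
    """Distinct countries behind all public addresses in the log, skipping
    addresses the database does not know so they never inflate the count."""
    return {c for c in (lookup(ip) for ip in public_ips(log_text)) if c}


if __name__ == "__main__":
    for count, ip, country in top_sources(SAMPLE_LOG, table_lookup):
        print(f"{count:5d} {ip:16} {country}")
    for country, count in scans_by_country(SAMPLE_LOG, table_lookup).most_common():
        print(f"{count:5d} {country}")
    print(len(countries_seen(SAMPLE_LOG, table_lookup)), "countries")
```

To run it against a real log, read auth.log into a string and pass geoiplookup_country (or a wrapper around the geoip2 library) as the lookup argument; the per-address cache matters there, since shelling out to geoiplookup once per log line, as the pipelines do, is the slow part of the whole analysis.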

Conclusion

In the first part, I analyzed my SSH logs and found that there are people other than me aggressively connecting to my server, using SSH logins and port scans to find weaknesses.

This time I used the GeoIP tool from MaxMind to look up the country of each IP address in the logs. The connections come from all over the world; in the data, Poland and China stand out above the rest, ahead of the US, Turkey, Italy and South Korea.

The distribution per country is not a blanket statement that everyone in that country is actively connecting to my server: a few hosts in each country are relentless in their attempts to exploit my server.

In the next and final part, I show two methods to secure your server that are convenient and let you sleep at night.