IP Tables And International Troublemakers
Recently my system's been getting bothered by evildoers around the world. Probably nothing personal, just a bunch of port-scanning, password-guessing bots. Never mind that they're always trying to log in as "root" (who has no SSH access); there's nothing of real value on my systems (that isn't accessible by HTTP, anyway). They just want to have my machine available to do their evilness.
A while ago I tinkered with checking my authorization log for unauthorized attempts, and came up with this little snippet:
grep "authentication failure" /var/log/auth.log.1 | grep ssh | awk '{ print $14 " " $15 " " $16; }' | sort | uniq -c | sort -n
It checks yesterday's log (today's is named "auth.log") and prints out the list of attempts, grouped and counted, so the most attempts are listed last.
Here's what the output looked like:
1 rhost=121.9.238.235 user=root
2 rhost=184-106-138-164.static.cloud-ips.com
2 rhost=188.132.184.23
13 rhost=184-106-138-164.static.cloud-ips.com user=root
43 rhost=188.132.184.23 user=root
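The post's one-liner keys on fixed awk field numbers ($14..$16), which shift whenever a line has an extra or missing token (a failure with no user= token, for instance). The script below is an added example, not the post's own snippet; it does the same grouping and counting but picks out the rhost= and user= tokens by name, so it keeps working across those variations. The log lines are constructed samples using documentation addresses, not real log data.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source (and user) from an auth.log-style file.
# The sample log below is constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May  3 04:12:01 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
May  3 04:12:03 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
May  3 04:13:10 host sshd[2140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
May  3 04:15:44 host CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 04:16:02 host sshd[2188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
EOF

# Prints "<count> rhost=<source> [user=<name>]" lines, least frequent first (like the
# post's pipeline), but locates the rhost=/user= tokens by name instead of by position.
failed_ssh_by_source() {
    grep 'sshd' "$1" | grep 'authentication failure' |
    awk '{
        src = ""; usr = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=/) src = $i;   # "ruser=" does not match ^user=, so no confusion
            if ($i ~ /^user=/)  usr = $i;
        }
        if (src != "") {
            out = src;
            if (usr != "") out = out " " usr;
            print out;
        }
    }' | sort | uniq -c | sort -n | sed 's/^ *//'
}

# The single busiest source address (last line of the sorted report), without the rhost= prefix.
top_offender() {
    failed_ssh_by_source "$1" | tail -n 1 | awk '{ print $2 }' | sed 's/^rhost=//'
}

failed_ssh_by_source "$SAMPLE_LOG"
```

Run against /var/log/auth.log.1 instead of the sample to reproduce the post's report; the CRON line shows that non-sshd pam_unix failures are filtered out before counting.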
What I've done is add to my firewall the network each offender is coming from (sometimes having to ping the hostname to get the IP). It works out that most of the attempts are coming from China, Korea, Japan, Brazil, Russia, and other such places where I'm fairly certain I won't be visiting and still trying to SSH to my servers.
Since I've been adding them to my firewall's profile (disallowing SSH, but still letting them through HTTP, so they can also read this...), I've amassed about a hundred networks, but it wasn't seeming to be enough to make it stop.
I poked around the Google-sphere and found I'm not alone in my desire to stop such unwanted access. Others have posted sample scripts, but their examples are more oriented toward total denial (probably a better idea...not sure how many Chinese are actually reading my blog...). Most intriguing is that I found a site, ipdeny.com, that has a list of IP networks by country. I did a quick "wget" and snagged their big list, broke that out and added the ones that seemed to bother me most with a script like this:
cat af.zone cn.zone in.zone ru.zone tr.zone vn.zone ua.zone br.zone ve.zone kp.zone | while read iprange ; do echo "-A UNWANTEDSSH -p tcp -m tcp -s ${iprange} --dport 22 -j REJECT" >> unwantedssh.rules; done
It creates an iptables entry that matches my chain (named UNWANTEDSSH) to reject SSH requests from the IP range in the file. I then attached this to the end of my iptables rules file (in /etc/iptables.up.rules on my system...yours may be different).
Downside is that now there are 9000 rules. Upside is that I shouldn't be bothered by unwanted SSH attempts from China, India, Japan, Brazil, Russia, and all those other places I'm not (nor are the other legitimate users of my system).
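Here is the rule-generation step as an added example (not the post's own script, and not from ipdeny.com), written the way I would want it before appending to the iptables rules file: it declares the UNWANTEDSSH chain, puts an explicit RETURN for the admin's own networks ahead of the country blocks so nobody locks themselves out, filters the zone files down to well-formed IPv4 CIDRs, de-duplicates them, and adds the INPUT jump that the chain needs in order to be consulted at all. The zone files and the ALLOW_SSH_FROM network are constructed placeholders (documentation and private ranges), not real country data.

```shell
#!/bin/sh
# Added example: build an UNWANTEDSSH chain from ipdeny-style zone files (one CIDR per line)
# in iptables-restore syntax. Zone contents below are constructed stand-ins for cn.zone/ru.zone.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
printf '198.51.100.0/24\n203.0.113.0/24\nnot-a-network\n' > "$WORK/cn.zone"
printf '192.0.2.0/24\n203.0.113.0/24\n' > "$WORK/ru.zone"   # overlaps cn.zone on purpose

# Assumption: networks that must keep SSH no matter which country list they fall in.
ALLOW_SSH_FROM="10.0.0.0/8"

# $1: output file; remaining args: zone files. Writes a fragment for the *filter table.
build_unwantedssh_rules() {
    out="$1"; shift
    : > "$out"
    printf ':UNWANTEDSSH - [0:0]\n' >> "$out"
    # Allow-list first: RETURN hands the packet back to INPUT before any REJECT can match.
    for net in $ALLOW_SSH_FROM; do
        printf -- '-A UNWANTEDSSH -p tcp -m tcp -s %s --dport 22 -j RETURN\n' "$net" >> "$out"
    done
    # Keep only dotted-quad/prefix lines, drop duplicates across zone files, one REJECT each.
    cat "$@" | grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' | sort -u | while read -r iprange; do
        printf -- '-A UNWANTEDSSH -p tcp -m tcp -s %s --dport 22 -j REJECT\n' "$iprange" >> "$out"
    done
    # Without this jump the chain exists but nothing ever traverses it.
    printf -- '-A INPUT -p tcp -m tcp --dport 22 -j UNWANTEDSSH\n' >> "$out"
}

# Number of REJECT rules actually emitted (the "9000 rules" figure for a real zone set).
count_reject_rules() { grep -c -- '-j REJECT' "$1"; }

build_unwantedssh_rules "$WORK/unwantedssh.rules" "$WORK/cn.zone" "$WORK/ru.zone"
cat "$WORK/unwantedssh.rules"
```

Append the output inside the *filter section of the rules file (before its COMMIT line) and run iptables-restore --test on the file before loading it, so a malformed zone line fails at parse time rather than leaving SSH half-filtered. The rule count is the real cost of this approach: each incoming SYN to port 22 walks the chain linearly until a rule matches, so thousands of per-network rules is what the ipset hash:net type exists to replace with a single match.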
I figure my new approach will be to check, and when I see violations, I'll identify the country from which the offender originates their request, and I'll add them to my list. Entire countries at a time instead of one network at a time.
…and…I was JUST about to suggest just that. That’s what the military does.
Yeah. No help here. :)
d