Counting SSH break-in attempts by country


Yesterday, I installed Fail2Ban on a CentOS 7 server after noticing SSH break-in attempts by password guessing. Today, I checked the fail2ban log to see how many IP addresses were banned and whether after being banned for an hour there were any subsequent password guessing attempts from the same IP address. I saw that 40 IP addresses had been banned since I installed Fail2Ban last night and that some of those addresses had been banned multiple times. You can count the number of times an IP address has been banned by using the awk command awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n. You can pipe the output of that command to the wc command wc -l to count the total number of lines which tells you the number of IP addresses that have been banned as explained at Fail2ban logging.

[root@moonpoint ~]# awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
      1 103.50.219.194
      1 104.200.134.181
      1 104.244.77.37
      1 107.189.14.174
      1 107.189.14.230
      1 107.189.14.41
      1 107.189.1.96
      1 107.189.31.223
      1 107.189.8.233
      1 183.157.169.70
      1 183.195.121.197
      1 205.185.123.33
      1 205.185.124.131
      1 209.141.42.29
      1 221.131.165.50
      1 221.131.165.56
      1 221.181.185.151
      1 221.181.185.198
      1 222.186.30.112
      1 222.187.254.41
      1 64.225.49.153
      1 71.9.165.219
      2 104.244.76.64
      2 107.189.12.163
      2 209.141.36.75
      2 209.141.40.64
      2 221.131.165.65
      2 222.186.30.76
      2 222.187.232.39
      3 107.189.13.104
      3 45.61.184.115
      3 70.62.137.84
      4 187.149.76.88
      4 189.85.145.113
      4 205.185.122.239
      4 209.141.57.74
      4 210.73.207.44
      4 222.186.42.137
      5 209.141.34.165
      5 89.211.207.62
[root@moonpoint ~]# awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | wc -l
40
[root@moonpoint ~]#

I was curious as to which countries the attacks were originating from, so I used the geoiplookup tool I had installed on the system (it is provided by the GeoIP package). I modified the command above and piped its output to the xargs command to list the country associated with each IP address, using the -n 1 option so that xargs passes geoiplookup just one argument at a time, i.e., one line from the output of the prior command piped to it: awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq | xargs -n 1 geoiplookup.

[root@moonpoint ~]# awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq | xargs -n 1 geoiplookup
GeoIP Country Edition: IN, India
GeoIP Country Edition: US, United States
GeoIP Country Edition: LU, Luxembourg
GeoIP Country Edition: LU, Luxembourg
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: LU, Luxembourg
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: MX, Mexico
GeoIP Country Edition: BR, Brazil
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: US, United States
GeoIP Country Edition: QA, Qatar
[root@moonpoint ~]#

I wanted to know the number of IP addresses banned per country to see which country was the most frequent source of break-in attempts, so I used the command below. I used the comma on each line as the delimiter for the cut command and selected the field after the comma to get just the country name. I then sorted the output so I could use uniq -c to count the number of entries for each country.

[root@moonpoint ~]# awk '($(NF-1) = /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq | xargs -n 1 geoiplookup | cut -d "," -f 2 | sort | uniq -c
      1  Brazil
     13  China
      1  India
      3  Luxembourg
      1  Mexico
      1  Qatar
     20  United States
[root@moonpoint ~]#

I thought China might be the most frequent source of break-in attempts, but there were many more attempts from IP addresses assigned to systems in the United States.
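The three pipelines above, collected into one script as an added example that can run offline (it is not the author's code): it writes a constructed fail2ban.log excerpt to a temporary file, and a lookup_country function stands in for geoiplookup, returning the countries the output above reported for those addresses. It also differs from the page's awk in two ways: it compares with == rather than assigning with =, and it skips the "Restore Ban" lines that fail2ban 0.10 and later write when they reload existing bans at startup, so a restart is not counted as a fresh round of attempts.

```shell
#!/bin/sh
# Constructed sample of /var/log/fail2ban.log (not the page's real log).
# IPs come from the page's output; timestamps and PIDs are made up.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2021-10-24 01:02:03,111 fail2ban.actions [1201]: NOTICE  [sshd] Ban 209.141.34.165
2021-10-24 01:05:09,222 fail2ban.actions [1201]: NOTICE  [sshd] Ban 89.211.207.62
2021-10-24 02:02:04,333 fail2ban.actions [1201]: NOTICE  [sshd] Unban 209.141.34.165
2021-10-24 02:40:00,444 fail2ban.actions [1201]: NOTICE  [sshd] Ban 209.141.34.165
2021-10-24 03:00:00,555 fail2ban.actions [1201]: NOTICE  [sshd] Ban 221.131.165.50
2021-10-24 03:10:00,666 fail2ban.actions [1201]: NOTICE  [sshd] Ban 187.149.76.88
2021-10-24 03:30:00,777 fail2ban.actions [1201]: NOTICE  [sshd] Restore Ban 89.211.207.62
2021-10-24 03:45:00,888 fail2ban.actions [1201]: NOTICE  [sshd] Ban 209.141.57.74
EOF

# Stand-in for geoiplookup so the script runs without the GeoIP database;
# the answers match what the page's geoiplookup run reported for these IPs.
lookup_country() {
    case "$1" in
        209.141.34.165|209.141.57.74) echo "GeoIP Country Edition: US, United States" ;;
        89.211.207.62)                echo "GeoIP Country Edition: QA, Qatar" ;;
        221.131.165.50)               echo "GeoIP Country Edition: CN, China" ;;
        187.149.76.88)                echo "GeoIP Country Edition: MX, Mexico" ;;
        *)                            echo "GeoIP Country Edition: --, N/A" ;;
    esac
}

# One IP per real Ban line: == compares (the page's = assigns), Unban lines
# never match, and "Restore Ban" lines (bans reloaded at restart) are skipped.
ban_ips() {
    awk '$(NF-1) == "Ban" && $(NF-2) != "Restore" {print $NF}' "$1"
}

# Times each IP was banned, least frequent first (page's first pipeline).
bans_per_ip() {
    ban_ips "$1" | sort | uniq -c | sort -n
}

# Distinct banned IPs per country (page's third pipeline).
bans_per_country() {
    ban_ips "$1" | sort -u | while read -r ip; do lookup_country "$ip"; done |
        cut -d "," -f 2 | sort | uniq -c
}

bans_per_ip "$LOG"
bans_per_ip "$LOG" | wc -l      # number of distinct IPs banned
bans_per_country "$LOG"
```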

Related:

  1. Monitoring Failed SSH Logins to a CentOS System
    Date: November 9, 2014
  2. Using fail2ban on a CentOS 7 system
    Date: April 1, 2016
  3. Fail2ban logging
    Date: April 9, 2016
  4. Break-in attempts via SSH from 221.131.165.50
    Date: October 23, 2021