GeoIP - SSH Brute Force - Identifying the Country of the Source IP

Information about the latest SSH brute-force source IPs

Install the packages:

GeoIP.x86_64 
GeoIP-GeoLite-data.noarch
GeoIP-GeoLite-data-extra.noarch

Create an account at:

https://www.maxmind.com/en/geoip2-databases

Generate the download keys at:

https://www.maxmind.com/en/accounts/

Configure the file:

/etc/GeoIP.conf

Listing the IPs and the number of attempts:

grep "authentication failure" /var/log/secure | awk '{print $14}' | sort | uniq -c

List with the number of attempts and the source IPs:

439 many
1 rhost=
14 rhost=103.209.100.238
30 rhost=104.248.114.67
29 rhost=104.248.57.44
1 rhost=106.13.168.107
1 rhost=106.13.99.107
1 rhost=111.230.219.156
24 rhost=114.7.164.250
44 rhost=115.205.180.95
43 rhost=116.196.81.216
38 rhost=119.29.16.190
1 rhost=121.201.61.205
44 rhost=122.152.212.188
27 rhost=123.195.99.9
15 rhost=123.231.160.98
25 rhost=124.137.205.59
1 rhost=128.199.170.33
1 rhost=129.152.141.71
1 rhost=13.74.46.65
1 rhost=14.140.95.157
1 rhost=154.85.54.193
9 rhost=156.54.122.60
1 rhost=156.54.170.112
17 rhost=164.132.225.151
1 rhost=164.160.33.164
1 rhost=164.90.155.117
1 rhost=181.48.155.149
45 rhost=181.49.107.180
1 rhost=18.224.96.254
1 rhost=183.237.175.97
33 rhost=183.250.216.67
1 rhost=188.166.9.210
14 rhost=192.241.228.251
1 rhost=195.161.162.46
1 rhost=196.43.165.48
1 rhost=197.156.65.138
22 rhost=201.16.246.71
1 rhost=201.17.130.156
6 rhost=202.62.120.5
1 rhost=202.77.105.110
18 rhost=213.135.67.42
1 rhost=3.112.123.55
1 rhost=36.81.203.211
33 rhost=37.252.188.130
16 rhost=46.101.175.35
1 rhost=51.210.183.93
16 rhost=51.210.96.169
1 rhost=51.38.189.160
16 rhost=51.68.123.198
17 rhost=51.91.100.120
40 rhost=65.97.0.208
18 rhost=68.183.178.162
1 rhost=72.129.166.218
1 rhost=80.211.38.185
17 rhost=80.91.162.206
1 rhost=91.134.240.130
1 rhost=91.225.77.52
9 rhost=95.167.225.85
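The two odd rows in the list above ("439 many" and "1 rhost=") come from field 14 not always being the rhost= token: on pam_unix lines it is, but on sshd's "Disconnecting authenticating user ... Too many authentication failures" lines field 14 is the word "many", and a failure logged with an empty rhost leaves a bare "rhost=". The script below is an added example, not part of the original notes: it pulls the address out with a pattern instead of a field position and counts per source. It runs on constructed sample lines in /var/log/secure format (documentation address ranges, not the IPs listed above) and reads log text on stdin, so against a real host it is `count_by_rhost < /var/log/secure`.

```shell
#!/bin/sh
# Added example (not from the original notes): count SSH authentication
# failures per source IP by matching "rhost=<ip>" instead of trusting
# field 14 of the line. Functions read log text on stdin, e.g.:
#   count_by_rhost < /var/log/secure

# Constructed sample in /var/log/secure format (documentation IP ranges).
# Line 3 is the sshd message whose 14th field is the word "many"; line 5
# has an empty rhost=; neither should produce a counted source.
SAMPLE_LOG=$(cat <<'EOF'
Sep 14 10:01:02 srv sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Sep 14 10:01:05 srv sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Sep 14 10:01:09 srv sshd[2101]: Disconnecting authenticating user root 203.0.113.7 port 41822: Too many authentication failures [preauth]
Sep 14 10:02:11 srv sshd[2133]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.22
Sep 14 10:02:13 srv sshd[2140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=admin
Sep 14 10:03:40 srv sshd[2150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.22  user=oracle
Sep 14 10:03:52 srv sshd[2151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
EOF
)

# "count ip" per source, busiest first. Only dotted-quad rhost values count.
count_by_rhost() {
    grep 'authentication failure' \
        | grep -oE 'rhost=[0-9]+(\.[0-9]+){3}' \
        | cut -d= -f2 \
        | sort | uniq -c | sort -rn
}

# Sources with at least $1 failures, one IP per line: the list worth feeding
# to geoiplookup or reviewing for a firewall block.
ips_over() {
    count_by_rhost | awk -v min="$1" '$1 >= min { print $2 }'
}

# What the field-based extraction produces on the same lines, for comparison.
naive_field14() {
    grep 'authentication failure' | awk '{ print $14 }' | sort | uniq -c
}

# Stand-alone run.
printf '%s\n' "$SAMPLE_LOG" | naive_field14
printf '%s\n' "$SAMPLE_LOG" | count_by_rhost
printf '%s\n' "$SAMPLE_LOG" | ips_over 2
```

On the sample, the field-based version yields four distinct values (many, rhost=, and two real addresses), while the pattern-based count yields exactly the two sources, with 3 and 2 failures.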

Using GeoIP to find the country of origin

# the trailing grep keeps only dotted-quad values, dropping the "many" and empty entries that field 14 yields on other sshd lines
for XX in $(grep "authentication failure" /var/log/secure | awk '{print $14}' | sort | uniq | cut -d "=" -f 2 | grep -E '^[0-9.]+$'); do echo "$XX"; geoiplookup "$XX"; done

Result with the location data for each IP

...

111.230.219.156
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 22, Beijing, Beijing, N/A, 39.928902, 116.388298, 0, 0
GeoIP ASNum Edition: AS45090 Shenzhen Tencent Computer Systems Company Limited
114.7.164.250
GeoIP Country Edition: ID, Indonesia
GeoIP City Edition, Rev 1: ID, 04, Jakarta Raya, Jakarta, N/A, -6.174400, 106.829399, 0, 0
GeoIP ASNum Edition: AS4761 INDOSAT Internet Network Provider
115.205.180.95
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 02, Zhejiang, Hangzhou, N/A, 30.293600, 120.161400, 0, 0
GeoIP ASNum Edition: AS4134 No.31,Jin-rong Street
116.196.81.216
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 22, Beijing, Beijing, N/A, 39.928902, 116.388298, 0, 0
GeoIP ASNum Edition: AS4808 China Unicom Beijing Province Network
119.29.16.190
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 22, Beijing, Beijing, N/A, 39.928902, 116.388298, 0, 0
GeoIP ASNum Edition: AS45090 Shenzhen Tencent Computer Systems Company Limited
121.201.61.205
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 30, Guangdong, Guangzhou, N/A, 23.116699, 113.250000, 0, 0
GeoIP ASNum Edition: AS58543 Guangdong
122.152.212.188
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 22, Beijing, Beijing, N/A, 39.928902, 116.388298, 0, 0
GeoIP ASNum Edition: AS45090 Shenzhen Tencent Computer Systems Company Limited
123.195.99.9
GeoIP Country Edition: TW, Taiwan
GeoIP City Edition, Rev 1: TW, 05, N/A, Changhua, N/A, 24.073999, 120.538399, 0, 0
GeoIP ASNum Edition: AS38841 kbro CO. Ltd.
123.231.160.98
GeoIP Country Edition: ID, Indonesia
GeoIP City Edition, Rev 1: ID, 04, Jakarta Raya, Jakarta, N/A, -6.174400, 106.829399, 0, 0
GeoIP ASNum Edition: IP Address not found
124.137.205.59
GeoIP Country Edition: KR, Korea, Republic of
GeoIP City Edition, Rev 1: KR, N/A, N/A, N/A, N/A, 37.511200, 126.974098, 0, 0
GeoIP ASNum Edition: AS38666 Actelecom

...
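To go from the per-IP listing to a per-country view, the loop output above can be parsed directly: every bare IP line starts a record, and the following "GeoIP Country Edition:" line carries the ISO code (or "IP Address not found"). The script below is an added example, not part of the original notes or of the GeoIP tools: it joins the "count ip" list from uniq -c with the loop output and sums attempts per country. Both inputs are constructed samples in the formats shown above (documentation IP ranges and documentation AS numbers), so it runs without the GeoIP databases installed.

```shell
#!/bin/sh
# Added example (not from the original notes): sum SSH brute-force attempts
# per country by joining the "count ip" list with geoiplookup's output.
# Both inputs below are constructed samples in the formats shown on the page.

# Output of: grep ... | sort | uniq -c  (leading spaces as uniq prints them)
COUNTS='     44 203.0.113.7
     30 198.51.100.22
      1 192.0.2.9
     12 203.0.113.88
      3 198.51.100.200'

# Output of the geoiplookup loop: an IP line, then its GeoIP edition lines.
# 192.0.2.9 has no country record; 198.51.100.200 was never looked up.
LOOKUPS='203.0.113.7
GeoIP Country Edition: CN, China
GeoIP City Edition, Rev 1: CN, 22, Beijing, Beijing, N/A, 39.928902, 116.388298, 0, 0
GeoIP ASNum Edition: AS64496 Example Network One
198.51.100.22
GeoIP Country Edition: ID, Indonesia
GeoIP City Edition, Rev 1: ID, 04, Jakarta Raya, Jakarta, N/A, -6.174400, 106.829399, 0, 0
GeoIP ASNum Edition: IP Address not found
192.0.2.9
GeoIP Country Edition: IP Address not found
203.0.113.88
GeoIP Country Edition: CN, China
GeoIP ASNum Edition: AS64497 Example Network Two'

# Loop output on stdin -> "ip cc" lines; "--" when no country was found.
country_map() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { if (ip != "") print ip, cc; ip = $0; cc = "--"; next }
        /^GeoIP Country Edition: [A-Z][A-Z],/ { cc = substr($4, 1, 2) }
        END { if (ip != "") print ip, cc }
    '
}

# $1: counts text, $2: loop output text -> "total cc" lines, highest first.
# IPs present in the counts but absent from the lookups are reported as "??".
attempts_by_country() {
    map=$(mktemp)
    printf '%s\n' "$2" | country_map > "$map"
    printf '%s\n' "$1" | awk '
        NR == FNR { cc[$1] = $2; next }                  # first file: ip -> cc
        { c = ($2 in cc) ? cc[$2] : "??"; sum[c] += $1 } # stdin: count ip
        END { for (c in sum) print sum[c], c }
    ' "$map" - | sort -rn
    rm -f "$map"
}

# Stand-alone run.
attempts_by_country "$COUNTS" "$LOOKUPS"
```

For the sample inputs this prints 56 CN, 30 ID, 3 ?? and 1 --, which is the view that matters when deciding whether a whole network or country needs a firewall rule rather than single hosts.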

Source: https://dev.maxmind.com/geoip/geoipupdate/#Troubleshooting on 14-Sep-2020

Automatic Updates for GeoIP2 and GeoIP Legacy Databases

This page provides two methods for automatically updating GeoIP2 and GeoIP Legacy binary databases.

Using GeoIP Update

MaxMind provides the GeoIP Update program, which performs automatic updates for both GeoIP2 and GeoIP Legacy binary databases. Please follow the instructions below.

Step 1 – Install GeoIP Update

Install GeoIP Update. The latest release may be downloaded from GitHub Releases. See here for installation instructions. It can also be installed via our Docker image.

If you are using an older version of GeoIP Update, you may need to upgrade to GeoIP Update 4.x or later version. The 4.x and later versions meet our requirement for using TLS 1.2 or greater for all requests to our servers to keep your data secure.

Please see our upgrade guide for more information on upgrading from an older version of GeoIP Update.

Step 2 – Obtain GeoIP.conf with Account Information

For Paid GeoIP2 and GeoIP Legacy Databases

Get a partially pre-filled configuration file (may require authentication) and save it in your configuration directory (e.g., /usr/local/etc/) as GeoIP.conf. You will need to replace the YOUR_LICENSE_KEY_HERE placeholder with an active license key associated with your MaxMind account. You can see your license key information on your account License Keys page.

You may also write this file by hand using the template below (not recommended).

# GeoIP.conf file - used by geoipupdate program to update databases
# from http://www.maxmind.com
AccountID YOUR_ACCOUNT_ID_HERE
LicenseKey YOUR_LICENSE_KEY_HERE
EditionIDs YOUR_EDITION_IDS_HERE

Note that for geoipupdate versions less than 2.5.0, use UserId instead of AccountID and ProductIds instead of EditionIDs.

Step 3 – Run GeoIP Update

Run geoipupdate. To fully automate this process on Linux or Unix, use a crontab file like:

# top of crontab
MAILTO=your@email.com

50 9 * * 4 /usr/local/bin/geoipupdate
# end of crontab

This crontab file would run every week, and it would email you the results.

If you are running a firewall, geoipupdate requires that the DNS and HTTPS (443) ports be open.
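The template and the cron line above leave two things easy to get wrong: the setting names depend on the geoipupdate version (UserId/ProductIds before 2.5.0, AccountID/EditionIDs from 2.5.0 on), and the file holds the license key in clear text, so it should not be readable by other users on the host. The function below is an added example, not MaxMind's tooling: it checks a GeoIP.conf for leftover placeholders, a numeric account id, a license key, at least one edition, and the file mode, accepting either naming convention. The three sample files are constructed with made-up ids and keys.

```shell
#!/bin/sh
# Added example (not MaxMind's code): sanity-check a GeoIP.conf before
# scheduling geoipupdate in cron. Accepts both naming conventions
# (UserId/ProductIds for versions < 2.5.0, AccountID/EditionIDs otherwise).
# Prints one line per problem and returns 1 if any was found.
check_geoip_conf() {
    f=$1
    ok=0
    # settings only: drop comments and blank lines
    conf=$(grep -vE '^[[:space:]]*(#|$)' "$f")

    if printf '%s\n' "$conf" | grep -qE 'YOUR_[A-Z_]*_HERE'; then
        echo "$f: template placeholders still present"; ok=1
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^(AccountID|UserId)[[:space:]]+[0-9]+[[:space:]]*$'; then
        echo "$f: AccountID/UserId missing or not numeric"; ok=1
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^LicenseKey[[:space:]]+[^[:space:]]+'; then
        echo "$f: LicenseKey missing"; ok=1
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^(EditionIDs|ProductIds)[[:space:]]+[^[:space:]]+'; then
        echo "$f: no EditionIDs/ProductIds listed"; ok=1
    fi
    # the key is stored in clear text: refuse a file other users can read
    case "$(ls -ld "$f" | cut -c8-10)" in
        ---) ;;
        *) echo "$f: readable by others, run chmod 600"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample files (made-up ids and keys, not real credentials).
GOOD_CONF=$(mktemp); OLD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# current naming, geoipupdate >= 2.5.0
AccountID 123456
LicenseKey EXAMPLEKEY000000
EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
EOF
cat > "$OLD_CONF" <<'EOF'
# legacy naming, geoipupdate < 2.5.0
UserId 123456
LicenseKey EXAMPLEKEY000000
ProductIds GeoLite2-Country
EOF
cat > "$BAD_CONF" <<'EOF'
# template copied without editing
AccountID YOUR_ACCOUNT_ID_HERE
LicenseKey YOUR_LICENSE_KEY_HERE
EditionIDs YOUR_EDITION_IDS_HERE
EOF
chmod 600 "$GOOD_CONF" "$OLD_CONF"
chmod 644 "$BAD_CONF"

# Stand-alone run: the first two pass, the third lists its problems.
for c in "$GOOD_CONF" "$OLD_CONF" "$BAD_CONF"; do
    check_geoip_conf "$c" && echo "$c: ok"
done
```

Run it from the same cron entry before geoipupdate (`check_geoip_conf /usr/local/etc/GeoIP.conf && /usr/local/bin/geoipupdate`) and the MAILTO address receives the reason whenever an update is skipped.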

Troubleshooting

If you receive an error when running GeoIP Update, you can use the verbose option by adding the -v flag. This will print out each step taken as it runs. The information provided can often help to clarify issues. Additional instructions for GeoIP Update can be viewed when running man geoipupdate on the command line.

Please note that GeoIP Update requires current access to database updates to run properly. If your subscription needs to be renewed, updates can be purchased while logged into your Account Summary page.

Updating to the latest release of GeoIP Update may be required to resolve some errors.

Direct Downloads

If your system is unable to use GeoIP Update or if you are using the CSV-format databases, see our GeoIP Direct Downloads page.

Download Limits

MaxMind reserves the right to limit the number of downloads made within a limited period of time.

New license key successfully created

Your new license key License Key #1 has been created.

It may take up to five minutes for this new key to be activated.

This will be the only time this key is displayed to you in full. Please copy the key to a safe location for your future reference.

For Usage with GeoIP Update

This MaxMind license key is not stored in hashed format and is less secure. Please upgrade to a version of GeoIP Update 3.1.1 or above.

We've generated a config file for you to use with GeoIP Update. See the Automatic Updates for GeoIP2 and GeoIP Legacy Databases page to learn how to use this config file to set up automatic updates.

# GeoIP.conf file for `geoipupdate` program, for versions < 3.1.1.
# Used to update GeoIP databases from https://www.maxmind.com.
# For more information about this config file, visit the docs at
# https://dev.maxmind.com/geoip/geoipupdate/.

# `UserId` is from your MaxMind account.
UserId 401397

# `LicenseKey` is from your MaxMind account
LicenseKey FNDQtCEP0ABx

# `ProductIds` is from your MaxMind account.
ProductIds GeoLite2-ASN GeoLite2-City GeoLite2-Country