Using fail2ban to see what countries are trying a little too much to connect to my server. #Fail2ban #infosec #CyberSec #linux #awk #sed @ubuntu #linux4hackers

Hi!

Goal for today is to get a list of which countries are trying too hard to connect to my server, using fail2ban.

I know it is not a good thing to have port 22 open on the internet, but sometimes you need that to prove a point.

  1. Install fail2ban
  2. Install geoip-bin
  3. Open port 22 on your server and make it reachable from the internet
  4. Run a few commands to get the list.

We start by installing fail2ban and geoip-bin

apt-get install fail2ban geoip-bin

Then we use this one-liner to get the list

grep Ban /var/log/fail2ban.log | awk '{print $8}' | xargs -n 1 geoiplookup

First part of this command picks the lines in the log file that record a ban (grep Ban). grep is case-sensitive, so the Unban lines fail2ban writes when a ban expires are not matched.
Second part keeps only the column we want, the banned IP address (awk '{print $8}'). A ban line looks like 2024-05-01 10:00:01,123 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7, so the address is the eighth field. Older fail2ban versions log without the [pid] column; there the address is field 7, and awk '{print $NF}' (the last field) works for both formats.
Third part feeds each address to the geoiplookup command, one per call (xargs -n 1 geoiplookup). Do not append { } here: that placeholder belongs to xargs -I, and with -n 1 it is just passed to geoiplookup as two extra arguments.

You get one line per banned address, in the form GeoIP Country Edition: XX, Country name.

If we only want the countries, without duplicates, we add sort and uniq to the same pipeline:

grep Ban /var/log/fail2ban.log | awk '{print $8}' | xargs -n 1 geoiplookup | sort | uniq
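As an added example (not code from the original post), here is the same pipeline as a small script that goes one step further and counts ban events per country, most active first, which is what "trying too much" really asks for. It assumes the fail2ban 0.9+ log format shown above and the geoiplookup command from geoip-bin. The sample log is constructed for the demo, and fake_country is a made-up stand-in lookup table so the script still runs on a machine without geoip-bin; the TEST-NET addresses in it are mapped to arbitrary countries.

```shell
#!/bin/sh
# Added example, not code from the original post: count fail2ban bans per
# country instead of only listing them. Assumes the fail2ban 0.9+ log line
# format ("... NOTICE [sshd] Ban 203.0.113.7") and geoiplookup from geoip-bin.
# When geoiplookup is not installed, a constructed lookup table (fake_country)
# is used so the script still runs offline.

# Write a constructed sample log (not real traffic) and print its path.
# It contains a repeat offender, an Unban line and a filter line, none of
# which should confuse the extraction.
make_sample_log() {
    f="${TMPDIR:-/tmp}/fail2ban-sample.log"
    cat >"$f" <<'EOF'
2024-05-01 10:00:01,123 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 10:05:17,456 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-05-01 10:10:01,789 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 11:20:44,012 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 11:30:02,345 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.99
2024-05-01 11:31:55,678 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2024-05-01 11:31:55
EOF
    echo "$f"
}

# One banned IP per ban event. " Ban " with surrounding spaces skips the
# Unban and Found lines; $NF (last field) works whether or not the log has
# a [pid] column, unlike the hard-coded $8 of the one-liner.
ban_ips() {
    awk '/ Ban /{print $NF}' "$1"
}

# ISO country code for one IP via geoiplookup, "??" when the database has no entry.
geoip_country() {
    cc=$(geoiplookup "$1" | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\), .*/\1/p')
    echo "${cc:-??}"
}

# Constructed stand-in for geoip_country (assumption: the TEST-NET ranges in
# the sample are mapped to arbitrary countries for the demo).
fake_country() {
    case "$1" in
        203.0.113.*)  echo "CN" ;;
        198.51.100.*) echo "RU" ;;
        192.0.2.*)    echo "US" ;;
        *)            echo "??" ;;
    esac
}

# Ban events per country, most active first.
# $1 = log file, $2 = name of the lookup function (default geoip_country).
bans_per_country() {
    bpc_log="$1"; bpc_lookup="${2:-geoip_country}"
    ban_ips "$bpc_log" | while read -r ip; do "$bpc_lookup" "$ip"; done \
        | sort | uniq -c | sort -rn
}

# Demo run on the constructed sample; real lookups only if geoip-bin is present.
if command -v geoiplookup >/dev/null 2>&1; then demo_lookup=geoip_country; else demo_lookup=fake_country; fi
sample=$(make_sample_log)
echo "Distinct banned hosts: $(ban_ips "$sample" | sort -u | wc -l)"
bans_per_country "$sample" "$demo_lookup"
```

On a real server call bans_per_country /var/log/fail2ban.log to use geoiplookup, and pipe ban_ips through sort -u first if you want distinct hosts per country rather than ban events. Two caveats: fail2ban's log is rotated, so a full picture also needs /var/log/fail2ban.log.1 and the older archives, and the country database that comes with geoip-bin is a static snapshot, so treat the attribution as approximate.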

This was a short one, but as you all know, size doesn't matter!

Keep hacking!

//Roger
