[TUTORIAL] Quick analysis of IPs blocked for brute-force attempts on a newly configured server

Since last night (UTC +2), I configured a new server with all my protections in place (see here for details on the protections used), and I’ve already had around 120 IP addresses blocked by Fail2Ban. Based on a quick analysis of the blocked IPs, most attempts appear to come from providers like Alibaba and DigitalOcean, and from countries such as Singapore, the United States, Hong Kong, and China, among others.

That said, these countries are the most frequent but not the only ones; other regions and providers are also represented. This analysis is based only on IPs blocked since last night, so it should be taken with caution. I recommend others do their own analysis. However, my previous observations on hundreds of blocked IPs over the past few months show similar trends, with the same countries and providers frequently appearing.

Following my previous analysis, here is a visualization of the top 10 Internet Service Providers (ISPs) associated with suspicious connection attempts, blocked by Fail2Ban on another server, this time hosting a web application and also using CyberPanel. These data have been collected since October 27, 2024, and represent approximately 200 IPs blocked for unauthorized access attempts, primarily brute-force attacks on SSH.

ISP Distribution

As shown in the chart, most blocked attempts come from two main providers:

• DigitalOcean-ASN and Alibaba US Technology Co., Ltd. together account for over half of the blocked attempts.

• Other providers like Tencent Building, OVH SAS, and Chinanet also frequently appear in these connection attempts.

This distribution highlights a trend where certain ISPs are more represented in unauthorized access attempts on this type of server.

Tutorial: Setting Up Fail2Ban for Permanent Bans and Bulk IP Analysis

Fail2Ban is an essential tool to protect your server against brute-force attacks, especially for services like SSH and CyberPanel. This tutorial will guide you through installation, setting up permanent bans, and analyzing blocked IPs using free tools.

Step 1: Install Fail2Ban

To install Fail2Ban, run the following command:

sudo apt install fail2ban -y

Step 2: Enable Fail2Ban to Start on Boot

To ensure that Fail2Ban starts automatically after each server reboot, run:

sudo systemctl enable fail2ban

Step 3: Start Fail2Ban

Once installed, start Fail2Ban to begin protecting your server immediately:

sudo systemctl start fail2ban

Step 4: Configure Fail2Ban for Permanent Bans

Before modifying the configuration, it’s recommended to copy jail.conf to jail.local and edit the copy rather than jail.conf itself: Fail2Ban reads jail.local as an override, so your settings live in a dedicated file without altering the defaults.

Copy jail.conf and open it for editing:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

In this file, you can activate and configure Fail2Ban for SSH or other services like CyberPanel. Here’s a basic configuration for SSH with a permanent ban:

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
# Time window for counting failed attempts
findtime = 5m
# -1 means a permanent ban for blocked IPs
bantime  = -1

This setup will permanently ban an IP after 3 failed attempts within a 5-minute period.

Step 5: Restart Fail2Ban to Apply Changes

After modifying and saving the configuration, restart Fail2Ban to apply the new rules:

sudo systemctl restart fail2ban

Step 6: Check Fail2Ban Status and Blocked IPs

To ensure that Fail2Ban is running and protecting your server, check its status with the following command:

sudo systemctl status fail2ban

To see the list of IPs currently blocked by Fail2Ban for SSH, use:

sudo fail2ban-client status sshd

Step 7: View Ban Logs

If you want to view detailed logs of bans in Fail2Ban, use the following command to display only ban entries:

grep "Ban" /var/log/fail2ban.log

Step 8: Export and Analyze Blocked IPs in Bulk

Once you have accumulated a significant number of blocked IPs, you can export them for bulk analysis. Here are recommended free tools for analyzing multiple IPs at once:

  1. InfoByIP - infobyip.com
    InfoByIP allows bulk IP analysis for location, ISP, and reputation information. This tool is convenient for quickly retrieving details on multiple blocked IPs.

  2. AbuseIPDB - abuseipdb.com
    Allows you to check abuse reports for each IP. Useful for identifying IPs with known malicious activities. You can analyze IPs in bulk with a free account.

  3. ipinfo - ipinfo.io
    Provides details on IP location and ISP. Their API can process multiple IPs, but some advanced features may require a free account.

  4. MaxMind GeoLite2 - maxmind.com
    An open-source solution for IP geolocation. You can download their GeoLite2 database and perform local analyses.
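As an added example (not from the original post), the following Python script covers Steps 7 and 8 offline: it parses the Ban lines of fail2ban.log (skipping Unban and Restore Ban entries, which also contain the word "Ban"), exports the unique IPs one per line in the form bulk lookup tools accept, and then tallies the top ISPs from a lookup result, which is how the ISP distribution above is produced. The log lines and the lookup CSV are constructed samples, and the CSV column names are an assumption rather than any particular tool's export format.

```python
import csv
import re
from collections import Counter

# Constructed sample of /var/log/fail2ban.log lines (not real data).
SAMPLE_LOG = """\
2024-10-27 01:12:09,002 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-10-27 01:40:51,127 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-10-27 02:05:17,900 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.45
2024-10-27 02:05:18,001 fail2ban.actions [812]: NOTICE  [sshd] Unban 198.51.100.23
2024-10-27 03:00:00,010 fail2ban.actions [812]: NOTICE  [sshd] Restore Ban 203.0.113.7
2024-10-27 03:14:22,555 fail2ban.actions [812]: NOTICE  [cyberpanel] Ban 198.51.100.77
2024-10-27 04:02:40,321 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.7
"""

# Constructed bulk-lookup result; the column names are an assumption.
SAMPLE_LOOKUP = """\
ip,country,isp
203.0.113.7,SG,DigitalOcean-ASN
198.51.100.23,US,"Alibaba US Technology Co., Ltd."
192.0.2.45,HK,"Alibaba US Technology Co., Ltd."
"""

# Matches the fail2ban.actions NOTICE lines; padding between fields varies.
BAN_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<kind>Restore Ban|Ban|Unban) (?P<ip>\S+)$"
)

def parse_bans(log_text, jail=None):
    """Yield (jail, ip) for each new ban; Unban and Restore Ban lines are skipped."""
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("kind") == "Ban" and jail in (None, m.group("jail")):
            yield m.group("jail"), m.group("ip")

def export_ips(log_text, jail=None):
    """Unique banned IPs in first-seen order: one per line is what bulk tools expect."""
    return list(dict.fromkeys(ip for _, ip in parse_bans(log_text, jail)))

def repeat_offenders(log_text):
    """IPs that appear in more than one Ban line, with their ban count."""
    counts = Counter(ip for _, ip in parse_bans(log_text))
    return {ip: n for ip, n in counts.items() if n > 1}

def isp_distribution(ips, lookup_csv, top=10):
    """Top-N ISPs among the exported IPs; IPs missing from the lookup count as unknown."""
    isp_by_ip = {row["ip"]: row["isp"] for row in csv.DictReader(lookup_csv.splitlines())}
    return Counter(isp_by_ip.get(ip, "unknown") for ip in ips).most_common(top)

if __name__ == "__main__":
    print("\n".join(export_ips(SAMPLE_LOG, jail="sshd")))
    print(isp_distribution(export_ips(SAMPLE_LOG, jail="sshd"), SAMPLE_LOOKUP))
```

To run it on a real server, replace SAMPLE_LOG with the contents of /var/log/fail2ban.log and SAMPLE_LOOKUP with the CSV exported from the lookup tool you chose.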

Step 9: Visualize IPs on a Map with BatchGeo

To get a better understanding of the geographical locations of the blocked IPs, you can visualize the data on a map using BatchGeo. Go to BatchGeo, copy-paste your list of blocked IPs with their coordinates, and generate a map. This free tool is easy to use and provides a clear visual overview of the sources of connection attempts.

Step 10: Use the Results to Improve Security

After analyzing and visualizing the IPs, you can better understand the geographical origins and ISPs associated with connection attempts. This allows you to adjust your configuration, for example, by blocking certain countries or monitoring specific providers more closely.


I encourage you, once you’ve gathered the blocked IPs, to categorize them by their respective providers and consider reporting them to those providers.