When an IP address gets banned, how can I check whether the banned IP address is from China? If yes, then add it to the permanent ban list.
I have found this nice guide which writes the banned IP to a file.
Reason: I am getting a lot of brute force attacks from China daily; thankfully fail2ban is helping restrict this, although they appear to be getting worse and they are just changing their IP address.
Or even better would be if there were a maintained database of known hacker IP addresses.
Example 1
Hi,
The IP 60.169.78.77 has just been banned by Fail2Ban after
4 attempts against vsftpd.
Here are more information about 60.169.78.77:
% [whois.apnic.net node-7]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-AH
mnt-lower: MAINT-CHINANET-AH
status: ALLOCATED PORTABLE
changed: [email protected] 20040721
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: [email protected]
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: [email protected] 20070416
mnt-by: MAINT-CHINANET
source: APNIC
person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: [email protected]
nic-hdl: JW89-AP
mnt-by: MAINT-NEW
changed: [email protected] 19990818
source: APNIC
Regards,
Fail2Ban
Example 2
Hi,
The IP 60.169.78.81 has just been banned by Fail2Ban after
4 attempts against vsftpd.
Here are more information about 60.169.78.81:
% [whois.apnic.net node-6]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: JW89-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-AH
mnt-lower: MAINT-CHINANET-AH
status: ALLOCATED PORTABLE
changed: [email protected] 20040721
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: [email protected]
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: [email protected] 20070416
mnt-by: MAINT-CHINANET
source: APNIC
person: Jinneng Wang
address: 17/F, Postal Building No.120 Changjiang
address: Middle Road, Hefei, Anhui, China
country: CN
phone: +86-551-2659073
fax-no: +86-551-2659287
e-mail: [email protected]
nic-hdl: JW89-AP
mnt-by: MAINT-NEW
changed: [email protected] 19990818
source: APNIC
Regards,
Fail2Ban
Example 3
Hi,
The IP 222.133.244.99 has just been banned by Fail2Ban after
4 attempts against vsftpd.
Here are more information about 222.133.244.99:
% [whois.apnic.net node-6]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 222.133.244.96 - 222.133.244.127
netname: LCZFFHQ
country: CN
descr: liaochenggovermentfanghuoqiang
admin-c: DS95-AP
tech-c: DS95-AP
status: ASSIGNED NON-PORTABLE
changed: [email protected] 20060122
mnt-by: MAINT-CNCGROUP-SD
source: APNIC
route: 222.132.0.0/14
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: [email protected] 20060118
source: APNIC
person: Data Communication Bureau Shandong
nic-hdl: DS95-AP
e-mail: [email protected]
address: No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone: +86-531-6052611
fax-no: +86-531-6052414
country: CN
changed: [email protected] 20050330
mnt-by: MAINT-CNCGROUP-SD
source: APNIC
Regards,
Fail2Ban
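One way to do the country check the question asks for, as an added example that is not part of the original post or of fail2ban itself: a script that a fail2ban `actionban` can call with the banned IP, which runs the system `whois` client, reads the `country:` field of the allocation (`inetnum`) object in exactly the format shown in the mails above, and appends the IP and the allocation's CIDR blocks to a permanent ban file when the country is on the ban list. The file path, the action name, the banned-country set and the trimmed sample whois record (cut down from Example 1) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): permanent-ban an IP by whois country.

Hypothetical fail2ban wiring, e.g. /etc/fail2ban/action.d/ban-by-country.conf:

    [Definition]
    actionban = /usr/local/bin/ban_by_country.py <ip>

The permanent ban file still has to be loaded into the firewall separately
(for instance from an actionstart that iterates over it); that part is not shown.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
import sys

PERMANENT_BAN_FILE = "/etc/fail2ban/permanent-bans.txt"  # assumed path
BAN_COUNTRIES = {"CN"}                                    # policy assumption

# Only the first "country:" after "inetnum:" describes the allocation; the
# person/role contact objects that follow carry their own "country:" lines.
COUNTRY_RE = re.compile(r"^country:\s*([A-Za-z]{2})\s*$", re.MULTILINE)
INETNUM_RE = re.compile(
    r"^inetnum:\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", re.MULTILINE
)

# Constructed sample: Example 1 from the post, trimmed to the relevant lines.
SAMPLE_WHOIS = """\
% [whois.apnic.net node-7]
inetnum: 60.166.0.0 - 60.175.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
country: CN
status: ALLOCATED PORTABLE
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
country: CN
source: APNIC
"""


def country_from_whois(text: str) -> str | None:
    """Return the allocation's ISO country code, or None if none is present."""
    start = text.find("inetnum:")
    haystack = text[start:] if start >= 0 else text
    m = COUNTRY_RE.search(haystack)
    return m.group(1).upper() if m else None


def inetnum_to_networks(text: str) -> list[str]:
    """Convert the 'inetnum: first - last' range into CIDR blocks (as strings)."""
    m = INETNUM_RE.search(text)
    if not m:
        return []
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def should_permanently_ban(text: str, countries: set[str] = BAN_COUNTRIES) -> bool:
    """True when the whois allocation country is on the permanent-ban list."""
    return country_from_whois(text) in countries


def load_bans(path: str) -> set[str]:
    """Existing entries of the permanent ban file (empty if it does not exist)."""
    try:
        with open(path) as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def record_ban(ip: str, networks: list[str], path: str = PERMANENT_BAN_FILE) -> list[str]:
    """Append the IP and its allocation blocks to the ban file; return what was new."""
    existing = load_bans(path)
    new = [entry for entry in [ip, *networks] if entry not in existing]
    if new:
        with open(path, "a") as fh:
            fh.write("".join(entry + "\n" for entry in new))
    return new


def lookup_whois(ip: str) -> str:
    """Run the system whois client (needs network; not exercised offline)."""
    ipaddress.ip_address(ip)  # reject anything that is not an address before spawning
    proc = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=20, check=False)
    return proc.stdout


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        sys.stderr.write("usage: ban_by_country.py <ip>\n")
        return 2
    ip = argv[1]
    text = lookup_whois(ip)
    country = country_from_whois(text)
    if country is None:
        print(f"{ip}: no country in whois output, not added")
        return 1
    if not should_permanently_ban(text):
        print(f"{ip}: {country}, not on the permanent-ban country list")
        return 0
    added = record_ban(ip, inetnum_to_networks(text))
    print(f"{ip}: {country}, added {added if added else 'nothing (already listed)'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats before using this as-is: public whois servers rate-limit clients, so calling `whois` from every ban can get the server itself throttled, which is one reason a local GeoIP database is the usual choice; and banning the whole `inetnum` of Example 1 (60.166.0.0 - 60.175.255.255) blocks 655,360 addresses, so decide deliberately whether to write the CIDR blocks or only the single IP.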
Instead of using Whois for this I would recommend using an available GeoIP database like http://www.maxmind.com/download/geoip/database/
Most programming languages (PHP, Python, Perl, ...) have bindings that parse those formats easily.
A "hacker IP" database wouldn't really make any sense anymore today, especially due to: