Sometimes back I had setup ssh on raspberry pi and allowed to login from internet, obviously using the public key encyption.
After few days I noticed that lot of people/systems were trying to login and failing from various different IPs.
So I block them using Fail2ban. I am Not gonna talk about Fail2ban, as its completely vast topic on its own.
Fail2ban : It provides a way to automatically protect virtual servers from malicious behavior.
The program works by scanning through log files and reacting to offending actions such as repeated failed login attempts.
Once blocked I wanted to see from where I was getting attacked the most. So I plotted them on map using some free apis.
Here is my fail2ban config for creating a file of all blocked IP addresses.
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/ip.blacklist.persistban.<name> | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
echo <ip> >> /etc/fail2ban/ip.blacklist.persistban.<name>
echo <ip> >> /pathToMysite/blocked_ipaddresses.txt
I used ipmapper which uses google maps api for geocoding.