Sunday, August 31, 2008

Hack attempts by country

I use denyhosts to block addresses that runs dictionary attacks on my SSH server.

GeoIP and python can be used to lookup country of origin of these addresses, and simple shell commands to generate a list of most common countries.

$ cat geoip.py
import GeoIP, sys
gi = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)
for addr in sys.stdin.readlines(): print gi.country_name_by_addr(addr.strip())


$ grep ssh hosts.deny |cut -d " " -f 2 |python geoip.py |sort |uniq -c |sort -nr |head
34 China
17 None
17 Korea, Republic of
11 United States
5 United Kingdom
5 Italy
5 Brazil
4 Thailand
4 Japan
4 Germany


China wins. But please note that there's 17 addresses that couldn't be resolved so the margin of error is pretty large.

No comments: