In Using Odroid as IP Router I wrote about using my Odroid as a router and firewall. Additionally, I inspect who tries to log in to my machines using the lastb command, which lists failed login attempts. Sample output is below:
$ lastb
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:51 - 09:51  (00:00)
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    14.162.42.98     Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    14.162.42.98     Mon Oct  1 09:50 - 09:50  (00:00)
telecoma ssh:notty    197.46.98.211    Mon Oct  1 09:50 - 09:50  (00:00)
telecoma ssh:notty    197.46.98.211    Mon Oct  1 09:50 - 09:50  (00:00)
ubnt     ssh:notty    2.235.144.121    Mon Oct  1 09:50 - 09:50  (00:00)
ubnt     ssh:notty    2.235.144.121    Mon Oct  1 09:50 - 09:50  (00:00)
root     ssh:notty    78.111.43.138    Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    96.89.181.5      Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    96.89.181.5      Mon Oct  1 09:50 - 09:50  (00:00)
Admin    ssh:notty    139.5.159.74     Mon Oct  1 09:50 - 09:50  (00:00)
Admin    ssh:notty    139.5.159.74     Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    183.89.73.176    Mon Oct  1 09:50 - 09:50  (00:00)
user     ssh:notty    115.178.98.57    Mon Oct  1 09:50 - 09:50  (00:00)
user     ssh:notty    115.178.98.57    Mon Oct  1 09:50 - 09:50  (00:00)
auxiliar ssh:notty    118.221.123.81   Mon Oct  1 06:53 - 06:53  (00:00)
auxiliar ssh:notty    118.221.123.81   Mon Oct  1 06:53 - 06:53  (00:00)
debian   ssh:notty    180.76.162.111   Mon Oct  1 02:39 - 02:39  (00:00)
debian   ssh:notty    180.76.162.111   Mon Oct  1 02:39 - 02:39  (00:00)
admin    ssh:notty    123.21.175.214   Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    123.21.175.214   Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    183.157.189.232  Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    183.157.189.232  Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    181.211.61.234   Mon Oct  1 02:23 - 02:23  (00:00)
admin    ssh:notty    181.211.61.234   Mon Oct  1 02:23 - 02:23  (00:00)
user1    ssh:notty    186.149.47.141   Mon Oct  1 00:34 - 00:34  (00:00)
user1    ssh:notty    186.149.47.141   Mon Oct  1 00:34 - 00:34  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
Furthermore, I use Fail2ban. This way I gather a number of suspicious IP addresses which apparently do not have the best intentions, so I had better block them completely. Using the following, each offending address is widened to its /24 network and turned into a DROP rule for the ethusb0 interface:

$ lastb > L
$ perl -ne 'if (/\s+(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\s+/) { printf("-A PREROUTING -s %s.0/24 -i ethusb0 -j DROP\n",$1); }' L
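The perl one-liner above emits one rule per lastb record, so an address that appears several times (as most do in the sample) produces the same rule several times. The script below is an added example, not code from the original post: it parses lastb output, collapses the records into distinct /24 networks, counts attempts per network, and emits each DROP rule once, most active network first, with an optional attempt threshold. The interface name ethusb0 and the rule layout are taken from the post; the sample lastb text embedded here is constructed for the example (the trailing "btmp begins" line and its year are made up to show that the parser skips lastb's trailer).

```python
import re
from collections import Counter

# Constructed sample in lastb's output format (addresses as printed in the post;
# the trailer line and its year are invented for the example).
SAMPLE_LASTB = """\
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:51 - 09:51  (00:00)
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:50 - 09:50  (00:00)
root     ssh:notty    78.111.43.138    Mon Oct  1 09:50 - 09:50  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
user1    ssh:notty    186.149.47.141   Mon Oct  1 00:34 - 00:34  (00:00)

btmp begins Mon Oct  1 00:00:01 2018
"""

# user, tty, then a dotted-quad IPv4 address; anything else (blank line, trailer) is skipped.
LASTB_RE = re.compile(r"^(\S+)\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+")


def parse_lastb(text):
    """Yield (user, ip) for every lastb record in text."""
    for line in text.splitlines():
        m = LASTB_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def subnet24(ip):
    """Widen a dotted-quad address to its /24 network, as the perl one-liner does."""
    return ip.rsplit(".", 1)[0] + ".0/24"


def count_subnets(text):
    """Number of failed attempts seen per /24 network."""
    return Counter(subnet24(ip) for _, ip in parse_lastb(text))


def iptables_rules(text, min_attempts=1, iface="ethusb0"):
    """One DROP rule per /24 (no duplicates), most active network first.

    min_attempts lets you skip networks seen only once, which keeps the
    rule list (and the per-packet linear scan on a small box) short.
    """
    counts = count_subnets(text)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"-A PREROUTING -s {net} -i {iface} -j DROP"
        for net, n in ordered
        if n >= min_attempts
    ]


if __name__ == "__main__":
    for rule in iptables_rules(SAMPLE_LASTB):
        print(rule)
```

Run it against real data with `lastb > L` and pass the file contents to `iptables_rules`. Because each rule is still matched sequentially, a very long list is exactly the performance problem mentioned below; raising `min_attempts`, or moving the networks into a hash-based ipset matched by a single rule, keeps the per-packet cost flat.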
Below is my list of addresses which I block. This list is somewhat similar to the list of hosts given in Suppressing Advertisement on Web-Pages a.k.a. Ad-Blocking. Be aware that with this many iptables rules, a low-powered machine like a Raspberry Pi or Odroid will suffer significantly diminished network performance, since every packet is checked against the rules in sequence.