Which countries do the IPs in my /etc/iptables/rules.v4 file belong to?


The answer:

# grep "DROP" /etc/iptables/rules.v4 | awk '{print $4}' | cut -d/ -f1 | xargs -n 1 geoiplookup | sort | uniq -c | sort -n | sed 's/ GeoIP Country Edition://'
      1 AL, Albania
      1 AT, Austria
      1 CZ, Czech Republic
      1 GR, Greece
      1 IE, Ireland
      1 JP, Japan
      1 PH, Philippines
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 ID, Indonesia
      2 IR, Iran, Islamic Republic of
      2 IT, Italy
      2 MX, Mexico
      2 MY, Malaysia
      2 SG, Singapore
      2 TR, Turkey
      2 TW, Taiwan
      3 BR, Brazil
      3 SC, Seychelles
      3 VN, Vietnam
      4 DE, Germany
      4 EG, Egypt
      4 GB, United Kingdom
      5 FR, France
      5 KR, Korea, Republic of
      6 CA, Canada
      6 RU, Russian Federation
      7 NL, Netherlands
     11 IN, India
     15 IP Address not found
     38 CN, China
     90 US, United States

My OS:

# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

 

List of IPs filtered on my servers


Here is my iptables ruleset (note that stretchoid.com is very active):

/usr/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

List of IPs trying to exploit the microsoft.exchange.ediscovery.exporttool.application vulnerability


A sample log line:

192.241.212.111 - - [29/Jul/2021:00:55:15 +0200] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"

List of IPs:

# zgrep -h "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" /var/log/apache2/access.humhub.log.*gz | awk '{print $1}' | sort -u | awk '{print "/usr/sbin/iptables -A INPUT -s " $1 " -j DROP"}'
/usr/sbin/iptables -A INPUT -s 192.241.197.168 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.208.45 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.209.206 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.210.112 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.210.26 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.211.59 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.211.81 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.211.83 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.212.191 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.219.62 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.221.181 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.223.182 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.223.191 -j DROP 

The number of IPs I have blacklisted:

# grep -c "DROP" /etc/iptables/rules.v4
228

List of IPs trying to exploit the Outlook Web Access (OWA) vulnerability: "/owa/auth/logon.aspx"


A sample log line:

192.241.211.240 - - [29/Jul/2021:11:51:11 +0200] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"

The list of IPs:

# zgrep -h "/owa/auth/logon.aspx" /var/log/apache2/access.humhub.log.*gz | awk '{print $1}' | sort -u | awk '{print "/usr/sbin/iptables -A INPUT -s " $1 " -j DROP"}'
/usr/sbin/iptables -A INPUT -s 13.52.99.132 -j DROP 
/usr/sbin/iptables -A INPUT -s 92.154.95.236 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.202.155 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.202.30 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.204.132 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.206.232 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.208.28 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.209.114 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.210.206 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.210.44 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.218.70 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.219.54 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.221.104 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.221.238 -j DROP 
/usr/sbin/iptables -A INPUT -s 192.241.221.249 -j DROP 
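As an added example (not part of the original notes), here is the same log-to-iptables procedure used for both the exporttool list and the OWA list above, written in Python: it extracts the client IPs that requested either probed path, sorts them numerically, and skips addresses already covered by a DROP rule or CIDR in rules.v4, so re-running it does not append duplicate rules. The log lines and the rules.v4 excerpt are constructed sample data.

```python
import ipaddress
import re

# Constructed Apache combined-format log lines (not taken from the original page).
SAMPLE_LOG = """\
192.241.212.111 - - [29/Jul/2021:00:55:15 +0200] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"
192.241.211.240 - - [29/Jul/2021:11:51:11 +0200] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"
192.241.211.240 - - [29/Jul/2021:11:51:12 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"
61.40.12.7 - - [29/Jul/2021:12:00:00 +0200] "GET /owa/auth/logon.aspx HTTP/1.1" 302 4949 "-" "-"
203.0.113.9 - - [29/Jul/2021:12:01:00 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Constructed excerpt of /etc/iptables/rules.v4 as written by iptables-save.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.241.212.111/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP
COMMIT
"""

# The two probed paths seen in the access logs above.
SCANNED_PATHS = (
    "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application",
    "/owa/auth/logon.aspx",
)

# Client IP, then the request line: method and target (query string included).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def existing_drop_networks(rules_text):
    """Source networks already dropped in an iptables-save dump (host or CIDR)."""
    nets = []
    for line in rules_text.splitlines():
        fields = line.split()
        if "-s" in fields and "-j" in fields and "DROP" in fields:
            nets.append(ipaddress.ip_network(fields[fields.index("-s") + 1], strict=False))
    return nets


def scanner_ips(log_text, paths=SCANNED_PATHS):
    """Distinct client IPs that requested one of the probed paths, sorted numerically."""
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).split("?", 1)[0] in paths:
            hits.add(ipaddress.ip_address(m.group(1)))
    return sorted(hits)


def new_drop_rules(log_text, rules_text):
    """iptables commands for scanner IPs not already covered by an existing DROP rule."""
    covered = existing_drop_networks(rules_text)
    return [f"/usr/sbin/iptables -A INPUT -s {ip} -j DROP"
            for ip in scanner_ips(log_text)
            if not any(ip in net for net in covered)]


if __name__ == "__main__":
    print("\n".join(new_drop_rules(SAMPLE_LOG, SAMPLE_RULES)))
```

Run against the real files with `open("/etc/iptables/rules.v4").read()` and the decompressed access logs; only 192.241.211.240 is emitted for the sample data, since the other two scanners are already covered by the /32 and /16 rules.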

I now filter 213 public IPs:

# grep -c "DROP" /etc/iptables/rules.v4
213