Arcan's blog of 💭

IPAbuseDB Reporting

Yay, my first actual blog post, starting something is always an exciting and daunting task to keep up with. And I’m happy to post here, and for you! For somehow tracking down this blog and ending up right here, reading this text on your screen. Keep in mind that I’m not a professional blogger, but nevertheless, I hope you enjoy this blog and the many blog posts soon to come. (soon™️)

How IP addresses are used on the internet has always been a fascination for me, out of anything really it's weird. How can a single IP be tracked down to a single place, in the whole world! A string of numbers, magic. Well, that's a topic for another day, fascinating really. Now, actually what you actually probably clicked for. I've gotten into reporting ip-addresses on, basically having a couple servers around the globe acting as a honeypot for hackers, or moreso, skript kiddies to attack. I’ve been using a little tool called endlessh that endlessly sends a random ssh banner to the attacker. This has been fun to see the number of ips attacking a system.

If you have a server that is open to the internet and ssh open, I ask you to check the logs of your ssh service and see all the failed attempts, you’ll see hundreds, maybe even thousands of attempts (If you’ve had your server for a long time) trying to get into your box.

On the outside of the server, it doesn't seem like a honeypot, because you cant! Unless you inspect the ssh connection verbosely, then you just get back random ssh banner strings, then you’ll actually maybe detect something is up. What this does is that this essentially wastes scammer's time and keeps their ssh connection active and does nothing, basically just saying “Oh wait, I’ve got something- hold on, still wait please… and keep waiting… oh no please wa-“. Doing my deed in preventing cybercrime, I deserve a sticker.

All my reporting is done using a simple shell script that auto reports if a login attempt is done more than once, grabs the logs from endlessh, bundles it all into a request, then posts it to the abuseipdb API.

Check out in real time on my servers reporting ssh attackers! You will never know out of 4,294,967,296 ip addresses which are mine :) Heck! Why not try them all? If you’ve got the power and the network capacity, why not? (For legal reasons I’m not promoting cybercrime)

#technology #tech #it