
IP Security

We are committed to protecting the integrity of our network and to reporting any cyber-attacks directed at our servers. We consider monitoring and reporting IP-based attacks essential. To this end we have implemented several measures: detecting such attacks, banning the offending IP addresses, and reporting the incidents to multiple places. We also contact the published abuse contacts for the attacking IP addresses.

Current situation

The IT department and its monitoring tools currently rate the situation as “CRITICAL”.

Charts

The interactive charts (selectable resolution: raw or day; item count: 10, 20 or 30) show:

Banned IP addresses over time
Banned IPs per hour and attacks per hour
Countries with the most banned IPs
IP networks/organizations with the most banned IPs
Blocked IPs per country over time
Blocked IPs per network/organization over time

Where the data comes from

Fail2Ban

We use a service named Fail2Ban.

Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

https://en.wikipedia.org/wiki/Fail2ban

Functionality

Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. It includes support for both IPv4 and IPv6. Optionally longer bans can be custom-configured for “recidivist” abusers that keep coming back. Fail2Ban is typically set up to unban a blocked host within a certain period, so as to not “lock out” any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

https://en.wikipedia.org/wiki/Fail2ban
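The ban policy described above (failures counted inside a time window, a temporary ban, and a longer “recidive” ban for hosts that come back), replayed over constructed auth.log lines. This is an added illustration, not Fail2Ban's own code; the regex is a simplified stand-in for its sshd filter, and the addresses, hostnames and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in /var/log/auth.log style (addresses from documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:09 host sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:17 host sshd[1003]: Failed password for admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:00 host sshd[1004]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar  3 10:12:00 host sshd[1005]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:12:10 host sshd[1006]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 10:12:20 host sshd[1007]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:31:00 host sshd[1008]: Failed password for bob from 198.51.100.7 port 40001 ssh2
"""
# Simplified failregex in the spirit of Fail2Ban's sshd filter (not the project's own).
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*Failed password for .+ from (\S+) port")

def analyse(log, maxretry=3, findtime=600, bantime=600,
            recidive_findtime=86400, recidive_bantime=604800, year=2025):
    """Replay log lines through a sliding-window ban policy with recidive escalation.
    Returns a list of (ip, ban_start, ban_seconds); syslog lines carry no year, so one is assumed."""
    failures = defaultdict(deque)    # ip -> timestamps of failures inside the findtime window
    banned_until = {}                # ip -> datetime at which the current ban lapses
    ban_history = defaultdict(list)  # ip -> start times of earlier bans (recidive check)
    events = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue                 # still banned: the firewall rule would have dropped this
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()         # forget failures older than findtime
        if len(window) < maxretry:
            continue
        recent = [b for b in ban_history[ip] if ts - b <= timedelta(seconds=recidive_findtime)]
        seconds = recidive_bantime if recent else bantime   # repeat offender gets the long ban
        banned_until[ip] = ts + timedelta(seconds=seconds)
        ban_history[ip].append(ts)
        window.clear()
        events.append((ip, ts, seconds))
    return events
```

With these settings 203.0.113.5 is banned for ten minutes after its third failure, returns after the unban and is then banned for a week, while 198.51.100.7 (two failures half an hour apart) is never banned.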

Statistics

Every 15 minutes, a script on our servers records the current state of the Fail2Ban service, including all banned IPs, and stores it in a database.

GeoIP®

To determine the geolocation of an attacking IP address, we use a service called GeoIP®. The data is provided by MaxMind, Inc., and we regularly update our local GeoIP® databases with the current data MaxMind provides.

Whois

To include a network or organization name in our statistics, we use the global whois directory service. When an IP has been banned, we first resolve it to a domain name via DNS and query whois for that name; if that yields no result, we query the IP address itself. The answer is parsed and the organization name extracted; if no organization name is present, we use the name of the IP network instead. Results are cached for a week so that we do not make unnecessary queries.
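The lookup order just described (domain name first, then the IP itself; organization name first, then network name; one-week cache), as an added example that is not this site's own script. The whois answers and reverse-DNS entries are constructed inline and the field names are the common ones seen in domain, ARIN and RIPE records; the resolver takes lookup callables so it runs offline.

```python
import re

# Constructed whois answers in domain-, ARIN- and RIPE-style layouts; not real registry data.
WHOIS = {
    "srv1.hosting.example": "Domain Name: HOSTING.EXAMPLE\nRegistrant Organization: Example Hosting GmbH\n",
    "198.51.100.7": "NetRange: 198.51.100.0 - 198.51.100.255\nNetName: EXAMPLE-ARIN\nOrgName: Example Transit LLC\n",
    "192.0.2.9": "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: TEST-NET-1\n",
}
PTR = {"203.0.113.5": "srv1.hosting.example"}   # constructed reverse-DNS answers

ORG_FIELDS = ("Registrant Organization", "OrgName", "org-name")  # organization, tried first
NET_FIELDS = ("NetName", "netname")                              # network name as fallback

def extract_name(text):
    """Return the organization name, else the network name, else None."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([\w -]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))   # keep the first occurrence of a field
    return next((fields[k] for k in ORG_FIELDS + NET_FIELDS if k in fields), None)

class WhoisResolver:
    """Domain-first whois lookup with a one-week cache; timestamps are seconds since the epoch."""
    def __init__(self, whois=WHOIS.get, ptr=PTR.get, ttl=7 * 86400):
        self.whois, self.ptr, self.ttl = whois, ptr, ttl
        self.cache = {}        # ip -> (name, time stored)
        self.queries = 0       # whois queries actually issued (shows the cache working)

    def name_for(self, ip, now):
        hit = self.cache.get(ip)
        if hit and now - hit[1] < self.ttl:
            return hit[0]
        name, host = None, self.ptr(ip)
        for target in ([host] if host else []) + [ip]:   # domain name first, then the IP itself
            self.queries += 1
            name = extract_name(self.whois(target) or "")
            if name:
                break
        self.cache[ip] = (name, now)                      # negative results are cached too
        return name
```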

Abusix Abuse Contact DB

Because we send abuse reports by email to the responsible parties, we need an email address for each of them. We obtain it from the “Abuse Contact DB” operated by Abusix, Inc. The lookup is performed via DNS, and this step can be carried out by Fail2Ban itself.

Where we report data to

We only report serious abuse attempts, such as repeated attacks from an IP address even after that IP has already been banned for a short period of time.

E-Mail

After the data has been verified by an IT technician, we send a message about the incident to the email address supplied by Abusix. It is in XARF format and also contains precise log data with the exact times of the attacks.

XARF - eXtended Abuse Reporting Format

XARF is a JSON-based format for reporting abuse, fraud, viruses or other issues by email. It was defined by Abusix.

www.blocklist.de

www.blocklist.de is a free, voluntary service run by a fraud/abuse specialist whose servers are frequently attacked via SSH, mail login, FTP, web server and other services.
Its mission is to report any and all attacks to the respective abuse departments of the infected PCs/servers, so that the responsible provider can inform its customer about the infection and disable the attacker.

https://www.blocklist.de/en/index.html

attacks reported: 2,262 - reports generated: 336

In addition, www.blocklist.de offers DNS blocklists that can be used to block known attackers before they actually attack. We are in the process of implementing these services, which could significantly reduce the number of attacks on our servers.

abuseIPDB


Similar to www.blocklist.de, AbuseIPDB LLC provides a service that lets users report attacks and offers a comprehensive API for looking up IP addresses to determine whether they belong to attackers.

Copyright © 1999-2025 swabian.net