by knyt 4353 days ago
Unrelated to this disclosure, I have acquired quite a lot of Fail2Ban attack reports generated by hosts around the world. I put together an initial set of charts showing attacks by country; I was wondering if anyone had any ideas for interesting things that should be done to analyze/visualize the data.

The data set contains the IP addresses for attacker and victim, the date, and the service name for each of a couple million attack reports.

edit: https://int80k.com/ftb/


Have you seen https://www.dshield.org/ by SANS ISC?

«DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers world wide and uses them to analyze attack trends.»

I wouldn't mind seeing that; your data eclipses mine by about a lot.

Plotting your data on a world map would be kinda neat. D3.js is a good tool for that. Animate it over time for even more bonus points. :-)

Or, scrub your information from the data and post it for others to mess with.

I have several thousand entries for ssh, ssh-root, and spam abuse in my badhosts table.

I think that change over time could be pretty cool, especially if the host locations can be resolved down to the city or province. I'll check out D3.js.

I did a first take using Kartograph: https://int80k.com/ftb/

Nice.

And I see now why you're not wanting to release the data: I thought this was data on your network. Good job grabbing that email address.

+1 for this. Grouping by ASN and netblock owner would be nice as well. I'm happy to shoot down entire ISPs.

Do you know where maps between IP addresses and ASNs/netblocks might be available for download? I can't immediately find this on IANA's website or on those of the RIRs, and I think it'd be too much to grab from whois.

ARIN will allow you to download portions of their database for research purposes, but it requires an account and it looks like there's an approval process.

You wouldn't have to query every IP, you'd just have to query IPs not covered by a result range from a previous lookup.

I'd be willing to help on this; I have a whois module I wrote for another spam tool, I should be able to pretty easily adapt it for this.
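The two ideas raised above, grouping attackers by ASN/netblock owner and only querying IPs that are not already covered by a range returned from an earlier lookup, as an added worked example (this is not code from anyone in the thread). The route table and the report records are constructed stand-ins using RFC 5737 documentation prefixes; a real table would come from a BGP snapshot (RouteViews is mentioned below) or an RIR bulk dump, and `table_lookup` stands in for the expensive whois/BGP query:

```python
"""Group Fail2Ban attack reports by ASN/netblock while minimising lookups.

Added example for this thread, not code from the poster or any project named
here. ROUTE_TABLE and REPORTS are constructed; table_lookup() is a stand-in
for a real whois/BGP query.
"""
import ipaddress
from collections import Counter

# Constructed prefix -> (ASN, owner) table (documentation prefixes, RFC 5737).
ROUTE_TABLE = {
    "203.0.113.0/24": ("AS64500", "Example Transit"),
    "198.51.100.0/24": ("AS64501", "Example Hosting"),
}

# Constructed records in the thread's shape: attacker IP, victim IP, date, service.
REPORTS = [
    ("203.0.113.7", "192.0.2.10", "2013-07-01", "ssh"),
    ("203.0.113.9", "192.0.2.10", "2013-07-01", "ssh"),
    ("198.51.100.4", "192.0.2.11", "2013-07-02", "ssh-root"),
    ("203.0.113.7", "192.0.2.12", "2013-07-02", "postfix"),
    ("192.0.2.200", "192.0.2.10", "2013-07-03", "ssh"),  # no covering route
]


def table_lookup(ip):
    """Stand-in for an expensive whois/BGP query: longest-prefix match."""
    best = None
    for prefix, (asn, owner) in ROUTE_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, owner)
    return best


class NetblockCache:
    """Remembers covering ranges so only IPs outside known ranges are queried."""

    def __init__(self, lookup):
        self._lookup = lookup
        self._ranges = []   # list of (network, asn, owner) learned so far
        self.queries = 0    # how many times the expensive lookup actually ran

    def attribute(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        for net, asn, owner in self._ranges:
            if ip in net:
                return asn, owner
        self.queries += 1
        hit = self._lookup(ip)
        if hit is None:
            # Remember the miss as a /32 so the same unknown host is not re-queried.
            hit = (ipaddress.ip_network(str(ip)), "unknown", "unknown")
        self._ranges.append(hit)
        return hit[1], hit[2]


def attacks_by_asn(reports, cache=None):
    """Count reports per (ASN, owner, service); also return the number of lookups."""
    if cache is None:
        cache = NetblockCache(table_lookup)
    counts = Counter()
    for attacker, _victim, _date, service in reports:
        asn, owner = cache.attribute(attacker)
        counts[(asn, owner, service)] += 1
    return counts, cache.queries


if __name__ == "__main__":
    counts, queries = attacks_by_asn(REPORTS)
    for key, n in counts.most_common():
        print(n, *key)
    print(f"{queries} lookups for {len(REPORTS)} reports")
```

With the five constructed records only three lookups run: the second hit on 203.0.113.0/24 and the repeat of 203.0.113.7 are answered from the cached ranges. For a data set of a couple million reports the same structure should hold the ranges in an interval tree rather than a list, but the caching logic is unchanged.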

http://www.routeviews.org provides access to live and snapshot BGP data.

Similar approach: https://8ack.de/honeypot/

Check the Country page.

How do you own mail.com?

He doesn't, he just created the "fail2ban@mail.com" email account there. So all those fail2ban installations with the default configuration send email to him.

Pretty funny, and clever too.

Which is why configuration files should use the null-routed example.com domain.
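A defender's check for the problem described in this sub-thread, as an added example (not code from the Fail2Ban project or from anyone here): scan Fail2Ban's INI-style config for mail addresses whose domain you do not control, and distinguish an RFC 2606 placeholder such as example.com from a third-party domain where someone else may be reading the reports. `OWNED_DOMAINS` and the sample config text are constructed; the key names (`sender`, `dest`, `destemail`) match the settings in Fail2Ban's action.d and jail files:

```python
"""Lint Fail2Ban mail settings for addresses at domains you do not control.

Added example for this thread, not code from the Fail2Ban project.
OWNED_DOMAINS and SAMPLE_CONF are constructed.
"""
import configparser

# Constructed: domains this installation actually controls.
OWNED_DOMAINS = {"mail.internal"}
# Reserved for documentation by RFC 2606; mail to them is not read by a third party.
PLACEHOLDER_DOMAINS = {"example.com", "example.net", "example.org"}
# Settings in Fail2Ban's action.d/*.conf and jail.conf that carry mail addresses.
MAIL_KEYS = ("sender", "dest", "destemail")

# Constructed INI-style fragment in Fail2Ban's layout.
SAMPLE_CONF = """
[Init]
# From address used by the mail actions
sender = fail2ban@mail.com
dest = root

[sshd]
destemail = security@example.com
"""


def classify_domain(domain, owned=OWNED_DOMAINS):
    """None when mail stays with us, otherwise why the address is a concern."""
    if domain in owned or domain == "localhost":
        return None
    if domain in PLACEHOLDER_DOMAINS:
        return "placeholder"
    return "third-party"


def find_external_mail_addresses(text, owned=OWNED_DOMAINS):
    """Return (section, key, value, kind) for each address at a domain not in `owned`."""
    # Fail2Ban values contain %(name)s references; disable configparser's own
    # interpolation so they pass through untouched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():  # values from [DEFAULT] surface in every section
        for key, value in cp.items(section, raw=True):
            if key not in MAIL_KEYS or "@" not in value:
                continue  # bare local users such as "root" stay on the host
            domain = value.rsplit("@", 1)[1].strip().lower()
            kind = classify_domain(domain, owned)
            if kind:
                findings.append((section, key, value, kind))
    return findings


if __name__ == "__main__":
    for section, key, value, kind in find_external_mail_addresses(SAMPLE_CONF):
        print(f"[{section}] {key} = {value}: {kind} domain")
```

On the constructed fragment the `sender` left at a third-party domain is the finding that matters: bounces and replies for every ban notice go to whoever holds that mailbox. The `destemail` at example.com is reported separately, since a reserved placeholder loses the reports but does not hand them to someone else.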