[RFE]: ASN/Country based ban using IPinfo's free IP to Country ASN MMDB database #3687

Open
abdullahdevrel opened this issue Mar 2, 2024 · 0 comments

Comments

@abdullahdevrel
Copy link

Feature request type

I work for IPinfo, but I have fail2ban installed on all my servers.

The existing implementation of ASN/Country bans seems a bit confusing to me, and the per-IP lookup mechanism could be slow for large-scale attacks. I would like to suggest incorporating the IPinfo IP to Country ASN database into Fail2Ban as a native download. The IPinfo IP to Country ASN database provides a static, locally downloaded MMDB database that can be extremely fast to query and provides country and ASN-based metrics in the same response, which is quite effective in deterring SSH access attacks.

Description

Consider my ban list. I am using IPinfo's CLI to summarize the IP metadata of IP addresses and to do bulk IP geolocation/ASN enrichment. I am using jq to wrangle my JSON responses.

ASNs: The following query summarizes my banned IP log and prints out the top 5 ASNs of the banned IP addresses.

cat /var/log/fail2ban.log | grep Ban | ipinfo grepip -o | ipinfo summarize -j | jq -r .asns
{
  "AS132203 Tencent Building, Kejizhongyi Avenue": 24,
  "AS14061 DigitalOcean, LLC": 13,
  "AS4134 CHINANET-BACKBONE": 6,
  "AS45090 Shenzhen Tencent Computer Systems Company Limited": 17,
  "AS4766 Korea Telecom": 4
}

Countries: The following query summarizes my banned IP log and prints out the top 5 countries of the banned IP addresses.

cat /var/log/fail2ban.log | grep Ban | ipinfo grepip -o | ipinfo summarize -j | jq -r .countries
{
  "CN": 35,
  "JP": 7,
  "KR": 8,
  "SG": 15,
  "US": 10
}

As in many cases, CN is the location of origin for many banned IPs. However, we find a more interesting pattern upon closer inspection of the ASN data. Even though CN as the IP location metadata is associated with 35 IP addresses, the AS organization AS132203 Tencent Building, Kejizhongyi Avenue represents 24 IP addresses. But let's see which countries the IPs of this AS organization belong to:

cat /var/log/fail2ban.log | grep Ban | ipinfo grepip -o | ipinfo bulk | jq -r 'to_entries[] | select(.value.org == "AS132203 Tencent Building, Kejizhongyi Avenue") | .value.ip' | ipinfo summarize -j | jq .countries
{
  "DE": 3,
  "HK": 1,
  "JP": 6,
  "KR": 2,
  "SG": 11
}

As you can see, none of the 5 countries for this particular ASN is CN. Therefore, using an IP geolocation-based IP filter only scratches the surface when it comes to protecting your servers. In fact, if you look up this AS organization, you can find that this organization, in particular, was associated with uploading malicious packages to PyPI back in 2021.

That is why I would highly recommend incorporating (as a database download) or facilitating a bring-your-own MMDB database for the IP to Country ASN database.

Why the IPinfo IP to Country ASN database:

  • Full accuracy with daily updates. No compromise on accuracy
  • Contains both IPv4 and IPv6 data in the same database
  • The database is flat and has a tabular structure, with no missing variables or nested structures
  • Comes in MMDB format, which is the widely used format for efficient IP lookups
  • Contains both country and ASN information in the same database
  • Licensed under CC-BY-SA 4.0, which permits commercial usage with attribution

Documentation: https://ipinfo.io/developers/ip-to-country-asn-database

Field name     | Example                      | Data type | Description
---------------|------------------------------|-----------|---------------------------------------------------
start_ip       | 1.0.16.0                     | TEXT      | Starting IP address of an IP address range
end_ip         | 1.0.31.255                   | TEXT      | Ending IP address of an IP address range
country        | JP                           | TEXT      | ISO 3166 country code of the location
country_name   | Japan                        | TEXT      | Name of the country
continent      | AS                           | TEXT      | Continent code of the country
continent_name | Asia                         | TEXT      | Name of the continent
asn            | AS2519                       | TEXT      | Autonomous System Number
as_name        | ARTERIA Networks Corporation | TEXT      | Name of the AS (Autonomous System) organization
as_domain      | arteria-net.com              | TEXT      | Official domain or website of the AS organization

To use the MMDB database, you can use any MMDB reader module or the mmdbctl tool. The database is in MMDB format that the user/fail2ban can download, so it can support millions of queries locally. One aspect is that the database needs to be regularly updated, as the IP metadata in the database constantly changes.

mmdbctl read 95.64.182.177 country_asn.mmdb
{
  "as_domain": "mts.ru",
  "as_name": "MTS PJSC",
  "asn": "AS8359",
  "continent": "EU",
  "continent_name": "Europe",
  "country": "RU",
  "country_name": "Russia"
}

Considered alternatives

I have tried to explore the DNS- and Cymru-based ASN enrichment but was not successful in using it.

Any additional information

Even though we offer a free API service, in this instance I highly recommend sticking with the database solution, as it can support millions of IP lookups with the lowest wait time. I think IP metadata such as location and ASN is going to be universally useful. The download and update mechanism for IPinfo's IP database should be handled by fail2ban instead of the user plugging in the IP database themselves. Packaging the IP to Country ASN database could be an effective solution.
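As a worked illustration of what the proposal above would look like in fail2ban's own language, here is an added Python example (it is not code from the issue author, from fail2ban, or from IPinfo). It does three things the comment describes: extracts banned IPs from fail2ban's log, summarizes them per ASN and per country the way `ipinfo summarize` does, and makes a country/ASN ban decision from an MMDB-style record. Assumptions: the record field names (`country`, `asn`, `as_name`) follow the table above; the log lines and the lookup table are constructed here with documentation prefixes and RFC 5398 documentation ASNs so it runs offline; the real reader path uses the `maxminddb` package (`pip install maxminddb`) against a downloaded `country_asn.mmdb`, and the freshness window of 7 days is a policy choice, not an IPinfo requirement.

```python
"""Country/ASN ban policy over an IPinfo-style MMDB record (added example, not project code)."""
import ipaddress
import os
import re
import sys
import time
from collections import Counter

# Constructed fail2ban log excerpt (documentation addresses, not real bans).
SAMPLE_LOG = """\
2024-03-01 10:12:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.10
2024-03-01 10:13:44,456 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
2024-03-01 10:14:02,789 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.10
2024-03-01 10:15:30,001 fail2ban.actions [1234]: NOTICE [sshd] Ban 2001:db8::1
2024-03-01 10:16:11,222 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.10
2024-03-01 10:17:05,333 fail2ban.actions [1234]: NOTICE [sshd] Ban not-an-ip
"""

# Constructed stand-in for MMDB records, keyed by IP. ASNs are from the RFC 5398
# documentation range (AS64496-AS64511), so they attribute nothing to a real network.
FAKE_DB = {
    "203.0.113.10": {"country": "SG", "asn": "AS64496", "as_name": "Example Cloud"},
    "198.51.100.7": {"country": "US", "asn": "AS64497", "as_name": "Example ISP"},
    "2001:db8::1": {"country": "JP", "asn": "AS64496", "as_name": "Example Cloud"},
}


def fake_lookup(ip):
    """Offline lookup with the same contract as maxminddb.Reader.get: dict or None."""
    return FAKE_DB.get(ip)


BAN_RE = re.compile(r"\]\s+Ban\s+(\S+)\s*$")  # matches "[jail] Ban x", not "Unban x"


def banned_ips(log_text):
    """IPs from fail2ban 'Ban' lines, normalised; malformed addresses are skipped."""
    ips = []
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # never feed unparsed log text into a firewall rule
    return ips


def norm_asn(value):
    """Accept 'AS64496', 'as64496', '64496' or 64496 and return 'AS64496'."""
    s = str(value).strip().upper()
    return s if s.startswith("AS") else "AS" + s


def summarize(ips, lookup, top=5):
    """Per-ASN and per-country counts of banned IPs, like `ipinfo summarize`."""
    by_asn, by_country = Counter(), Counter()
    for ip in ips:
        rec = lookup(ip) or {}
        by_asn["%s %s" % (rec.get("asn", "AS?"), rec.get("as_name", "unknown"))] += 1
        by_country[rec.get("country", "??")] += 1
    return by_asn.most_common(top), by_country.most_common(top)


class GeoAsnPolicy:
    """Ban decision from a country/ASN record.

    Precedence: allow_asns (e.g. your own hosting provider) > deny_asns > deny_countries.
    An IP with no record is NOT banned unless ban_unknown=True, so a stale or
    incomplete database cannot silently lock out the whole Internet.
    """

    def __init__(self, lookup, deny_countries=(), deny_asns=(), allow_asns=(), ban_unknown=False):
        self.lookup = lookup
        self.deny_countries = {c.upper() for c in deny_countries}
        self.deny_asns = {norm_asn(a) for a in deny_asns}
        self.allow_asns = {norm_asn(a) for a in allow_asns}
        self.ban_unknown = ban_unknown

    def decide(self, ip):
        """Return (ban, reason); raises ValueError on a malformed address."""
        rec = self.lookup(str(ipaddress.ip_address(ip)))
        if not rec:
            return self.ban_unknown, "no record"
        asn = norm_asn(rec.get("asn", "?"))
        if asn in self.allow_asns:
            return False, "allow-listed " + asn
        if asn in self.deny_asns:
            return True, "denied " + asn
        if rec.get("country", "").upper() in self.deny_countries:
            return True, "denied country " + rec["country"]
        return False, "no match"


def db_is_fresh(mtime, max_age_days=7, now=None):
    """Upstream refreshes daily; refuse a file older than max_age_days (or dated in the future)."""
    now = time.time() if now is None else now
    return 0 <= now - mtime <= max_age_days * 86400


def open_mmdb_lookup(path, max_age_days=7):
    """Real reader over the downloaded country_asn.mmdb, via the maxminddb package."""
    if not db_is_fresh(os.path.getmtime(path), max_age_days):
        raise RuntimeError("%s is older than %d days; refresh it before trusting it" % (path, max_age_days))
    import maxminddb  # imported lazily so the offline parts above run without it
    return maxminddb.open_database(path).get  # Reader.get(ip) -> dict or None


if __name__ == "__main__":
    # usage: geo_policy.py country_asn.mmdb 203.0.113.10   (exit 0 = ban, 1 = leave alone)
    lookup = open_mmdb_lookup(sys.argv[1]) if len(sys.argv) > 2 else fake_lookup
    ip = sys.argv[-1] if len(sys.argv) > 1 else "203.0.113.10"
    ban, why = GeoAsnPolicy(lookup, deny_asns=["AS64496"], deny_countries=["CN"]).decide(ip)
    print(ban, why)
    sys.exit(0 if ban else 1)
```

The exit code is the hook: a fail2ban action's `actionban` could call this script and only insert the firewall rule when it exits 0, so the bulk IP-to-country/ASN mapping stays a local, offline lookup. The allowlist-before-denylist order and the "no record means no ban" default are the two checks worth keeping if this were turned into a real action; the summary function reproduces the per-ASN view from the issue, which is the one that revealed that a single ASN spanned five countries.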
