Feature request type
I work for IPinfo but I have fail2ban installed on all my servers.
The existing implementation of ASN/Country bans seems a bit confusing to me, and the per-IP lookup mechanism could be slow for large-scale attacks. I would like to suggest incorporating the IPinfo IP to Country ASN database into Fail2Ban as a native download. The IPinfo IP to Country ASN database provides a static, locally downloaded MMDB database that can be extremely fast to query and provides country- and ASN-based metrics in the same response, which is quite effective in deterring SSH access attacks.
Description
Consider my ban list. I am using IPinfo's CLI to summarize IP metadata of IP addresses and for bulk IP geolocation/ASN enrichment. I am using jq to wrangle my JSON responses.
ASNs: The following query summarizes my banned IP log and prints out the top 5 ASNs of the banned IP addresses.
Countries: The following query summarizes my banned IP log and prints out the top 5 countries of the banned IP addresses.
As in many cases, CN is a location of origin for many banned IPs. However, we find a more interesting pattern upon closer inspection of the ASN data. Even though CN as the IP location metadata is associated with 35 IP addresses, the AS organization AS132203 Tencent Building, Kejizhongyi Avenue represents 24 IP addresses. But let's see where the IPs of this AS organization are located:
As you can see, none of the 5 countries in this particular ASN are CN. Therefore, using an IP geolocation-based IP filter only scratches the surface when it comes to protecting your servers. In fact, if you look up this AS organization, you can find that this organization, in particular, was associated with uploading malicious packages to PyPI back in 2021.
That is why I would highly recommend incorporating (as a database download) or facilitating a bring-your-own MMDB database for the IP to Country ASN database.
Why the IPinfo IP to Country ASN database:
Full accuracy with daily updates. No compromise on accuracy
Contains both IPv4 and IPv6 data in the same database
The database is flat and has a tabular structure, with no missing variables or nested structures
Comes in MMDB format, which is the widely used format for efficient IP lookup mechanisms
Contains both country and ASN information in the same database
Licensed under CC-BY-SA 4.0, which permits commercial usage with attribution
Documentation: https://ipinfo.io/developers/ip-to-country-asn-database
To use the MMDB database, you must use any MMDB reader module or the mmdbctl tool. The database is in MMDB format that the user/fail2ban can download, so it can support millions of queries locally. One aspect is that the database needs to be regularly updated, as the IP metadata in the database constantly changes.
mmdbctl read 95.64.182.177 country_asn.mmdb
Considered alternatives
I have tried to explore the DNS- and Cymru-based ASN enrichment but was not successful in using it.
Any additional information
Even though we offer a free API service, in this instance we highly recommend sticking with the database solution, as it can support millions of IP lookups with the lowest wait time. I think IP metadata such as location and ASN is going to be universally useful. The download and update mechanism of IPinfo's IP database should be handled by fail2ban instead of the user plugging in the IP database themselves. Packaging the IP to Country ASN database could be an effective solution.
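The following is an added example, not part of the issue above and not fail2ban or IPinfo code. It shows the lookup-and-ban logic the request describes: a longest-prefix lookup over a local prefix table that returns a flat country/asn record, a ban decision that can key on ASN as well as country, and the same top-N ASN/country summaries the reporter builds with the ipinfo CLI and jq. The prefix table and "banned IP log" are constructed from RFC 5737/RFC 3849 documentation ranges and the RFC 5398 documentation ASNs AS64496/AS64497; they are placeholders, not IPinfo data. In a real deployment, lookup() would instead wrap a maxminddb reader opened on country_asn.mmdb, which returns a record of the same shape.

```python
"""Longest-prefix IP lookup over a local prefix table, with a ban policy
keyed on ASN as well as country.

Added example; not fail2ban or IPinfo code. The prefix table is built
from RFC 5737/RFC 3849 documentation ranges and RFC 5398 documentation
ASNs (AS64496/AS64497): placeholder data, not the IPinfo database. In a
real deployment lookup() would wrap
maxminddb.open_database("country_asn.mmdb").get(ip), which returns the
same flat country/asn record shape.
"""
import ipaddress
from collections import Counter

# Constructed table: (network, record). Field names follow the flat
# country/asn layout the issue describes; every value is a placeholder.
PREFIXES = [
    (ipaddress.ip_network("192.0.2.0/24"),      {"country": "CN", "asn": "AS64496", "as_name": "Example Cloud"}),
    (ipaddress.ip_network("198.51.100.0/25"),   {"country": "SG", "asn": "AS64496", "as_name": "Example Cloud"}),
    (ipaddress.ip_network("198.51.100.128/25"), {"country": "DE", "asn": "AS64496", "as_name": "Example Cloud"}),
    (ipaddress.ip_network("2001:db8::/32"),     {"country": "JP", "asn": "AS64496", "as_name": "Example Cloud"}),
    (ipaddress.ip_network("203.0.113.0/24"),    {"country": "US", "asn": "AS64497", "as_name": "Example ISP"}),
]
# Most specific prefix first, so the first hit is the longest match
# (the semantics an MMDB search tree gives you).
PREFIXES.sort(key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(ip):
    """Return the country/asn record for `ip`, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, record in PREFIXES:
        if addr.version == net.version and addr in net:
            return record
    return None


def should_ban(ip, ban_countries=frozenset(), ban_asns=frozenset()):
    """Decide a ban from the local record. Addresses with no record are not
    banned here; a stricter site might treat 'no record' as suspicious."""
    record = lookup(ip)
    if record is None:
        return False, "no record"
    if record["asn"] in ban_asns:
        return True, "asn " + record["asn"]
    if record["country"] in ban_countries:
        return True, "country " + record["country"]
    return False, "allowed"


def top_n(ips, field, n=5):
    """Top-N values of `field` ('asn' or 'country') across `ips`."""
    counts = Counter(r[field] for r in map(lookup, ips) if r is not None)
    return counts.most_common(n)


def countries_for_asn(ips, asn):
    """Country breakdown of the banned IPs announced by one ASN."""
    counts = Counter(r["country"] for r in map(lookup, ips)
                     if r is not None and r["asn"] == asn)
    return counts.most_common()


def compare_policies(ips, country, asn):
    """How many of `ips` a country-only filter bans versus an ASN filter."""
    by_country = sum(should_ban(ip, ban_countries={country})[0] for ip in ips)
    by_asn = sum(should_ban(ip, ban_asns={asn})[0] for ip in ips)
    return {"country_only": by_country, "asn": by_asn}


# Constructed "banned IP log": addresses inside the placeholder prefixes
# above plus one RFC 1918 address that no prefix covers.
BANNED = [
    "192.0.2.10", "192.0.2.77",  # CN, AS64496
    "198.51.100.5",              # SG, AS64496
    "198.51.100.200",            # DE, AS64496
    "2001:db8::1",               # JP, AS64496
    "203.0.113.9",               # US, AS64497
    "10.0.0.1",                  # no record
]

if __name__ == "__main__":
    print("top ASNs:", top_n(BANNED, "asn"))
    print("top countries:", top_n(BANNED, "country"))
    print("AS64496 by country:", countries_for_asn(BANNED, "AS64496"))
    print("bans:", compare_policies(BANNED, "CN", "AS64496"))
```

With the constructed data, a country-only filter on CN bans 2 of the 7 addresses while an ASN filter on AS64496 bans 5, which is the point the issue makes about a single ASN spanning several countries. The table is sorted longest prefix first so that a /25 wins over an overlapping /24, matching the most-specific-match behaviour of an MMDB lookup.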