This week was full of bugs and errors and problems.
I made it through with a lot of help from my friends: thank you Noah Pivnick for trying to understand why DigitalOcean was so stubborn, Noah Kernis for debugging my ssh key with me, and Matt Ross for explaining how to move files from the server to my computer and how to parse log files in Python.
1 / Setting up a firewall on my server
I followed the step by step explanation on the Understanding Networks website.
2 / Once the firewall was active, I wanted to understand how to record my findings.
> Ran ufw status > ufw.log to save the output on my server.
> I wanted to save the file on my desktop in order to parse it.
1. exit - First I needed to exit my server's root shell and go back to my computer.
2. Until now, when entering my server I wrote ssh root@.....; in order to securely copy files from my server to my computer I need to use scp - secure copy.
3. scp root@.....:/var/log/ufw.log . - The dot at the end asks to copy this file to here, where here is my current directory (my home folder).
4. After I had a copy on my computer, I could easily cat ufw.log and see who was trying to reach me.
After this step, I wanted to understand how to parse my data. Using Python seemed like the best way to parse the lines in the log file.
Each line has the following information; I used this source to identify the purpose of each element given to me in the log:
Date and time: Nov 3 23:01:42
The server’s hostname :ubuntu-s-1vcpu-1gb-nyc3-01 kernel:
The time in seconds since boot: [175012.322739]
Logged Event: Short description of the logged event: [UFW BLOCK]
If we set it, then the event was an incoming event: IN=eth0
If set, then the event was an outgoing event: OUT=
14-byte combination of the Destination MAC, Source MAC, and EtherType fields: MAC=ca:73:2e:2c:6a:37:64:c3:d6:0b:ef:f0:08:00
source IP, who sent the packet initially: SRC=22.214.171.124
destination IP, who is meant to receive the packet: DST=126.96.36.199
This indicates the length of the packet: LEN=40
Type of Service field of the IPv4 header: TOS=0x00
Precedence field of the IPv4 header: PREC=0x00
“Time to live” for the packet. Basically each packet will only bounce through the given number of routers before it dies and disappears.: TTL=47
ufw’s internal ID system:ID=37723
protocol of the packet: PROTO=TCP
source port the SRC IP sent the packet from: SPT=23516
destination port: DPT=60001
size of packet the sender is willing to receive: WINDOW=62381
SYN flag set, the first step of the three-way handshake that is typical of TCP connections, followed by the urgent pointer: SYN URGP=0
First, I split the lines:
After understanding how to split the lines and which lines I need or want, I created a for loop for everything that I was interested in analysing later.
I got a lot of data and I was interested mainly in the SRC addresses and their information: which countries or companies are trying to come through to my server.
I had 5,439 IP addresses trying to reach my server:
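As an added example (not the author's own script), here is one way to parse lines in the format listed above and count the SRC addresses and destination ports. The sample lines are constructed from the values shown in the post plus two made-up entries; they are not real entries from the server's log.

```python
import re
from collections import Counter

# Constructed sample lines in the ufw.log format walked through above.
# The first line uses the values from the post; the other two are made up.
SAMPLE_LOG = """\
Nov  3 23:01:42 ubuntu-s-1vcpu-1gb-nyc3-01 kernel: [175012.322739] [UFW BLOCK] IN=eth0 OUT= MAC=ca:73:2e:2c:6a:37:64:c3:d6:0b:ef:f0:08:00 SRC=22.214.171.124 DST=126.96.36.199 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=37723 PROTO=TCP SPT=23516 DPT=60001 WINDOW=62381 RES=0x00 SYN URGP=0
Nov  3 23:02:10 ubuntu-s-1vcpu-1gb-nyc3-01 kernel: [175040.100000] [UFW BLOCK] IN=eth0 OUT= MAC=ca:73:2e:2c:6a:37:64:c3:d6:0b:ef:f0:08:00 SRC=22.214.171.124 DST=126.96.36.199 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=37724 PROTO=TCP SPT=23517 DPT=22 WINDOW=62381 RES=0x00 SYN URGP=0
Nov  3 23:03:01 ubuntu-s-1vcpu-1gb-nyc3-01 kernel: [175091.500000] [UFW BLOCK] IN=eth0 OUT= MAC=ca:73:2e:2c:6a:37:64:c3:d6:0b:ef:f0:08:00 SRC=203.0.113.7 DST=126.96.36.199 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=5353 DPT=5353
"""

# Fixed prefix: date/time, hostname, "kernel:", seconds since boot, event tag.
HEADER_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"\[\s*(?P<uptime>[\d.]+)\] \[(?P<event>[^\]]+)\] (?P<rest>.*)$"
)

def parse_ufw_line(line):
    """Turn one ufw.log line into a dict; return None for lines that don't match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"date": m.group("date"), "host": m.group("host"),
           "uptime": float(m.group("uptime")), "event": m.group("event")}
    flags = []
    # The remainder is "KEY=VALUE" tokens plus bare TCP flags such as SYN.
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # OUT= gives an empty value
            rec[key] = value
        else:
            flags.append(tok)
    rec["FLAGS"] = flags
    return rec

def parse_log(text):
    """Parse every line of a log, skipping anything that isn't a ufw entry."""
    return [r for r in (parse_ufw_line(l) for l in text.splitlines()) if r]

def top_sources(records, n=10):
    """Most frequent SRC addresses among incoming (IN= set) packets."""
    return Counter(r["SRC"] for r in records if r.get("IN")).most_common(n)

def top_ports(records, n=10):
    """Most frequently targeted (PROTO, DPT) pairs."""
    return Counter((r["PROTO"], r["DPT"]) for r in records if "DPT" in r).most_common(n)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sources:", top_sources(recs))
    print("ports:", top_ports(recs))
```

Run it against the copied ufw.log by replacing SAMPLE_LOG with open("ufw.log").read().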
United States 711
South Korea 2
United States, Russia, Seychelles and Taiwan were my top 4.
Then, using a bulk online IP locator on the first 600 lines from my ufw status, I was able to take a closer look at the owners of these IP addresses:
Aruba S.p.A. 6
Aruba Cloud is our Cloud service brand for the European market: hosting, backups, object storage.
Asiamax Technology Limited VPN Service Provider Hong Kong 18
VPN Service Provider
CHINA UNICOM China 169 Backbone 31
China Unicom IP network
I found this about China Unicom but couldn't understand much about the data.
Data Communication Business Group 24
Part of Chunghwa Telecom, which is the largest telecommunications company in Taiwan and the incumbent mobile, PSTN and broadband carrier there. It has its headquarters in Zhongzheng District, Taipei, on the remains of the old Taipei Prison.
Hurricane Electric LLC 9
Hurricane Electric is a global Internet service provider offering IPv4 and IPv6 Internet access, transit, tools, and network applications, as well as data center colocation and hosting services in San Jose, California and in Fremont, California, where the company is based.
person: Svetoslava Dimova address: 51 Volga str., Entr.6, Flat 11 address: 4020 Plovdiv address: Bulgaria
No.31 Jin-rong Street 33
According to Spamhaus, this is one of The World's Worst Botnet ASNs.
This specific ASN has the highest number of detected spam sources listed in the Spamhaus XBL zone, sorted by ASN.
IT Proximus UAB 33
Jasinskio 16C LT03163 Vilnius LITHUANIA
UK-2 Limited 2
Corporación Telemic C.A. 2
Inter is a Venezuelan television broadcaster and telecommunications provider headquartered in Barquisimeto, Lara, Venezuela. Inter was founded in 1996 as InterCable. Its fiscal name is Corporacion Telemic C.A, and its main shareholder is the investment fund HM Capital Partners.
Inter offers digital cable TV services since 2002 and digital satellite television as of August 2012, currently providing up to 125 different channels, some featured products are:
Video on Demand (VOD)
HD Channels: The company offers sports, series, documentaries and cinema channels in high definition, which can only be seen using a specific digital decoder for this technology.
EDATEL S.A. E.S.P 2
Estro Web Services Private Limited 3
Fikri DAL 2
Guangdong Mobile Communication Co.Ltd. 7
IP CHistyakov Mihail Viktorovich 1
Iran Telecommunication Company PJS 2
Internet Service provider:
No 43, Floor 7, 1969764913 Tehran
IRAN, ISLAMIC REPUBLIC OF IRAN.
Jordan Data Communications Company LLC 1
Sky UK Limited 2
Societatea mixta pe actiuni de tip inchis 1