Listing and Tracking Suspicious Bad IP Addresses

Listing and Tracking Suspicious Bad IP Addresses can be very crucial if you suspect unreasonable consumed resources. Having said this, there are 2 known methods to list and track connected IP addresses to your VPS, in case you are suspecting hardware resources getting consumed for no reason. Besides, legitimate user’s IP address consumes reasonable portion of CPU and Memory, but bots most of the time act stupid, hence their activities can be so obvious.

Objectives:

1. Listing Active IP Addresses using tcptrack

2. Listing Active IP Addresses using netstat

Prerequisites:

A. Basic Linux Debian, Ubuntu, or CentOS Knowledge

B. If you haven’t built a VPS yet, login to DigitalOcean or Vultr

C. Linux Hardening Rules and IPtables Firewall Labs

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Listing Active IP Addresses using tcptrack

In order to understand the next Articles/Labs such IPtables and IPset Black/White Lists, I recommend you get familiar with IP Address listing and tracking techniques. My favorite tools to list and track connected IP Addresses to my VPS are tcptrack and netstat. Such tools are crucial for Tracking or Listing Unique or Active connected IP Addresses in order to analyze their activities.

tcptrack: is a sniffer which will show you information about TCP connections on a specific interface. It tracks only TCP Active connections and show the Live information.

Run the following steps (1 to 4)

1. Show and Install tcptrack

Debian Based

aptitude update

aptitude show tcptrack

then install…

aptitude install tcptrack

Red Hat Based

yum update

yum install tcptrack

2. Run tcptrack on eth0

tcptrack -i eth0

Note: Since you probably have no services yet installed except ssh, you won’t see that much traffic, however, you can always come back when you have Web Hosting Solution services up and running.

3. Run tcptrack -r switch

-r will make tcptrack wait for a given time (in seconds) before it deletes the closed connection from the screen.

tcptrack -dfi eth0 -r 10

4. Run tcptrack with port filtering

tcptrack -dfi eth0 port 22

TIP: To see ssh activities, open a new SSH window while running the above command in different window.

Available tcptrack Switches

-d Only track connections that were started after tcptrack was started. Do not try to detect existing connections.

-f Enable fast average recalculation. TCPTrack will calculate the average speeds of connections by using a running average.

-h Display command line help.

-i [interface] Sniff packets from the specified network interface.

-T [pcap file] Read packets from the specified file instead of sniffing from the network. Useful for testing.

-p Do not put the interface being sniffed into promiscuous mode.

-r [seconds] Wait this many seconds before removing a closed connection from the display. Defaults to 2 seconds. See also the pause interactive command (below).

-v Display tcptrack version

Interactive Commands

The following keys may be pressed while tcptrack is running to change runtime options:

p – Pause/unpause display. No new connections will be added to the display, and all currently displayed connections will remain in the display.

q – Quit tcptrack.

s – Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.

Note: The interactive key P option for pausing and toggling sorting is useful if you’re watching a very busy network and want to look at the display without connections jumping around (due to sorting and new connections being added) and disappearing (due to being closed for a certain time).

When paused (via the p key) no new connections will be displayed, however, tcptrack will still monitor and track all connections it sees as usual. This option affects the display only, not internals. When you unpause, the display will be updated with all current information that tcptrack has been gathering all along.

Listing Active IP Addresses using netstat

Although tcptrack tracks active IP Addresses, however, it can’t sort specific requirements as netstat does. For more information, check Wikipedia http://en.wikipedia.org/wiki/Netstat 

Note: The following commands of netstat are mostly used to check if the VPS is under an attack such Denial of Service (DoS Attack). I have listed few of them to show you how netstat can be used and at the same time to gain some knowledge of how to spot bad IP addresses in case you want to block some IP Addresses manually.

I assume that you followed my articles/Labs by order, especially Linux Hardening Rules and IPtables Firewall Labs, hence, you should be protected against certain DoS Attacks.

Run the following steps (1 to 6)

Copy and paste one by one to gain knowledge of how your VPS interact with user’s IP Address that is trying to view your website. Bots/users maybe trying to spam/attack your site. And No changes will take place on your VPS due to running the following netstat commands.

1. Show All Active Connections

netstat -unt | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1

The output here narrowed to only Active IP Addresses. Notice the duplicates, well that’s actually normal. Duplicate is simply the number of sessions open by that IP.

servers)
Address
24.215.128.64
24.215.128.64
198.41.215.163
24.215.128.64
2001
190.59.42.168
190.59.42.168
190.59.42.168

For port 80

netstat -unt | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1

190.59.42.168
190.59.42.168

2. Show all Active/Unique Connections with their Sessions

netstat -unt | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1

The output shows One IP and 6 sessions excluding Loop Address

3 24.215.128.64
2 190.59.42.168
1 servers)
1 Address
1 2001

For port 80

netstat -unt | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1

As you can see, one of the output says, ” 24.215.128.64 opened 6 sessions using port 80″.

6 24.215.128.64
3 24.215.128.64
2 190.59.42.168

3. Count Only Active/Unique IP Addresses

netstat -ntu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

For port 80

netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

5. Count Only Active Sessions Opened

netstat -ntu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l

The output at this time shows only the number of sessions that is being utilized by Active/Unique IP Addresses. My IP opened six sessions.

6

For port 80

netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l

2

Notice that I have used 7 commands on one command. netstat, grep, awk, cut, uniq, sort, and wc command.

6. Finally, List Active IP Addresses and their Open Sessions to Spot Bad IP Addresses

netstat -unt | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

If you see a repeater IP Address with too many sessions, then it has to be specious Address. I just spot 190.59.42.168, it’s a bad home user repeater IP and got negative statistics as per Symantec Check http://ipremoval.sms.symantec.com/lookup/ it got only 2 sessions open, it’s not a lot, but it turned to be an infected machine.

2 190.59.42.168
3 24.215.128.64

Once you implement Building Public and Private IPset Blacklists, a lot of these IPs such the above bad IP address will be most probably blocked depends on it’s severity. However, I can still add this IP myself manually to my custom Admin blacklist in case it’s not known to the global blacklist yet. I will talk about Custom Admin Blacklist next.

It turn to be that 190.59.42.168 is a PC somewhere infected and sending Spam. I used nslookup command as shown below which shows Dynamic IP from Trinidad and Tobago Islands, South America; most probably home user.

[email protected]:~# nslookup 190.59.42.168
Server:         8.8.4.4
Address:        8.8.4.4

Non-authoritative answer:
168.42.59.190.in-addr.arpa      name = 190-59-42-168.dynamic.tstt.net.tt.

Authoritative answers can be found from:

Remember, that you only need the following netstat commands if you suspect that your VPS is slow which might be under heavy type of Attack, or if you wanted to spot and block Bad Repeater IP Address that still not known by the Global Blacklists resources links.

Subject Related