Listing and Tracking Suspicious Bad IP Addresses

By Imad Daou Leave a Comment

Building Professional Web Hosting Solution
Blacklist and Whitelist using IPtables and IPset


Listing and tracking suspicious IP addresses becomes crucial when you see resources being consumed without an obvious reason. There are two well-known ways to list and track the IP addresses connected to your VPS in such a case. A legitimate user's IP address consumes a reasonable share of CPU and memory, whereas bots usually behave clumsily, so their activity tends to stand out.

Objectives:

1. Listing Active IP Addresses using tcptrack

2. Listing Active IP Addresses using netstat

Prerequisites:

A. Basic Linux Debian, Ubuntu, or CentOS Knowledge

B. If you haven’t built a VPS yet, login to DigitalOcean or Vultr

C. Linux Hardening Rules and IPtables Firewall Labs

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.


Listing Active IP Addresses using tcptrack

To get the most out of the next articles/labs, such as the IPtables and IPset black/white lists, I recommend you get familiar with IP address listing and tracking techniques first. My favourite tools for listing and tracking the IP addresses connected to my VPS are tcptrack and netstat. They are essential for listing unique or active connected IP addresses so that you can analyze their activity.

tcptrack is a sniffer that shows information about the TCP connections seen on a specific interface. It tracks only active TCP connections and displays the information live.

Run the following steps (1 to 4)

1. Show and Install tcptrack

Debian Based

aptitude update
aptitude show tcptrack

then install…

aptitude install tcptrack

Red Hat Based

yum update
yum install tcptrack

2. Run tcptrack on eth0

tcptrack -i eth0

Note: Since you probably have no services installed yet except SSH, you won't see much traffic; come back to this once the Web Hosting Solution services are up and running.

3. Run tcptrack -r switch

-r makes tcptrack wait the given number of seconds before it removes a closed connection from the screen.

tcptrack -dfi eth0 -r 10

4. Run tcptrack with port filtering

tcptrack -dfi eth0 port 22

TIP: To see ssh activities, open a new SSH window while running the above command in different window.

Available tcptrack Switches

-d Only track connections that were started after tcptrack was started. Do not try to detect existing connections.

-f Enable fast average recalculation. TCPTrack will calculate the average speeds of connections by using a running average.

-h Display command line help.

-i [interface] Sniff packets from the specified network interface.

-T [pcap file] Read packets from the specified file instead of sniffing from the network. Useful for testing.

-p Do not put the interface being sniffed into promiscuous mode.

-r [seconds] Wait this many seconds before removing a closed connection from the display. Defaults to 2 seconds. See also the pause interactive command (below).

-v Display tcptrack version

Interactive Commands

The following keys may be pressed while tcptrack is running to change runtime options:

p – Pause/unpause display. No new connections will be added to the display, and all currently displayed connections will remain in the display.

q – Quit tcptrack.

s – Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.

Note: The interactive p key for pausing (together with the s key for toggling sorting) is useful if you're watching a very busy network and want to look at the display without connections jumping around (due to sorting and new connections being added) and disappearing (due to being closed for a certain time).

When paused (via the p key) no new connections will be displayed, however, tcptrack will still monitor and track all connections it sees as usual. This option affects the display only, not internals. When you unpause, the display will be updated with all current information that tcptrack has been gathering all along.

Listing Active IP Addresses using netstat

Although tcptrack tracks active IP addresses, it cannot sort and filter the output to specific requirements the way netstat can. For more information, see Wikipedia: http://en.wikipedia.org/wiki/Netstat

Note: The following netstat commands are mostly used to check whether the VPS is under an attack such as a Denial of Service (DoS) attack. I have listed a few of them to show how netstat can be used and, at the same time, how to spot bad IP addresses in case you want to block some of them manually.

I assume that you followed my articles/labs in order, especially Linux Hardening Rules and IPtables Firewall Labs, so you should already be protected against certain DoS attacks.

Run the following steps (1 to 6)

Copy and paste the commands one by one to learn how your VPS interacts with the IP address of a user who is viewing your website; bots or users may be trying to spam or attack your site. Running the following netstat commands makes no changes to your VPS.

1. Show All Active Connections

netstat -unt | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1

The output is narrowed down to the active IP addresses only. Notice the duplicates; that is normal: each duplicate is one session opened by that IP. The lines "servers)" and "Address" are simply the fifth field of netstat's two header lines, and "2001" is an IPv6 peer address cut at its first colon, because this pipeline does not filter them out (the command in step 6 does).

servers)
Address
24.215.128.64
24.215.128.64
198.41.215.163
24.215.128.64
2001
190.59.42.168
190.59.42.168
190.59.42.168

For port 80

netstat -unt | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1
190.59.42.168
190.59.42.168

2. Show all Active/Unique Connections with their Sessions

netstat -unt | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1

The output shows one IP and 6 sessions, excluding the loopback address.

3 24.215.128.64
2 190.59.42.168
1 servers)
1 Address
1 2001

For port 80

netstat -unt | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1

As you can see, one of the output lines says "24.215.128.64 opened 6 sessions using port 80".

6 24.215.128.64
3 24.215.128.64
2 190.59.42.168

3. Count Only Active/Unique IP Addresses

netstat -ntu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

For port 80

netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

5. Count Only Active Sessions Opened

netstat -ntu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l

This time the output shows only the number of sessions being used by the active/unique IP addresses. My IP opened six sessions.

6

For port 80

netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l
2

Notice that I have used seven commands in one pipeline: netstat, grep, awk, cut, uniq, sort, and wc.

6. Finally, List Active IP Addresses and their Open Sessions to Spot Bad IP Addresses

netstat -unt | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

If you see a repeater IP address with too many sessions, then it has to be a suspicious address. I just spotted 190.59.42.168; it's a bad home-user repeater IP and has negative statistics according to the Symantec check http://ipremoval.sms.symantec.com/lookup/. It has only 2 sessions open, which is not a lot, but it turned out to be an infected machine.

2 190.59.42.168
3 24.215.128.64
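As an added example (not part of the original post), the following POSIX shell script generalizes the step 6 pipeline: it reads netstat -unt output, keeps only tcp/udp lines so the header junk never appears, strips the port from the right so real IPv6 peers survive intact, unmaps ::ffff: addresses, drops loopback peers, and then flags "repeater" peers above a session threshold. The netstat output embedded in SAMPLE is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -unt` output (not from a real host): it has
# netstat's two header lines, an IPv4-mapped IPv6 peer, a native IPv6 peer
# and a loopback connection, i.e. every case the one-liners in the post hit.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      TIME_WAIT
tcp        0      0 203.0.113.10:22         192.0.2.44:40022        ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.7:51237 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:43210     ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:52000         ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.44:5353         ESTABLISHED'

# Read netstat output on stdin and print "<sessions> <peer>" sorted by session
# count, highest first. Only tcp/udp lines are counted (header lines never
# match), the trailing ":port" is removed so IPv6 peers are kept whole, the
# ::ffff: prefix of IPv4-mapped addresses is dropped, and loopback is ignored.
count_sessions() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)      # drop ":port" from the right
            sub(/^::ffff:/, "", peer)      # unmap ::ffff:a.b.c.d
            if (peer == "127.0.0.1" || peer == "::1") next
            n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# The "repeater" check from the post: print only peers holding more than
# $1 sessions, the candidates for a manual look-up and, if warranted, a block.
repeaters() {
    count_sessions | awk -v min="$1" '$1 > min { print }'
}

printf '%s\n' "$SAMPLE" | count_sessions
echo "--- peers with more than 2 sessions ---"
printf '%s\n' "$SAMPLE" | repeaters 2
```

On a live system replace the printf of SAMPLE with `netstat -unt | count_sessions`.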

Once you implement Building Public and Private IPset Blacklists, many of these IPs, such as the bad IP address above, will most probably be blocked depending on their severity. However, I can still add this IP manually to my custom Admin blacklist in case it is not known to the global blacklist yet. I will talk about the Custom Admin Blacklist next.

It turns out that 190.59.42.168 is an infected PC somewhere sending spam. I used the nslookup command, as shown below, which shows a dynamic IP from Trinidad and Tobago Islands, South America; most probably a home user.

[email protected]:~# nslookup 190.59.42.168
Server:         8.8.4.4
Address:        8.8.4.4

Non-authoritative answer:
168.42.59.190.in-addr.arpa      name = 190-59-42-168.dynamic.tstt.net.tt.

Authoritative answers can be found from:

Remember that you only need the above netstat commands if you suspect that your VPS is slow and might be under a heavy attack, or if you want to spot and block a bad repeater IP address that is not yet known to the global blacklist resources.
