I didn't know that I had my firewall running for such a long time. I discovered my portsentry.history file and found it going back to November 2005. I did a quick analysis of the file and came up with some numbers. (firewall + portsentry doc: http://docs.google.com/Doc?id=d6hvqjv_55gq83jz)
I didn't go into very deep detail with the stats, like pie charts and what not. I just used grep with some regex.
Blocked hosts by year.
2006 - 1077
2007 - 427
2008 - 675
Blocked hosts by port.
SSH - 1348
Telnet - 999
When setting up Portsentry, I was making the assumption that port scans would start at a low port number and work their way up the ports. While there are more SSH connections, there are still quite a good number of Telnet probes. Two possible reasons are either random ports (not sequential like I anticipated), or distributed port scans. The idea of a distributed scan is really cool because even if I block a host on the SSH port, the attacker can continue probing for open ports from other hosts. It's nearly impossible to prevent.
Something that I found surprising was the probes by country. I was positive that China was going to rank number one. That and maybe Russia. It turns out that the top three were Brazil, Italy, and France.
Blocked hosts by country.
BR - 47
IT - 33
FR - 33
JP - 32
DE - 31
MX - 25
CO - 22
TW - 21
CN - 18
RU - 16
China and Russia came in much further down the list than I originally anticipated.
I did a basic grep for hosts that start with mail, www, or ns to get a sample of likely hacked mail, web and dns servers.
Mail Servers - 52
Web Servers - 22
DNS Servers - 16
The mail servers took the cake.
Finally, a look at ISPs.
Comcast - 75
Road Runner - 40
Wanadoo - 21
Charter - 17
Shaw - 14
Another shocker for me was Wanadoo, which is a French ISP.
Anyway, I had some fun looking at the logs and thought I'd share. It's only a sample, and most of the hosts in the log are just IP addresses that don't resolve so they were pretty much useless.
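To make the grep-based counting above reproducible, here is an added Python example (not from the original post) that parses a portsentry.history file and produces the same kinds of tallies: blocked hosts by year, by port, by country, and by likely server role. It assumes the common portsentry.history line layout (`<epoch> - <MM/DD/YYYY> <HH:MM:SS> Host: <name>/<ip> Port: <port> <proto> Blocked`), derives the country from the two-letter ccTLD of the reverse name (the post does not say how the country was determined, so that is an assumption), and mirrors the post's hostname-prefix grep for mail/www/ns. The sample lines are constructed for the example; unresolved hosts (name equal to IP) are counted by year and port but skipped for country and role, which is the limitation the post notes at the end.

```python
import re
import sys
from collections import Counter

# Assumed portsentry.history line layout (this example's assumption, not
# verified against the author's file):
#   <epoch> - <MM/DD/YYYY> <HH:MM:SS> Host: <name>/<ip> Port: <port> <proto> Blocked
LINE_RE = re.compile(
    r"^(?P<epoch>\d+) - (?P<date>\d{2}/\d{2}/(?P<year>\d{4})) \S+ "
    r"Host: (?P<name>[^/\s]+)/(?P<ip>[\d.]+) Port: (?P<port>\d+) "
    r"(?P<proto>TCP|UDP) Blocked$"
)

# Friendly names for the two ports the post reports on; others keep the number.
PORT_NAMES = {22: "SSH", 23: "Telnet"}

# Hostname prefixes the post grepped for, and the labels it used for them.
ROLE_PREFIXES = {"mail": "Mail Servers", "www": "Web Servers", "ns": "DNS Servers"}

# Constructed sample lines, not taken from the author's log.
SAMPLE_HISTORY = """\
1136073600 - 01/01/2006 00:00:00 Host: 200.1.2.3/200.1.2.3 Port: 22 TCP Blocked
1141200000 - 03/01/2006 08:00:00 Host: mail.example.com.br/200.5.6.7 Port: 23 TCP Blocked
1170000000 - 01/28/2007 16:00:00 Host: ns1.example.it/151.1.2.3 Port: 22 TCP Blocked
1200000000 - 01/10/2008 21:20:00 Host: www.example.fr/82.1.2.3 Port: 22 TCP Blocked
1210000000 - 05/05/2008 15:06:40 Host: 61.1.2.3/61.1.2.3 Port: 23 TCP Blocked
this line is malformed and must be skipped rather than crash the parser
"""


def parse_history(text):
    """Return one record per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, ip = m.group("name"), m.group("ip")
        records.append({
            "year": int(m.group("year")),
            "name": name,
            "ip": ip,
            "port": int(m.group("port")),
            # portsentry writes name/ip; when reverse DNS failed, name == ip.
            "resolved": name != ip,
        })
    return records


def blocked_by_year(records):
    return Counter(r["year"] for r in records)


def blocked_by_port(records):
    return Counter(PORT_NAMES.get(r["port"], str(r["port"])) for r in records)


def blocked_by_country(records):
    """Country taken from the ccTLD of the reverse name (assumption: a 2-letter
    last label is a country code). Unresolved hosts cannot be placed and are skipped."""
    counts = Counter()
    for r in records:
        if not r["resolved"]:
            continue
        tld = r["name"].rsplit(".", 1)[-1].lower()
        if len(tld) == 2 and tld.isalpha():
            counts[tld.upper()] += 1
    return counts


def likely_server_roles(records):
    """Mirror the post's grep: first hostname label starting with mail/www/ns.
    Like the grep, a prefix match ('ns' also matches 'nsomething') is accepted."""
    counts = Counter()
    for r in records:
        if not r["resolved"]:
            continue
        first_label = r["name"].split(".", 1)[0].lower()
        for prefix, label in ROLE_PREFIXES.items():
            if first_label.startswith(prefix):
                counts[label] += 1
                break
    return counts


def unresolved_count(records):
    """How many blocked hosts had no reverse name at all."""
    return sum(1 for r in records if not r["resolved"])


def report(text):
    records = parse_history(text)
    print("Blocked hosts by year:", dict(blocked_by_year(records)))
    print("Blocked hosts by port:", dict(blocked_by_port(records)))
    print("Blocked hosts by country:", dict(blocked_by_country(records)))
    print("Likely server roles:", dict(likely_server_roles(records)))
    print("Unresolved hosts:", unresolved_count(records), "of", len(records))


if __name__ == "__main__":
    # Usage: python portsentry_stats.py /path/to/portsentry.history
    # With no path, the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            report(f.read())
    else:
        report(SAMPLE_HISTORY)
```

Lines that do not match the expected layout are skipped instead of aborting the run, since a history file that spans years tends to accumulate an odd line or two. The country tally is only as good as reverse DNS: on a log where most entries are bare IPs, as the post describes, the by-year and by-port counts are reliable while the by-country and by-role counts describe a small resolved subset.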
Wednesday, September 17, 2008