Found some strange messages in NTPSec’s logs, starting with “EX-REQ:”, and as far as I’ve gathered, it means the server refused a request? So I decided to have a bit of fun, extracting and grouping the IP addresses by GeoIP and scoring each country based on number of offenders, like so:
for ip in $(journalctl -u ntpsec -e | grep "EX-REQ: Count" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u); do geoiplookup "$ip"; done | sort | uniq -c | sort -nr
I decided to exclude IPv6 since there’s only one offender there in my case and I don’t think I’d be able to make a one-liner of a command to deal with both IPv4 and IPv6.
My result:
9 GeoIP Country Edition: DE, Germany
7 GeoIP Country Edition: NO, Norway
2 GeoIP Country Edition: RS, Serbia
2 GeoIP Country Edition: KR, Korea, Republic of
1 GeoIP Country Edition: UA, Ukraine
1 GeoIP Country Edition: NL, Netherlands
1 GeoIP Country Edition: CZ, Czech Republic
1 GeoIP Country Edition: CN, China
1 GeoIP Country Edition: CA, Canada
And total offenses per country:
for ip in $(journalctl -u ntpsec -e | grep "EX-REQ: Count" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -V); do geoiplookup "$ip"; done | sort | uniq -c | sort -nr
My result:
206 GeoIP Country Edition: NO, Norway
35 GeoIP Country Edition: RS, Serbia
12 GeoIP Country Edition: DE, Germany
4 GeoIP Country Edition: CA, Canada
3 GeoIP Country Edition: KR, Korea, Republic of
3 GeoIP Country Edition: CZ, Czech Republic
1 GeoIP Country Edition: UA, Ukraine
1 GeoIP Country Edition: NL, Netherlands
1 GeoIP Country Edition: CN, China
My server: 185.175.56.208
Anyone else want a go?
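
An added example, not part of the original post: the same scoring split into small shell functions so that IPv4 and IPv6 offenders are counted together. It assumes `geoiplookup6` from the same legacy GeoIP tools is installed with an IPv6 country database; the function names are illustrative and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the poster's command. Function names are illustrative.

# Constructed sample input. Only the "EX-REQ: Count" marker comes from the
# post; the rest of each line's layout is assumed.
sample_log() {
cat <<'EOF'
Jan 05 10:15:01 host ntpd[812]: EX-REQ: Count=1 from 192.0.2.10
Jan 05 10:15:09 host ntpd[812]: EX-REQ: Count=2 from 192.0.2.10
Jan 05 10:16:44 host ntpd[812]: EX-REQ: Count=1 from 2001:db8::53
Jan 05 10:17:02 host ntpd[812]: DNS: resolved 198.51.100.7
EOF
}

# Print every IPv4/IPv6 address found on EX-REQ lines read from stdin.
# The text up to the marker is cut first so that hh:mm:ss timestamps are
# not mistaken for IPv6 groups.
extract_offenders() {
    grep -F 'EX-REQ: Count' |
    sed 's/^.*EX-REQ: Count//' |
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}|([0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}'
}

# Pick the legacy GeoIP tool by address family (a colon means IPv6).
lookup_tool() {
    case $1 in
        *:*) echo geoiplookup6 ;;
        *)   echo geoiplookup ;;
    esac
}

lookup_country() { "$(lookup_tool "$1")" "$1"; }

# Read addresses from stdin, print "count country", highest first.
# The "...Edition:" prefix is dropped so v4 and v6 hits share one line.
score_countries() {
    while IFS= read -r ip; do
        lookup_country "$ip" | sed 's/^[^:]*: //'
    done | sort | uniq -c | sort -nr
}

# Offenders per country:  sh ex-req.sh --journal
# Offenses per country:   drop the "sort -u" stage
if [ "${1:-}" = "--journal" ]; then
    journalctl -u ntpsec -e | extract_offenders | sort -u | score_countries
fi
```

The IPv6 pattern is a loose candidate match rather than a validator, so an IPv4-mapped form such as `::ffff:a.b.c.d` would be cut at the first dot.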