There are many types of computer intrusions. Some are attempts to get my web server to do something wrong and give control to the hacker. Others are attempts to use my system as a spam email gateway to send garbage to millions of users worldwide. There are even presumably innocent people from a banned country that merely happen upon my website. However the more blatant attempts include trying to crash my server, break into the database or brute force guess my passwords.
The most direct attacks, though, are from people who believe there is SSH access to my server. With SSH you can log into a server and run programs. If you also happen to know the administrator credentials, then you can install your own software, modify user records, spy on other users, pretend to be other users and cause all kinds of mischief. These types of attacks, though, are very obvious. People attempting to access my server using SSH have only one goal in mind: to break in.
What these wanna-be hackers likely do not know is that I track all of these attempts to break into my systems. The data I collect can then be turned into lists of “bad” Internet addresses that I ban from accessing my systems. Is it 100% accurate? Likely not. The nature of many Internet addresses is that they could be temporarily assigned to the hacker. Later, if another innocent user is given that address, then they too are banned, even though they might not have been the one who caused the ban.
At one time I had a little sympathy for these incorrectly banned users, but I got over it soon. When I saw that the majority of traffic coming from certain countries (Hi China!, Hi Russia!) was almost exclusively attempts to break in I decided that since this is my website and not theirs, I will ban all of them. Period. I would rather my site remains safe and running for anyone else who might want to access it.
As a service to anyone who might be interested, I make these lists of intruders available for anyone (assuming they themselves are not banned) to access. They are provided in three basic formats, one for those who use Peerblock (Windows) to ban access, one for those who use iptables and a final one for anyone using ipset (which is what I use).
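The pipeline described above, from tracked SSH failures to the three list formats, as an added example that is not the author's own tooling. The auth.log lines are constructed, the ban threshold of three failed logins is an assumption, and the set name `intruders` is a placeholder; the output formats are the standard PeerBlock p2p text format (`label:start-end`), plain `iptables` DROP rules, and an `ipset restore` file.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not from the author's server).
# One address fails three times, one fails once with an invalid user,
# and a legitimate user mistypes a password once after a key login.
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:07 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:09 host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 02:11:12 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 02:11:15 host sshd[1205]: Invalid user oracle from 198.51.100.23 port 40011
Mar  3 02:11:16 host sshd[1205]: Failed password for invalid user oracle from 198.51.100.23 port 40011 ssh2
Mar  3 02:12:00 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 02:12:30 host sshd[1212]: Failed password for alice from 192.0.2.10 port 50030 ssh2
"""

# Matches the standard sshd "Failed password" message, with or without
# the "invalid user" marker, and captures the source address.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def to_peerblock(addrs, label="intruders"):
    """PeerBlock p2p format: one 'label:first-last' range per line."""
    lines = []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)  # a bare IP becomes a /32
        lines.append(f"{label}:{net.network_address}-{net.broadcast_address}")
    return "\n".join(lines) + "\n"


def to_iptables(addrs):
    """One iptables DROP rule per address or CIDR block."""
    return "".join(f"iptables -A INPUT -s {a} -j DROP\n" for a in addrs)


def to_ipset(addrs, setname="intruders"):
    """Input for `ipset restore`: a create line followed by one add per entry."""
    out = [f"create {setname} hash:net family inet"]
    out += [f"add {setname} {a}" for a in addrs]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    banned = offenders(count_failures(SAMPLE_AUTH_LOG))
    print(to_peerblock(banned))
    print(to_iptables(banned))
    print(to_ipset(banned))
```

With the constructed log only 203.0.113.5 crosses the threshold; the single mistyped password from 192.0.2.10 does not, which is the point of requiring repeated failures before banning. The ipset file is loaded with `ipset -exist restore < intruders.set`, after which a single rule, `iptables -I INPUT -m set --match-set intruders src -j DROP`, covers every entry, so the set can be refreshed without touching the rule list.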
Feel free to make use of any of these as a basis for keeping your systems safer.