Re: SFTP question



Hi Guys,

As a matter of interest, after I installed fail2ban I got this on ssh:

###################################################################################################
Hi,

The IP 122.225.109.103 has just been banned by Fail2Ban after
3 attempts against ssh.


Here are more information about 122.225.109.103:

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '122.225.109.0 - 122.225.109.127'

inetnum:        122.225.109.0 - 122.225.109.127
netname:        DINGQI-NETWORK-TECHNOLOGY
country:        CN
descr:          Shaoxing Dingqi Network Technology Co., Ltd.
descr:
admin-c:        JS2095-AP
tech-c:         CH119-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ASSIGNED NON-PORTABLE
changed:        auto-dbm@dcb.hz.zj.cn 20110707
mnt-by:         MAINT-CN-CHINANET-ZJ-HU
source:         APNIC

irt:            IRT-CHINANET-ZJ
address:        Hangzhou, 288 fucun Road, China
e-mail:         lfliu@pubinfo.com.cn
abuse-mailbox:  antispam@dcb.hz.zj.cn
admin-c:        CZ61-AP
tech-c:         CZ61-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET-ZJ
changed:        auto-dbm@dcb.hz.zj.cn 20101129
source:         APNIC

role:           CHINANET-ZJ Huzhou
address:        No.18 Hongqi Road,Huzhou,Zhejiang.313000
country:        CN
phone:          +86-572-2022163
fax-no:         +86-572-2210609
e-mail:         anti_spam@mail.huptt.zj.cn
remarks:        send spam reports to anti_spam@mail.huptt.zj.cn
remarks:        and abuse reports to anti_spam@mail.huptt.zj.cn
remarks:        Please include detailed information and times in UTC
admin-c:        CH50-AP
tech-c:         CH50-AP
nic-hdl:        CH119-AP
mnt-by:         MAINT-CHINANET-ZJ
changed:        master@dcb.hz.zj.cn 20031204
source:         APNIC
changed:        hm-changed@apnic.net 20111114

person:         Jinwei Sun
nic-hdl:        JS2095-AP
e-mail:         anti_spam@mail.huptt.zj.cn
address:        Huzhou,Zhejiang.Postcode:313000
phone:          +86-18657530001
country:        CN
changed:        auto-dbm@dcb.hz.zj.cn 20110707
mnt-by:         MAINT-CN-CHINANET-ZJ-HU
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)


Lines containing IP:122.225.109.103 in /var/log/auth.log

Dec 24 21:13:10 fever sshd[3565]: Connection from 122.225.109.103 port 24974
Dec 24 21:13:18 fever sshd[3565]: User root from 122.225.109.103 not allowed because not listed in AllowUsers
Dec 24 21:13:19 fever sshd[3565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.109.103  user=root
Dec 24 21:13:21 fever sshd[3565]: Failed password for invalid user root from 122.225.109.103 port 24974 ssh2
Dec 24 21:13:23 fever sshd[3565]: Failed password for invalid user root from 122.225.109.103 port 24974 ssh2
Dec 24 21:13:23 fever sshd[3565]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.109.103  user=root
Dec 24 21:13:24 fever sshd[3702]: Connection from 122.225.109.103 port 33237


Regards,

Fail2Ban
###################################################################################################

and:

###################################################################################################
Hi,

The IP 182.18.134.5 has just been banned by Fail2Ban after
3 attempts against ssh.


Here are more information about 182.18.134.5:

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '182.18.128.0 - 182.18.191.255'

inetnum:        182.18.128.0 - 182.18.191.255
netname:        PEL-IN
descr:          Pioneer Elabs Ltd.
country:        IN
admin-c:        PSR1-AP
tech-c:         II45-AP
mnt-by:         MAINT-IN-IRINN
mnt-lower:      MAINT-IN-IPAPELABS
mnt-routes:     MAINT-IN-IPAPELABS
mnt-irt:        IRT-PEL-IN
status:         ALLOCATED PORTABLE
changed:        hm-changed@apnic.net 20130705
source:         APNIC

irt:            IRT-PEL-IN
address:        Pioneer Elabs Ltd.
address:        #3D, Samrat Commercial Complex,
address:        Saifabad, hyderabad - 500004
address:        Andra Pradesh, India
e-mail:         abuse@ctrls.in
abuse-mailbox:  abuse@ctrls.in
admin-c:        PSR1-AP
tech-c:         II45-AP
auth:           # Filtered
mnt-by:         MAINT-IN-IPAPELABS
changed:        abuse@ctrls.in 20101202
source:         APNIC

person:         IP Administrator IP Administrator Pioneer Elabs
nic-hdl:        II45-AP
e-mail:         ip.admin@pioneerelabs.com
address:        Ground Floor, Pioneer Towers, Plot No.16,
address:        APIIC Software Units Layout,
address:        Madhapur,
address:        Hyderabad - 500081
phone:          +91-404-2030700
fax-no:         +91-402-3116055
country:        IN
changed:        ip.admin@pioneerelabs.com 20121128
mnt-by:         MAINT-IN-IPAPELABS
changed:        hm-changed@apnic.net 20121130
source:         APNIC

person:         Pinnapureddy Sridhar Reddy
address:        CtrlS Datacenters Ltd.
address:        7th Floor, Pioneer Towers,
address:        Plot No.16, APIIC Software Units Layout,
address:        Madhapur,
address:        Hyderabad - 500081
country:        IN
phone:          +91-40-42030700
fax-no:         +91-40-23116055
e-mail:         admin@ctrls.in
nic-hdl:        PSR1-AP
mnt-by:         MAINT-IN-PSREDDY
changed:        hostmaster@apnic.net 19990702
changed:        hm-changed@apnic.net 20101230
changed:        nirmal_gk@pioneerelabs.com 20101230
changed:        nirmal_gk@pioneerelabs.com 20111129
source:         APNIC

% Information related to '182.18.134.0/24AS18229'

route:          182.18.134.0/24
descr:          CtrlS
origin:         AS18229
mnt-by:         MAINT-IN-IPAPELABS
changed:        ip.admin@pioneerelabs.com 20130107
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)


Lines containing IP:182.18.134.5 in /var/log/auth.log

Dec 24 20:10:05 fever sshd[30724]: Connection from 182.18.134.5 port 44125
Dec 24 20:10:09 fever sshd[30724]: reverse mapping checking getaddrinfo for static-182.18.134-5.ctrls.in [182.18.134.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 20:10:09 fever sshd[30724]: Invalid user a from 182.18.134.5
Dec 24 20:10:09 fever sshd[30724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.18.134.5 
Dec 24 20:10:12 fever sshd[30724]: Failed password for invalid user a from 182.18.134.5 port 44125 ssh2
Dec 24 20:10:12 fever sshd[30724]: Received disconnect from 182.18.134.5: 11: Bye Bye [preauth]
Dec 24 20:10:12 fever sshd[30729]: Connection from 182.18.134.5 port 46657
Dec 24 20:10:16 fever sshd[30729]: reverse mapping checking getaddrinfo for static-182.18.134-5.ctrls.in [182.18.134.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 20:10:16 fever sshd[30729]: Invalid user accessops from 182.18.134.5
Dec 24 20:10:16 fever sshd[30729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.18.134.5 
Dec 24 20:10:18 fever sshd[30729]: Failed password for invalid user accessops from 182.18.134.5 port 46657 ssh2


Regards,

Fail2Ban
###################################################################################################

and

###################################################################################################
Hi,

The IP 61.174.50.251 has just been banned by Fail2Ban after
3 attempts against ssh.


Here are more information about 61.174.50.251:

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '61.174.48.0 - 61.174.55.255'

inetnum:        61.174.48.0 - 61.174.55.255
netname:        CHINANET-ZJ-HU
country:        CN
descr:          CHINANET-ZJ Huzhou node network
descr:          Zhejiang Telecom
admin-c:        CZ4-AP
tech-c:         CH119-AP
mnt-irt:        IRT-CHINANET-ZJ
status:         ALLOCATED NON-PORTABLE
changed:        15325819758@189.cn 20111231
mnt-by:         MAINT-CHINANET-ZJ
mnt-lower:      MAINT-CN-CHINANET-ZJ-HU
source:         APNIC

irt:            IRT-CHINANET-ZJ
address:        Hangzhou, 288 fucun Road, China
e-mail:         lfliu@pubinfo.com.cn
abuse-mailbox:  antispam@dcb.hz.zj.cn
admin-c:        CZ61-AP
tech-c:         CZ61-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET-ZJ
changed:        auto-dbm@dcb.hz.zj.cn 20101129
source:         APNIC

role:           CHINANET-ZJ Huzhou
address:        No.18 Hongqi Road,Huzhou,Zhejiang.313000
country:        CN
phone:          +86-572-2022163
fax-no:         +86-572-2210609
e-mail:         anti_spam@mail.huptt.zj.cn
remarks:        send spam reports to anti_spam@mail.huptt.zj.cn
remarks:        and abuse reports to anti_spam@mail.huptt.zj.cn
remarks:        Please include detailed information and times in UTC
admin-c:        CH50-AP
tech-c:         CH50-AP
nic-hdl:        CH119-AP
mnt-by:         MAINT-CHINANET-ZJ
changed:        master@dcb.hz.zj.cn 20031204
source:         APNIC
changed:        hm-changed@apnic.net 20111114

role:           CHINANET ZHEJIANG
address:        No. 257 Qingjiang Road, Hangzhou, Zhejiang.310066
country:        CN
phone:          +86-571-86821752
fax-no:         +86-571-86988329
e-mail:         antispam@dcb.hz.zj.cn
remarks:        send spam reports to antispam@dcb.hz.zj.cn
remarks:        and abuse reports to antispam@dcb.hz.zj.cn
remarks:        Please include detailed information and times in UTC
admin-c:        CZ61-AP
tech-c:         CZ61-AP
nic-hdl:        CZ4-AP
mnt-by:         MAINT-CHINANET-ZJ
changed:        hjh@dcb.hz.zj.cn 20050914
source:         APNIC
changed:        hm-changed@apnic.net 20111114

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)


Lines containing IP:61.174.50.251 in /var/log/auth.log

Dec 24 19:07:59 fever sshd[25682]: Connection from 61.174.50.251 port 44941
Dec 24 19:08:04 fever sshd[25682]: reverse mapping checking getaddrinfo for 251.50.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.50.251] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 19:08:04 fever sshd[25682]: User root from 61.174.50.251 not allowed because not listed in AllowUsers
Dec 24 19:08:04 fever sshd[25682]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.50.251  user=root
Dec 24 19:08:06 fever sshd[25682]: Failed password for invalid user root from 61.174.50.251 port 44941 ssh2
Dec 24 19:08:09 fever sshd[25682]: Failed password for invalid user root from 61.174.50.251 port 44941 ssh2
Dec 24 19:08:09 fever sshd[25682]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.50.251  user=root
Dec 24 19:08:10 fever sshd[25733]: Connection from 61.174.50.251 port 47735


Regards,

Fail2Ban
###################################################################################################

and

###################################################################################################
Hi,

The IP 122.225.103.124 has just been banned by Fail2Ban after
3 attempts against ssh.


Here are more information about 122.225.103.124:



Lines containing IP:122.225.103.124 in /var/log/auth.log

Dec 24 16:19:16 fever sshd[10766]: Connection from 122.225.103.124 port 12625
Dec 24 16:19:31 fever sshd[10766]: User root from 122.225.103.124 not allowed because not listed in AllowUsers
Dec 24 16:19:32 fever sshd[10766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.103.124  user=root
Dec 24 16:19:33 fever sshd[10766]: Failed password for invalid user root from 122.225.103.124 port 12625 ssh2
Dec 24 16:19:36 fever sshd[10766]: Failed password for invalid user root from 122.225.103.124 port 12625 ssh2
Dec 24 16:19:36 fever sshd[10766]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.103.124  user=root


Regards,

Fail2Ban
###################################################################################################

Thank You

Danny
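Replaying a few of the auth.log lines quoted in the notices above through a fail2ban-style counter shows why each host was banned on its third failure, and that the "reverse mapping ... POSSIBLE BREAK-IN ATTEMPT" warning contributes nothing to the count. This is an added example, not code from the post or from fail2ban itself: the patterns are simplified assumptions modelled on fail2ban's sshd filter, maxretry=3 and findtime=600 are assumed settings, and the year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: auth.log lines copied from two of the Fail2Ban notices above.
AUTH_LOG = """\
Dec 24 20:10:09 fever sshd[30724]: reverse mapping checking getaddrinfo for static-182.18.134-5.ctrls.in [182.18.134.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 20:10:09 fever sshd[30724]: Invalid user a from 182.18.134.5
Dec 24 20:10:12 fever sshd[30724]: Failed password for invalid user a from 182.18.134.5 port 44125 ssh2
Dec 24 20:10:16 fever sshd[30729]: Invalid user accessops from 182.18.134.5
Dec 24 20:10:18 fever sshd[30729]: Failed password for invalid user accessops from 182.18.134.5 port 46657 ssh2
Dec 24 21:13:18 fever sshd[3565]: User root from 122.225.109.103 not allowed because not listed in AllowUsers
Dec 24 21:13:21 fever sshd[3565]: Failed password for invalid user root from 122.225.109.103 port 24974 ssh2
Dec 24 21:13:23 fever sshd[3565]: Failed password for invalid user root from 122.225.109.103 port 24974 ssh2
"""

# Assumed, simplified patterns in the spirit of fail2ban's sshd filter (not its real regexes).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    re.compile(r"Failed (?:password|publickey) for .* from " + HOST),
    re.compile(r"User \S+ from " + HOST + r" not allowed because not listed in AllowUsers"),
    re.compile(r"Invalid user \S+ from " + HOST),
]
TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def match_failure(line):
    """Return the remote host if the line counts as an auth failure, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m["host"]
    return None


def find_bans(log_text, maxretry=3, findtime=600, year=2013):
    """Ban a host once it has maxretry failures within findtime seconds; returns {host: ban time}."""
    recent, bans = defaultdict(list), {}
    for line in log_text.splitlines():
        host, m = match_failure(line), TS.match(line)
        if host is None or m is None or host in bans:
            continue  # noise line, unparsable timestamp, or host already banned
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts
    return bans
```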