Re: SFTP question
Hi Guys,
As a matter of interest, after I installed fail2ban I got this on ssh:
###################################################################################################
Hi,
The IP 122.225.109.103 has just been banned by Fail2Ban after
3 attempts against ssh.
Here are more information about 122.225.109.103:
Lines containing IP:122.225.109.103 in /var/log/auth.log
Dec 24 21:13:10 fever sshd[3565]: Connection from 122.225.109.103 port 24974
Dec 24 21:13:18 fever sshd[3565]: User root from 122.225.109.103 not allowed because not listed in AllowUsers
Dec 24 21:13:19 fever sshd[3565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.109.103 user=root
Dec 24 21:13:21 fever sshd[3565]: Failed password for invalid user root from 122.225.109.103 port 24974 ssh2
Dec 24 21:13:23 fever sshd[3565]: Failed password for invalid user root from 122.225.109.103 port 24974 ssh2
Dec 24 21:13:23 fever sshd[3565]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.109.103 user=root
Dec 24 21:13:24 fever sshd[3702]: Connection from 122.225.109.103 port 33237
Regards,
Fail2Ban
###################################################################################################
and:
###################################################################################################
Hi,
The IP 182.18.134.5 has just been banned by Fail2Ban after
3 attempts against ssh.
Here are more information about 182.18.134.5:
Lines containing IP:182.18.134.5 in /var/log/auth.log
Dec 24 20:10:05 fever sshd[30724]: Connection from 182.18.134.5 port 44125
Dec 24 20:10:09 fever sshd[30724]: reverse mapping checking getaddrinfo for static-182.18.134-5.ctrls.in [182.18.134.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 20:10:09 fever sshd[30724]: Invalid user a from 182.18.134.5
Dec 24 20:10:09 fever sshd[30724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.18.134.5
Dec 24 20:10:12 fever sshd[30724]: Failed password for invalid user a from 182.18.134.5 port 44125 ssh2
Dec 24 20:10:12 fever sshd[30724]: Received disconnect from 182.18.134.5: 11: Bye Bye [preauth]
Dec 24 20:10:12 fever sshd[30729]: Connection from 182.18.134.5 port 46657
Dec 24 20:10:16 fever sshd[30729]: reverse mapping checking getaddrinfo for static-182.18.134-5.ctrls.in [182.18.134.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 20:10:16 fever sshd[30729]: Invalid user accessops from 182.18.134.5
Dec 24 20:10:16 fever sshd[30729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.18.134.5
Dec 24 20:10:18 fever sshd[30729]: Failed password for invalid user accessops from 182.18.134.5 port 46657 ssh2
Regards,
Fail2Ban
###################################################################################################
and
###################################################################################################
Hi,
The IP 61.174.50.251 has just been banned by Fail2Ban after
3 attempts against ssh.
Here are more information about 61.174.50.251:
Lines containing IP:61.174.50.251 in /var/log/auth.log
Dec 24 19:07:59 fever sshd[25682]: Connection from 61.174.50.251 port 44941
Dec 24 19:08:04 fever sshd[25682]: reverse mapping checking getaddrinfo for 251.50.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.50.251] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 19:08:04 fever sshd[25682]: User root from 61.174.50.251 not allowed because not listed in AllowUsers
Dec 24 19:08:04 fever sshd[25682]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.50.251 user=root
Dec 24 19:08:06 fever sshd[25682]: Failed password for invalid user root from 61.174.50.251 port 44941 ssh2
Dec 24 19:08:09 fever sshd[25682]: Failed password for invalid user root from 61.174.50.251 port 44941 ssh2
Dec 24 19:08:09 fever sshd[25682]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.50.251 user=root
Dec 24 19:08:10 fever sshd[25733]: Connection from 61.174.50.251 port 47735
Regards,
Fail2Ban
###################################################################################################
and
###################################################################################################
Hi,
The IP 122.225.103.124 has just been banned by Fail2Ban after
3 attempts against ssh.
Here are more information about 122.225.103.124:
Lines containing IP:122.225.103.124 in /var/log/auth.log
Dec 24 16:19:16 fever sshd[10766]: Connection from 122.225.103.124 port 12625
Dec 24 16:19:31 fever sshd[10766]: User root from 122.225.103.124 not allowed because not listed in AllowUsers
Dec 24 16:19:32 fever sshd[10766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.103.124 user=root
Dec 24 16:19:33 fever sshd[10766]: Failed password for invalid user root from 122.225.103.124 port 12625 ssh2
Dec 24 16:19:36 fever sshd[10766]: Failed password for invalid user root from 122.225.103.124 port 12625 ssh2
Dec 24 16:19:36 fever sshd[10766]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.103.124 user=root
Regards,
Fail2Ban
###################################################################################################
Thank You
Danny
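
The notifications above each report a ban "after 3 attempts against ssh". The following sketch is an added example, not part of the original message and not Fail2Ban's own code: it counts sshd failures per source address inside a sliding window. The patterns, the 10-minute window, the year and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Illustrative patterns (assumptions, not Fail2Ban's shipped filter). They are
# applied with fullmatch() and a greedy user field, which ties the address to
# the end of the message: a username containing " from 1.2.3.4" cannot swap it.
FAIL_PATTERNS = [
    re.compile(rf"Failed password for (?:invalid user )?.+ from {IP} port \d+ ssh2"),
    re.compile(rf"User .+ from {IP} not allowed because not listed in AllowUsers"),
    re.compile(rf"Invalid user .+ from {IP}(?: port \d+)?"),
]
LINE = re.compile(r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)")

# Constructed sample in the auth.log format shown in the notifications.
SAMPLE = """\
Dec 24 21:13:10 host sshd[100]: Connection from 203.0.113.7 port 24974
Dec 24 21:13:18 host sshd[100]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Dec 24 21:13:19 host sshd[100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Dec 24 21:13:21 host sshd[100]: Failed password for invalid user root from 203.0.113.7 port 24974 ssh2
Dec 24 21:13:23 host sshd[100]: Failed password for invalid user root from 203.0.113.7 port 24974 ssh2
Dec 24 21:20:00 host sshd[101]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Dec 24 21:45:00 host sshd[102]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Dec 24 22:10:00 host sshd[103]: Failed password for alice from 198.51.100.9 port 40002 ssh2
""".splitlines()

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2024):
    """Return {ip: time the threshold was reached}; syslog lines carry no year, so one is assumed."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        hit = next(filter(None, (p.fullmatch(m["msg"]) for p in FAIL_PATTERNS)), None)
        if not hit or hit["ip"] in offenders:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent[hit["ip"]] = [t for t in recent[hit["ip"]] if when - t <= find_time] + [when]
        if len(recent[hit["ip"]]) >= max_retry:
            offenders[hit["ip"]] = when
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

The second address in the sample fails three times as well, but spread over 50 minutes, so it only crosses the threshold when the window is widened.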