SSH brute-force break-in attempts from 49.116.40.31

While troubleshooting a problem with a Linux system this evening, I opened Wireshark and noticed a Secure Shell (SSH) packet from an unexpected source address, 49.116.40.31. When I checked the fail2ban log on the system, I noticed that the IP address had been banned temporarily several times today, but break-in attempts resumed whenever the timeout period for the ban expired.

Udemy - April2516-25off-sitewide120x600
# grep '49.116.40.31' /var/log/fail2ban.log | grep 'Ban\|Unban'
2017-01-04 17:20:46,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:30:47,135 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:31:15,276 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:41:16,250 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:41:43,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:51:44,299 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:52:14,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:02:15,243 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:02:43,383 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:12:44,182 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:13:13,323 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:23:14,227 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:24:23,414 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:34:24,183 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:35:33,368 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:45:34,148 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:46:44,331 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:56:45,126 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:57:14,282 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:07:15,124 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:07:44,270 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:17:45,043 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:18:14,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:28:15,111 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:29:23,297 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:39:23,304 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:39:51,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:49:52,326 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:50:21,472 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:00:22,251 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:00:49,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:10:50,192 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:11:19,338 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:21:20,121 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:21:49,263 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:31:50,036 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:33:38,258 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:43:39,059 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:44:37,358 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:54:37,372 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
#

So I implemented a firewall-rule to ban the IP address that will remain effective until the next time the system reboots. The system runs FirewallD as host-based firewall software, so I used the firewall-cmd utility to implement the block.

# firewall-cmd --add-rich-rule="rule family='ipv4' source address='49.116.40.31' reject"
success
#

I checked the country where that IP address is assigned using the geoiplookup tool and found it is assigned to an entity in China. The tool is in GeoIP, a geolocation package, which can be installed on Red Hat derived distributions of Linux, such as CentOS, with yum install geoip. The free version of the software, which I use, is provided by MaxMind

$ geoiplookup 49.116.40.31
GeoIP Country Edition: CN, China

When I checked the /var/log/secure log file on the system, I saw that brute-force break-in attempts from that address started at 5:20 PM local time today and continued for over 3 hours.

# grep '49.116.40.31' /var/log/secure | head -n 5
Jan  4 17:20:32 moonpoint sshd[29115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.116.40.31  user=root
Jan  4 17:20:34 moonpoint sshd[29115]: Failed password for root from 49.116.40.31 port 57395 ssh2
Jan  4 17:20:36 moonpoint sshd[29115]: Failed password for root from 49.116.40.31 port 57395 ssh2
Jan  4 17:20:38 moonpoint sshd[29115]: Failed password for root from 49.116.40.31 port 57395 ssh2
Jan  4 17:20:40 moonpoint sshd[29115]: Failed password for root from 49.116.40.31 port 57395 ssh2
# grep '49.116.40.31' /var/log/secure | tail -n 5
Jan  4 20:44:24 moonpoint sshd[15364]: Failed password for root from 49.116.40.31 port 57485 ssh2
Jan  4 20:44:28 moonpoint sshd[15377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.116.40.31  user=root
Jan  4 20:44:30 moonpoint sshd[15377]: Failed password for root from 49.116.40.31 port 57860 ssh2
Jan  4 20:44:37 moonpoint sshd[15384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.116.40.31  user=root
Jan  4 20:44:39 moonpoint sshd[15384]: Failed password for root from 49.116.40.31 port 58243 ssh2
#

Such attackers often use a dictionary attack by trying common account names for accounts with administrative level access, such as root, administrator, or admin paired with all possible words in a dictionary as a password and perhaps also a list of passwords known to be commonly used.

This particular IP address is associated with attempts to break into other systems as well. E.g., the IP address is in Rutgers University's IP List of SSH Brute force attackers and is also on the BruteForcers blacklist for an attack on November 13, 2016:

INTERNAL ID ATTACK DATE IP ADDRESS TYPE COUNTRY ORGANISATION
91416 2016-11-13 49.116.40.31 SSH China CHINANET xinjiang province network

Since the IP address is assigned to an entity in China, the responsible regional Internet registry (RIR) is the Asia-Pacific Network Information Centre (APNIC). The full information from APNIC on the assignment of the IP address can be seen from a whois command.



DJI Phantom 3 Drone
# whois 49.116.40.31
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '49.112.0.0 - 49.119.255.255'

inetnum:        49.112.0.0 - 49.119.255.255
netname:        CHINANET-XJ
descr:          CHINANET xinjiang province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        CH93-AP
tech-c:         IC83-AP
status:         ALLOCATED PORTABLE
notify:         guoming@xjtelecom.com.cn
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CN-CHINANET-XINJIANG
mnt-routes:     MAINT-CN-CHINANET-XINJIANG
source:         APNIC
mnt-irt:        IRT-CHINANET-CN
changed:        hm-changed@apnic.net 20101022

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@ns.chinanet.cn.net
abuse-mailbox:  anti-spam@ns.chinanet.cn.net
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET
changed:        anti-spam@ns.chinanet.cn.net 20101115
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        dingsy@cndata.com 20070416
changed:        zhengzm@gsta.com 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

person:         IPMASTER CHINANET-GD
nic-hdl:        IC83-AP
e-mail:         gdnoc_HLWI@189.cn
address:        NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone:          +86-20-87189274
fax-no:         +86-20-87189274
country:        CN
changed:        ipadm@189.cn 20110418
changed:        zhengzm@gsta.com 20140922
mnt-by:         MAINT-CHINANET-GD
remarks:        IPMASTER is not for spam complaint,please send spam complaint to abuse_gdnoc@189.cn
abuse-mailbox:  antispam_gdnoc@189.cn
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)


#