SSH brute-force break-in attempts from

While troubleshooting a problem with a Linux system this evening, I opened Wireshark and noticed a Secure Shell (SSH) packet from an unexpected source address, When I checked the fail2ban log on the system, I noticed that the IP address had been banned temporarily several times today, but break-in attempts resumed whenever the timeout period for the ban expired.

Udemy - April2516-25off-sitewide120x600
# grep '' /var/log/fail2ban.log | grep 'Ban\|Unban'
2017-01-04 17:20:46,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 17:30:47,135 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 17:31:15,276 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 17:41:16,250 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 17:41:43,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 17:51:44,299 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 17:52:14,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:02:15,243 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:02:43,383 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:12:44,182 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:13:13,323 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:23:14,227 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:24:23,414 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:34:24,183 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:35:33,368 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:45:34,148 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:46:44,331 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 18:56:45,126 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 18:57:14,282 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:07:15,124 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:07:44,270 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:17:45,043 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:18:14,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:28:15,111 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:29:23,297 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:39:23,304 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:39:51,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 19:49:52,326 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 19:50:21,472 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:00:22,251 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:00:49,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:10:50,192 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:11:19,338 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:21:20,121 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:21:49,263 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:31:50,036 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:33:38,258 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:43:39,059 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan
2017-01-04 20:44:37,358 fail2ban.actions        [25142]: NOTICE  [sshd] Ban
2017-01-04 20:54:37,372 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan

So I implemented a firewall-rule to ban the IP address that will remain effective until the next time the system reboots. The system runs FirewallD as host-based firewall software, so I used the firewall-cmd utility to implement the block.

# firewall-cmd --add-rich-rule="rule family='ipv4' source address='' reject"

I checked the country where that IP address is assigned using the geoiplookup tool and found it is assigned to an entity in China. The tool is in GeoIP, a geolocation package, which can be installed on Red Hat derived distributions of Linux, such as CentOS, with yum install geoip. The free version of the software, which I use, is provided by MaxMind

$ geoiplookup
GeoIP Country Edition: CN, China

When I checked the /var/log/secure log file on the system, I saw that brute-force break-in attempts from that address started at 5:20 PM local time today and continued for over 3 hours.

# grep '' /var/log/secure | head -n 5
Jan  4 17:20:32 moonpoint sshd[29115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
Jan  4 17:20:34 moonpoint sshd[29115]: Failed password for root from port 57395 ssh2
Jan  4 17:20:36 moonpoint sshd[29115]: Failed password for root from port 57395 ssh2
Jan  4 17:20:38 moonpoint sshd[29115]: Failed password for root from port 57395 ssh2
Jan  4 17:20:40 moonpoint sshd[29115]: Failed password for root from port 57395 ssh2
# grep '' /var/log/secure | tail -n 5
Jan  4 20:44:24 moonpoint sshd[15364]: Failed password for root from port 57485 ssh2
Jan  4 20:44:28 moonpoint sshd[15377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
Jan  4 20:44:30 moonpoint sshd[15377]: Failed password for root from port 57860 ssh2
Jan  4 20:44:37 moonpoint sshd[15384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
Jan  4 20:44:39 moonpoint sshd[15384]: Failed password for root from port 58243 ssh2

Such attackers often use a dictionary attack by trying common account names for accounts with administrative level access, such as root, administrator, or admin paired with all possible words in a dictionary as a password and perhaps also a list of passwords known to be commonly used.

This particular IP address is associated with attempts to break into other systems as well. E.g., the IP address is in Rutgers University's IP List of SSH Brute force attackers and is also on the BruteForcers blacklist for an attack on November 13, 2016:

91416 2016-11-13 SSH China CHINANET xinjiang province network

Since the IP address is assigned to an entity in China, the responsible regional Internet registry (RIR) is the Asia-Pacific Network Information Centre (APNIC). The full information from APNIC on the assignment of the IP address can be seen from a whois command.

DJI Phantom 3 Drone
# whois
% []
% Whois data copyright terms

% Information related to ' -'

inetnum: -
netname:        CHINANET-XJ
descr:          CHINANET xinjiang province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        CH93-AP
tech-c:         IC83-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
source:         APNIC
mnt-irt:        IRT-CHINANET-CN
changed: 20101022

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET
changed: 20101115
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed: 20070416
changed: 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

person:         IPMASTER CHINANET-GD
nic-hdl:        IC83-AP
phone:          +86-20-87189274
fax-no:         +86-20-87189274
country:        CN
changed: 20110418
changed: 20140922
mnt-by:         MAINT-CHINANET-GD
remarks:        IPMASTER is not for spam complaint,please send spam complaint to
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)