Wed, Jan 04, 2017 10:32 pm

SSH brute-force break-in attempts from 49.116.40.31

While troubleshooting a problem with a Linux system this evening, I opened Wireshark and noticed a Secure Shell (SSH) packet from an unexpected source address, 49.116.40.31. When I checked the fail2ban log on the system, I noticed that the IP address had been banned temporarily several times today, but break-in attempts resumed whenever the timeout period for the ban expired.

# grep '49.116.40.31' /var/log/fail2ban.log | grep 'Ban\|Unban'
2017-01-04 17:20:46,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:30:47,135 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:31:15,276 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:41:16,250 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:41:43,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:51:44,299 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:52:14,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:02:15,243 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:02:43,383 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:12:44,182 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:13:13,323 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:23:14,227 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:24:23,414 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:34:24,183 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:35:33,368 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:45:34,148 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:46:44,331 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 18:56:45,126 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 18:57:14,282 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:07:15,124 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:07:44,270 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:17:45,043 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:18:14,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:28:15,111 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:29:23,297 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:39:23,304 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:39:51,441 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 19:49:52,326 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 19:50:21,472 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:00:22,251 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:00:49,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:10:50,192 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:11:19,338 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:21:20,121 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:21:49,263 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:31:50,036 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:33:38,258 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:43:39,059 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 20:44:37,358 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 20:54:37,372 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
#

[/security/attacks/ssh] permanent link

Fri, Dec 30, 2016 7:45 pm

SSH break-in attempts from 116.31.116.xxx IP addresses

Yesterday, while using the free and open source packet analyzer software Wireshark to observe network traffic reaching a router, I had set a packet filter in Wireshark to filter on Internet Control Message Protocol (ICMP) traffic. I saw a lot of unexpected ICMP "port unreachable" packets coming from a server behind the router headed outbound to the Internet to the IP address 116.31.116.41.

Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (port unreachable)
    Checksum: 0xa821 [correct]
    [Checksum Status: Good]
    Unused: 00000000

ICMP destination unreachable packets are "generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason." There is a "code" field that follows the "type" field in an ICMP packet. If the code is 3, then it indicates a port unreachable error (the designated protocol is unable to inform the host of the incoming message). When I checked the destination port at the server end, I saw it was 22, which is the well-known port for the Secure Shell (SSH) protocol.
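The reason the destination port is visible at all is that a destination-unreachable message carries, after its own 8-byte ICMP header, a copy of the original IP header plus the first 8 bytes of the rejected datagram, which for TCP are the source port, destination port and sequence number. The following Python is an added example, not code from the original post: it builds such a message for a constructed probe from 116.31.116.41 to a server at the documentation address 192.0.2.10, then decodes it the way Wireshark's dissector does, verifying the RFC 1071 checksum and extracting the quoted addresses and ports. The server address and the client port 51234 are assumptions.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # Type 3: Destination unreachable
ICMP_PORT_UNREACH = 3   # Code 3: port unreachable


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Computed over a message whose checksum field is already filled in,
    the result is 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with no options. The IP header checksum is
    left at zero because only the addresses and protocol matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_port_unreachable(orig_src, orig_dst, orig_sport, orig_dport) -> bytes:
    """Constructed ICMP type 3 / code 3 message quoting the original IP header
    and the first 8 bytes of the rejected TCP segment (sport, dport, seq)."""
    tcp_head = struct.pack("!HHI", orig_sport, orig_dport, 0)
    quoted = ipv4_header(orig_src, orig_dst, socket.IPPROTO_TCP, 40) + tcp_head
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_unreachable(msg: bytes) -> dict:
    """Decode a destination-unreachable message and pull the original
    addresses and ports out of the quoted datagram."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4          # quoted IP header length in bytes
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,
        "port_unreachable": icmp_type == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH,
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
        "orig_sport": sport,
        "orig_dport": dport,
    }


if __name__ == "__main__":
    # Constructed: 116.31.116.41 (from the post) probing an assumed server at
    # 192.0.2.10 on port 22; the server answers with port unreachable.
    msg = build_port_unreachable("116.31.116.41", "192.0.2.10", 51234, 22)
    for key, value in parse_unreachable(msg).items():
        print(f"{key:>16}: {value}")
```

A port-unreachable reply to a TCP SYN is itself a useful clue: a closed TCP port normally answers with RST, so an ICMP port unreachable going back to the probing address usually means a firewall REJECT rule (the kind fail2ban's iptables actions install) is answering instead of the TCP stack.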

[/security/attacks/ssh] permanent link

Tue, Aug 09, 2016 10:26 pm

SSH break-in attempt from 221.229.172.35

When I checked the fail2ban log on one of my servers today, I found that fail2ban had banned IP address 221.229.172.35 for failed attempts to log into the system via Secure Shell (SSH).

# tail -n 10 /var/log/fail2ban.log
2016-08-09 10:12:56,296 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:57,914 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:58,663 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:59,143 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:59,870 fail2ban.actions        [1590]: NOTICE  [sshd] Ban 221.229.172.35
2016-08-09 10:13:00,591 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:13:01,298 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:13:01,522 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:13:03,538 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:13:04,075 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
#
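Both fail2ban excerpts on this page (the repeated Ban/UnBan cycle for 49.116.40.31 in the January 2017 post and the Found/Ban sequence above) can be summarized with the same small log parser. The following Python is an added example, not code from the original posts or from the fail2ban project: it parses "Found", "Ban" and "UnBan" lines, measures how long each ban lasted and how quickly attempts resumed after an unban, and flags addresses banned repeatedly. The sample lines are copied from the two log excerpts on this page; the repeat-offender threshold of three bans is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# One pattern covers fail2ban.filter "Found" lines and fail2ban.actions
# "Ban"/"UnBan" lines; the sub-second part of the timestamp is dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|UnBan)\s+(?P<ip>\S+)\s*$"
)

# Sample lines copied from the two fail2ban.log excerpts on this page.
SAMPLE_LOG = """\
2017-01-04 17:20:46,190 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:30:47,135 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:31:15,276 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:41:16,250 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2017-01-04 17:41:43,390 fail2ban.actions        [25142]: NOTICE  [sshd] Ban 49.116.40.31
2017-01-04 17:51:44,299 fail2ban.actions        [25142]: NOTICE  [sshd] UnBan 49.116.40.31
2016-08-09 10:12:56,296 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:57,914 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:58,663 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:59,143 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
2016-08-09 10:12:59,870 fail2ban.actions        [1590]: NOTICE  [sshd] Ban 221.229.172.35
2016-08-09 10:13:00,591 fail2ban.filter         [1590]: INFO    [sshd] Found 221.229.172.35
"""


def parse_events(text: str) -> list:
    """Turn log text into event dicts; lines the pattern does not match
    (startup messages, other jails' formats) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "jail": m["jail"], "event": m["event"], "ip": m["ip"]})
    return events


def summarize(events: list) -> dict:
    """Per-IP counts plus, in seconds, how long each ban lasted (Ban -> UnBan,
    roughly the configured bantime) and how soon attempts resumed (UnBan -> Ban)."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(ev)
    stats = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        s = {"found": 0, "bans": 0, "unbans": 0, "ban_durations": [], "resume_delays": []}
        ban_start = last_unban = None
        for ev in evs:
            if ev["event"] == "Found":
                s["found"] += 1
            elif ev["event"] == "Ban":
                s["bans"] += 1
                ban_start = ev["ts"]
                if last_unban is not None:
                    s["resume_delays"].append(int((ev["ts"] - last_unban).total_seconds()))
            elif ev["event"] == "UnBan":
                s["unbans"] += 1
                last_unban = ev["ts"]
                if ban_start is not None:
                    s["ban_durations"].append(int((ev["ts"] - ban_start).total_seconds()))
                    ban_start = None
        stats[ip] = s
    return stats


def repeat_offenders(stats: dict, min_bans: int = 3) -> list:
    """Addresses banned at least min_bans times, i.e. ones a short bantime is
    not deterring (assumed threshold)."""
    return sorted(ip for ip, s in stats.items() if s["bans"] >= min_bans)


if __name__ == "__main__":
    stats = summarize(parse_events(SAMPLE_LOG))
    for ip, s in stats.items():
        print(ip, s)
    print("repeat offenders:", repeat_offenders(stats))
```

For 49.116.40.31 the ban durations come out at 601 seconds each and the attempts resume 27 to 28 seconds after every unban, which is exactly the pattern the January post describes. fail2ban ships a recidive jail that watches fail2ban.log for this pattern and applies a much longer ban to addresses banned repeatedly; a report like this one shows when enabling it, or raising bantime for the sshd jail, is warranted.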

When I checked the country where that IP address is assigned using the geoiplookup tool, I found it is assigned to an entity in China. The tool is part of GeoIP, a geolocation package that can be installed on Red Hat-derived Linux distributions such as CentOS with yum install geoip. The free version of the database, which I use, is provided by MaxMind.

$ geoiplookup 221.229.172.35
GeoIP Country Edition: CN, China
$

[/security/attacks/ssh] permanent link
