SSH break-in attempt from

When I checked the fail2ban log on one of my servers today, I found that fail2ban had banned IP address for failed attempts to log into the system via Secure Shell (SSH).
# tail -n 10 /var/log/fail2ban.log
2016-08-09 10:12:56,296 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:57,914 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:58,663 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:59,143 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:12:59,870 fail2ban.actions        [1590]: NOTICE  [sshd] Ban
2016-08-09 10:13:00,591 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:01,298 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:01,522 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:03,538 fail2ban.filter         [1590]: INFO    [sshd] Found
2016-08-09 10:13:04,075 fail2ban.filter         [1590]: INFO    [sshd] Found

When I checked the country where that IP address is assigned using the geoiplookup tool, I found it is assigned to an entity in China. The tool is in GeoIP, a geolocation package, which can be installed on Red Hat-derived distributions of Linux, such as CentOS, with yum install geoip. The free version of the software that I use is provided by MaxMind.

$ geoiplookup
GeoIP Country Edition: CN, China

Checking for information on the entity in China that has been assigned the block of IP addresses in which that IP address resides using the whois command (the whois package can be installed on a CentOS or Red Hat distribution with yum install whois), I see the following:

$ whois
% []
% Whois data copyright terms

% Information related to ' -'

inetnum: -
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     MAINT-CHINANET-JS
remarks:        This object can only modify by APNIC hostmaster
remarks:        If you wish to modify this object details please
remarks:        send email to with your
remarks:        organisation account name in the subject line.
status:         ALLOCATED PORTABLE
source:         APNIC
mnt-irt:        IRT-CHINANET-CN
changed: 20030626

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET
changed: 20101115
source:         APNIC

role:           CHINANET JIANGSU
address:        260 Zhongyang Road,Nanjing 210037
country:        CN
phone:          +86-25-86588231
phone:          +86-25-86588745
fax-no:         +86-25-86588104
remarks:        send anti-spam reports to
remarks:        send abuse reports to
remarks:        times in GMT+8
admin-c:        CH360-AP
tech-c:         CS306-AP
tech-c:         CN142-AP
nic-hdl:        CJ186-AP
mnt-by:         MAINT-CHINANET-JS
changed: 20090831
changed: 20090831
changed: 20090901
source:         APNIC
changed: 20111114

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed: 20070416
changed: 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

% Information related to ''

descr:          CHINANET jiangsu province network
country:        CN
origin:         AS23650
mnt-by:         MAINT-CHINANET-JS
changed: 20030630
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)


When I checked on whether others had been seeing attempted break-ins from this IP address at DShield, I found that others had logged SSH connections from the IP address to port 22 in their firewall logs. The DShield page on this IP address is IP Info: The DShield report showed the following:

First Reported:2016-07-17
Most Recent Report:2016-08-09

So others had also observed a system at that IP address attempting to establish SSH connections today, August 9, 2016. It was first reported on July 17, 2016, but first seen conducting a port 22 scan on July 14, 2016; I presume a firewall log containing the evidence of the connection attempt was uploaded on July 17, but the log may have covered some days prior to its upload to DShield. The IP address is in a /13 block of addresses assigned to the entity in China, (, so if you aren't expecting any SSH connections from China, that entire address range can be blocked at a firewall.
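The triage above (count the failed attempts behind a ban, then decide whether the whois allocation block covers the banned address) can be scripted against the fail2ban log. The following is an added example, not code from the original post: the log lines are constructed samples in the same fail2ban format shown above, the addresses come from the RFC 5737 documentation ranges, and the /13 block is a placeholder rather than the real allocation from the post.

```python
"""Summarise fail2ban sshd events and test whether a banned IP lies in a CIDR block.

Sample log lines and the 203.0.0.0/13 block are constructed placeholders."""
import ipaddress
import re
from collections import Counter, defaultdict

# Matches "[sshd] Found <ip>", "[sshd] Ban <ip>" and "[sshd] Unban <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.(?P<component>\w+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)$"
)

# Constructed sample: one host trips the ban after four Found events, another host
# only appears once.
SAMPLE_LOG = """\
2016-08-09 10:12:56,296 fail2ban.filter         [1590]: INFO    [sshd] Found 203.0.113.45
2016-08-09 10:12:57,914 fail2ban.filter         [1590]: INFO    [sshd] Found 203.0.113.45
2016-08-09 10:12:58,663 fail2ban.filter         [1590]: INFO    [sshd] Found 203.0.113.45
2016-08-09 10:12:59,143 fail2ban.filter         [1590]: INFO    [sshd] Found 203.0.113.45
2016-08-09 10:12:59,870 fail2ban.actions        [1590]: NOTICE  [sshd] Ban 203.0.113.45
2016-08-09 10:13:00,591 fail2ban.filter         [1590]: INFO    [sshd] Found 198.51.100.7
2016-08-09 10:13:01,298 fail2ban.filter         [1590]: INFO    [sshd] Found 203.0.113.45
"""

def summarise(log_text):
    """Return ({ip: found_count}, {ip: [ban timestamps]}) for the sshd jail only."""
    found = Counter()
    bans = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["jail"] != "sshd":
            continue  # other jails or lines that are not Found/Ban/Unban events
        if m["event"] == "Found":
            found[m["ip"]] += 1
        elif m["event"] == "Ban":
            bans[m["ip"]].append(m["ts"])
    return dict(found), dict(bans)

def in_block(ip, cidr):
    """True if ip lies inside the allocation block reported by whois (e.g. a /13)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

if __name__ == "__main__":
    found, bans = summarise(SAMPLE_LOG)
    for ip, n in found.items():
        print(f"{ip}: {n} failed attempts, banned at {bans.get(ip, [])}")
    print(in_block("203.0.113.45", "203.0.0.0/13"))  # placeholder block, prints True
```

Replace SAMPLE_LOG with the contents of /var/log/fail2ban.log and the placeholder CIDR with the inetnum range from the whois output to run it against a real ban.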
