221.229.172.35 for failed attempts to log into the system via Secure Shell (SSH).

# tail -n 10 /var/log/fail2ban.log
2016-08-09 10:12:56,296 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:57,914 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:58,663 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:59,143 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:59,870 fail2ban.actions [1590]: NOTICE [sshd] Ban 221.229.172.35
2016-08-09 10:13:00,591 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:13:01,298 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:13:01,522 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:13:03,538 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:13:04,075 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
#
When I checked the country where that IP address is assigned using the geoiplookup tool, I found it is assigned to an entity in China. The tool is in GeoIP, a geolocation package, which can be installed on Red Hat derived distributions of Linux, such as CentOS, with yum install geoip. The free version of the software that I use is provided by MaxMind.

$ geoiplookup 221.229.172.35
GeoIP Country Edition: CN, China
$
Checking for information on the entity in China that has been assigned the block of IP addresses in which that IP address resides using the whois command (the whois package can be installed on a CentOS or Red Hat distribution with yum install whois), I see the following:
$ whois 221.229.172.35
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '221.224.0.0 - 221.231.255.255'

inetnum:        221.224.0.0 - 221.231.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     MAINT-CHINANET-JS
remarks:        This object can only modify by APNIC hostmaster
remarks:        If you wish to modify this object details please
remarks:        send email to hostmaster@apnic.net with your
remarks:        organisation account name in the subject line.
status:         ALLOCATED PORTABLE
source:         APNIC
mnt-irt:        IRT-CHINANET-CN
changed:        hm-changed@apnic.net 20030626

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@ns.chinanet.cn.net
abuse-mailbox:  anti-spam@ns.chinanet.cn.net
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET
changed:        anti-spam@ns.chinanet.cn.net 20101115
source:         APNIC

role:           CHINANET JIANGSU
address:        260 Zhongyang Road,Nanjing 210037
country:        CN
phone:          +86-25-86588231
phone:          +86-25-86588745
fax-no:         +86-25-86588104
e-mail:         ip@jsinfo.net
remarks:        send anti-spam reports to spam@jsinfo.net
remarks:        send abuse reports to abuse@jsinfo.net
remarks:        times in GMT+8
admin-c:        CH360-AP
tech-c:         CS306-AP
tech-c:         CN142-AP
nic-hdl:        CJ186-AP
remarks:        www.jsinfo.net
notify:         ip@jsinfo.net
mnt-by:         MAINT-CHINANET-JS
changed:        dns@jsinfo.net 20090831
changed:        ip@jsinfo.net 20090831
changed:        hm-changed@apnic.net 20090901
source:         APNIC
changed:        hm-changed@apnic.net 20111114

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        dingsy@cndata.com 20070416
changed:        zhengzm@gsta.com 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

% Information related to '221.228.0.0/14AS23650'

route:          221.228.0.0/14
descr:          CHINANET jiangsu province network
country:        CN
origin:         AS23650
mnt-by:         MAINT-CHINANET-JS
changed:        ip@jsinfo.net 20030630
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
$
When I checked on whether others had been seeing attempted break-ins from this IP address at DShield, I found that others had logged SSH connections from the IP address to port 22 in their firewall logs. The DShield page on this IP address is IP Info: 221.229.172.35. The DShield report showed the following:

First Reported:       2016-07-17
Most Recent Report:   2016-08-09
So others had also observed a system at that IP address attempting to establish SSH connections today, August 9, 2016. It was first reported on July 17, 2016, but first seen conducting a port 22 scan on July 14, 2016; I presume a firewall log containing the evidence of the connection attempt was uploaded on July 17, but the log may have covered some days prior to its upload to DShield. The IP address is in a /13 block of addresses assigned to the entity in China, 221.224.0.0/13 (221.224.0.0-221.231.255.255), so if you aren't expecting any SSH connections from China, that entire address range can be blocked at a firewall.
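The triage above (read the fail2ban log, find the banned address, look up the allocation it belongs to, decide on a block) can be scripted. This is an added example, not code from the original post: it parses fail2ban log lines in the format shown, counts Found/Ban events per jail and IP, converts the whois inetnum range into CIDR form (which confirms the /13 stated above), and reports banned addresses that fall inside that allocation. The log sample and the regular expression are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the fail2ban.log format shown above (not a real capture).
SAMPLE_LOG = """\
2016-08-09 10:12:56,296 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:57,914 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:58,663 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:59,143 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:12:59,870 fail2ban.actions [1590]: NOTICE [sshd] Ban 221.229.172.35
2016-08-09 10:13:00,591 fail2ban.filter [1590]: INFO [sshd] Found 221.229.172.35
2016-08-09 10:14:10,001 fail2ban.filter [1590]: INFO [sshd] Found 198.51.100.7
"""

# Matches the Found / Ban / Unban lines fail2ban writes for a jail (our own regex).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.\w+\s+\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<event>Found|Ban|Unban) (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse_fail2ban(text):
    """Count Found/Ban/Unban events per (jail, ip); non-matching lines are skipped."""
    counts = defaultdict(lambda: {"Found": 0, "Ban": 0, "Unban": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m["jail"], m["ip"])][m["event"]] += 1
    return dict(counts)

def inetnum_to_networks(inetnum):
    """Convert a whois inetnum range ('a.b.c.d - w.x.y.z') into CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def banned_in_block(counts, networks):
    """(jail, ip) pairs that were banned and fall inside one of the networks."""
    return [(jail, ip) for (jail, ip), c in counts.items()
            if c["Ban"] and any(ipaddress.ip_address(ip) in n for n in networks)]

if __name__ == "__main__":
    counts = parse_fail2ban(SAMPLE_LOG)
    nets = inetnum_to_networks("221.224.0.0 - 221.231.255.255")
    print("Allocation as CIDR:", [str(n) for n in nets])  # ['221.224.0.0/13']
    for jail, ip in banned_in_block(counts, nets):
        print(f"{jail}: {ip} banned after {counts[(jail, ip)]['Found']} matches")
```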