antdude (Matrix Ant, Premium Member, join:2001-03-25, US):

SSH brute force attacks 163data.com.cn...

For those who run sshd on port 22 (I would like to change it to another number, but some places block non-standard ports), do you get a lot of SSH brute-force attacks from the 163data.com.cn domain (e.g., 228.51.174.61.dial.wz.zj.dynamic.163data.com.cn -- dial-up?) or is it just me? I have been getting them for many months so far. I get multiple DenyHosts reports a day about them. Are they infected with bots or something? I was never able to get a hold of anyone about this (guess they care not).

Thank you in advance.

NetFixer (From My Cold Dead Hands, Premium Member, join:2004-06-24, The Boro; Netgear CM500, Pace 5268AC, TRENDnet TEW-829DRU):

I have been seeing many, many more connection attempts to port 23 than I see to port 22, and I don't see any particular overwhelming pattern for the source IP addresses. The vast majority report to be from ChinaNet and China Unicom, with most of the rest randomly from the usual suspects in the Middle East, and Eastern Europe (of course all of them could actually be coming from Peoria, IL through a proxy or VPN).

I don't allow public Internet access for either of those ports (they are both only accessible via LAN or VPN), so perhaps if I had them open to the Internet (making them more enticing), I would see more intense connection attempts.

Frodo (Member, join:2006-05-05) to antdude:
Checking the router's firewall log, I see:
2014-08-23T18:27:05-05:00 info src=61.174.51.233 dst=99.9.x.x ipprot=6 sport=6000 dport=22 Unknown inbound session stopped
I don't see a lot of probes, but they're on a fishing expedition.
61.174.51.233 resolves to a 163data.com.cn host. I see a total of 3 port 22 probes, the other 2 being from different IP addresses.

HELLFIRE (MVM, join:2009-11-25) to antdude:
From my recollection, not that IP specifically. Did you try contacting them at their abuse@whatever information?

Otherwise, do you have any ability to either deny or nullroute that IP / block specifically?

My 00000010bits

Regards

antdude (Matrix Ant, Premium Member, join:2001-03-25, US):

said by HELLFIRE:

From my recollection, not that IP specifically. Did you try contacting them at their abuse@whatever information?

Otherwise, do you have any ability to either deny or nullroute that IP / block specifically?

My 00000010bits

Regards

Yeah, but no luck:
: Host or domain name not found. Name service error for
name=163data.com.cn type=AAAA: Host not found
: host testmail.chinatelecom.com.cn[219.142.42.12]
said: 554 Mail from ant@zimage.com rejected for policy reasons. (in reply
to MAIL FROM command)

I don't think this old router can block specific domains.

It looks like »www.mywot.com/en/scoreca ··· a.com.cn had many problems that people complained about.

DrStrange (Technically feasible, Premium Member, join:2001-07-23, Bristol, CT), 1 recommendation:

IP range for that threat is 219.142.0.0 - 219.142.127.255.

Can't you just blackhole the entire block?

HELLFIRE (MVM, join:2009-11-25) to antdude, 1 recommendation:
From APNIC -- try this address instead
quote:
irt: IRT-CNNIC-CN3
address: No.4, Zhongguancun No.4 South Street,
address: Haidian District, Beijing
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IPAS1-AP
tech-c: IPAS1-AP
auth: # Filtered
mnt-by: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20101125
source: APNIC

person: Qiang Bai
nic-hdl: QB26-AP
e-mail: bo_01@sina.com
address: 420, administration Mansion, No.83 FuXing Road, Beijing
phone: +86-10-66706522
fax-no: +86-10-58858011
country: CN
changed: ipas@cnnic.net.cn 20050511
mnt-by: MAINT-NEW
source: APNIC
Regards

Chubbzie (Member, join:2014-02-11, Greenville, NC; Hitron CDA3, (Software) OpenBSD + pf) to antdude, 1 recommendation:
said by antdude:

228.51.174.61.dial.wz.zj.dynamic.163data.com.cn

"If 61.174.51.228 is causing you trouble (doing SPAM, brute-force, DOS attack, phishing, or other fraud), you can report the abuser right here!"

Information source: The Internet Detective
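An added example, not code from the thread or from any poster: a Python script that parses firewall log lines in the format Frodo posted, decodes the reversed-octet 163data.com.cn dial-up hostnames antdude and Chubbzie quoted, and emits blackhole routes for sources that fall inside a range like the one DrStrange gave or that probe port 22 repeatedly. Every log line except Frodo's, the address 219.142.1.1, and the probe threshold are constructed or assumed.

```python
import ipaddress
import re
from collections import Counter

# Firewall log format as posted in the thread (src=... dport=... fields).
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) .*?dport=(?P<dport>\d+)")
# 163data.com.cn dial-up names carry the client IP with its octets reversed.
DIAL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.dial\..*\.163data\.com\.cn$")

def dial_hostname_to_ip(hostname):
    """'228.51.174.61.dial.wz.zj.dynamic.163data.com.cn' -> '61.174.51.228'."""
    m = DIAL_RE.match(hostname)
    return ".".join(reversed(m.groups())) if m else None

def count_ssh_probes(lines, dport=22):
    """Count inbound sessions to dport per source address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) == dport:
            hits[m.group("src")] += 1
    return hits

def blackhole_commands(hits, ranges, threshold=3):
    """One 'ip route add blackhole' per source that is inside a listed range
    or probed at least `threshold` times (DenyHosts/fail2ban-style counting).
    The threshold value is an assumption, not something from the thread."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    cmds = []
    for src, n in sorted(hits.items()):
        if any(ipaddress.ip_address(src) in net for net in nets) or n >= threshold:
            cmds.append(f"ip route add blackhole {src}/32")
    return cmds

# Constructed sample: the first line is Frodo's; the rest are made up
# (203.0.113.x / 198.51.100.x are documentation ranges, 219.142.1.1 is an
# address inside the range DrStrange posted).
SAMPLE_LOG = [
    "2014-08-23T18:27:05-05:00 info src=61.174.51.233 dst=99.9.x.x ipprot=6 sport=6000 dport=22 Unknown inbound session stopped",
    "2014-08-23T18:31:44-05:00 info src=61.174.51.233 dst=99.9.x.x ipprot=6 sport=6000 dport=22 Unknown inbound session stopped",
    "2014-08-23T18:40:02-05:00 info src=61.174.51.233 dst=99.9.x.x ipprot=6 sport=6000 dport=22 Unknown inbound session stopped",
    "2014-08-23T19:02:19-05:00 info src=219.142.1.1 dst=99.9.x.x ipprot=6 sport=51234 dport=22 Unknown inbound session stopped",
    "2014-08-23T19:05:55-05:00 info src=203.0.113.7 dst=99.9.x.x ipprot=6 sport=40000 dport=22 Unknown inbound session stopped",
    "2014-08-23T19:07:10-05:00 info src=198.51.100.9 dst=99.9.x.x ipprot=6 sport=40001 dport=23 Unknown inbound session stopped",
]
# Range DrStrange gave: 219.142.0.0 - 219.142.127.255 == 219.142.0.0/17
BLOCK_RANGES = ["219.142.0.0/17"]

if __name__ == "__main__":
    for cmd in blackhole_commands(count_ssh_probes(SAMPLE_LOG), BLOCK_RANGES):
        print(cmd)
```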

antdude (Matrix Ant, Premium Member, join:2001-03-25, US) to DrStrange:
said by DrStrange:

IP range for that threat is 219.142.0.0 - 219.142.127.255.

Can't you just blackhole the entire block?

Not that I can find in my old Linksys WRT54GL router.

BeesTea (Internet Janitor, Premium Member, join:2003-03-08, 00000) to antdude:
FYI, you can get hourly sensor data to build blocks from the DRG

»www.dragonresearchgroup. ··· auth.txt

EUS (Kill cancer, Premium Member, join:2002-09-10, canada) to antdude:
SSH with keys only, and fail2ban; set it, and forget it.
Why people still run ssh with login allowed is beyond me; individual/corporate special needs?