antdude (Matrix Ant), Premium Member, join:2001-03-25, US
2014-Aug-23 6:33 pm
SSH brute force attacks 163data.com.cn...
For those who run SSHd on port 22 (I would like to change it to another number, but some places block the non-standard ports), do you get a lot of SSH brute force attacks from the 163data.com.cn domain (e.g., 228.51.174.61.dial.wz.zj.dynamic.163data.com.cn -- dial-up?) or is it just me? I have been getting them for many months so far. I get multiple DenyHosts reports a day about them. Are they infected with bots or something? I was never able to get a hold of anyone about this (I guess they care not). Thank you in advance.
NetFixer (From My Cold Dead Hands), Premium Member, join:2004-06-24, The Boro
2014-Aug-23 7:12 pm
I have been seeing many, many more connection attempts to port 23 than I see to port 22, and I don't see any particular overwhelming pattern for the source IP addresses. The vast majority purport to be from ChinaNet and China Unicom, with most of the rest randomly from the usual suspects in the Middle East and Eastern Europe (of course all of them could actually be coming from Peoria, IL through a proxy or VPN).
I don't allow public Internet access for either of those ports (they are both only accessible via LAN or VPN), so perhaps if I had them open to the Internet (making them more enticing), I would see more intense connection attempts.
to antdude
Checking the router's firewall log, I see:
2014-08-23T18:27:05-05:00 info src=61.174.51.233 dst=99.9.x.x ipprot=6 sport=6000 dport=22 Unknown inbound session stopped
I don't see a lot of probes, but they're on a fishing expedition. 61.174.51.233 resolves to a 163data.com.cn host. I see a total of 3 port 22 probes, the other 2 being from different IP addresses.
HELLFIRE to antdude
From my recollection, not that IP specifically. Did you try contacting them at their abuse@whatever information?
Otherwise, do you have any ability to either deny or nullroute that IP / block it specifically?
My 00000010bits
Regards
antdude (Matrix Ant), Premium Member, join:2001-03-25, US
2014-Aug-24 8:10 pm
said by HELLFIRE: From my recollection, not that IP specifically. Did you try contacting them at their abuse@whatever information?
Otherwise, do you have any ability to either deny or nullroute that IP / block it specifically?
My 00000010bits
Regards
Yeah, but no luck:
: Host or domain name not found. Name service error for name=163data.com.cn type=AAAA: Host not found
: host testmail.chinatelecom.com.cn[219.142.42.12] said: 554 Mail from ant@zimage.com rejected for policy reasons. (in reply to MAIL FROM command)
I don't think this old router can block specific domains. It looks like » www.mywot.com/en/scoreca ··· a.com.cn had many problems that people complained about.
DrStrange (Technically feasible), Premium Member, join:2001-07-23, Bristol, CT
2014-Aug-25 12:09 pm
IP range for that threat is 219.142.0.0 - 219.142.127.255.
Can't you just blackhole the entire block?
to antdude
From APNIC -- try this address instead:
irt: IRT-CNNIC-CN3
address: No.4, Zhongguancun No.4 South Street,
address: Haidian District, Beijing
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IPAS1-AP
tech-c: IPAS1-AP
auth: # Filtered
mnt-by: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20101125
source: APNIC

person: Qiang Bai
nic-hdl: QB26-AP
e-mail: bo_01@sina.com
address: 420, administration Mansion, No.83 FuXing Road, Beijing
phone: +86-10-66706522
fax-no: +86-10-58858011
country: CN
changed: ipas@cnnic.net.cn 20050511
mnt-by: MAINT-NEW
source: APNIC
Regards
to antdude
said by antdude: 228.51.174.61.dial.wz.zj.dynamic.163data.com.cn
"If 61.174.51.228 is causing you trouble (doing SPAM, brute-force, DOS attack, phishing, or other fraud), you can report the abuser right here!" Information source: The Internet Detective
antdude (Matrix Ant), Premium Member, join:2001-03-25, US
to DrStrange
said by DrStrange: IP range for that threat is 219.142.0.0 - 219.142.127.255.
Can't you just blackhole the entire block?
Not that I can find in my old Linksys WRT54GL router.
BeesTea (Internet Janitor), Premium Member, join:2003-03-08, 00000
to antdude
FYI, you can get hourly sensor data to build blocks from the DRG » www.dragonresearchgroup. ··· auth.txt
EUS (Kill cancer), Premium Member, join:2002-09-10, canada
2014-Aug-26 11:11 am
to antdude
SSH with keys only, and fail2ban; set it and forget it. Why people still run SSH with login allowed is beyond me; individual/corporate special needs?
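As an added illustration (not code from anyone in this thread), here is the fail2ban-style detection EUS recommends and the range-to-blackhole step DrStrange suggests, in Python: it parses constructed sshd auth.log lines (the source IPs are the ones named above; the timestamps, usernames and ports are made up), flags sources that fail repeatedly within a short window, and turns the stated 219.142.0.0 - 219.142.127.255 range into CIDR blocks a firewall can drop.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed auth.log sample: IPs from the thread, everything else made up.
SAMPLE_AUTH_LOG = """\
Aug 23 18:27:05 host sshd[2101]: Failed password for root from 61.174.51.233 port 6000 ssh2
Aug 23 18:27:07 host sshd[2101]: Failed password for root from 61.174.51.233 port 6000 ssh2
Aug 23 18:27:09 host sshd[2101]: Failed password for invalid user admin from 61.174.51.233 port 6000 ssh2
Aug 23 18:30:00 host sshd[2150]: Failed password for root from 219.142.42.12 port 51022 ssh2
Aug 23 19:02:41 host sshd[2202]: Failed password for invalid user test from 61.174.51.228 port 4433 ssh2
Aug 23 19:05:00 host sshd[2210]: Accepted publickey for ant from 10.0.0.5 port 50000 ssh2
"""

FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text, year=2014):
    """Return (timestamp, user, ip) for every failed-password line; syslog omits the year."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def brute_force_sources(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: flag an IP with >= maxretry failures inside any findtime window."""
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):  # sliding window over sorted timestamps
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged.add(ip)
                break
    return flagged

def range_to_cidrs(first, last):
    """Express a whois-style 'first - last' range as the CIDR blocks a router can blackhole."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

def in_range(ip, cidrs):  # is a flagged source already covered by the blackholed blocks?
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)
```

Running the sample flags only 61.174.51.233 (three failures in four seconds), and the range resolves to the single block 219.142.0.0/17, which does not cover that source.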