[ale] [OT] Chinese brute-force network?

Bob Toxen transam at VerySecureLinux.com
Fri May 30 14:24:24 EDT 2014


Dustin,

Seems to be a serious problem dating back to 04/27/2014:

zgrep -c 116.10.191 /var/log/auth*
/var/log/auth.log:30666
/var/log/auth.log.1.gz:54753
/var/log/auth.log.2.gz:36340
/var/log/auth.log.3.gz:58485
/var/log/auth.log.4.gz:36654

We blocked it with Fail2Ban.  (We also have other protections.)  I've now
added something similar to the following IP Tables rules:

# LOG must sit ahead of DROP in the chain, otherwise the DROP matches first and nothing is logged
/usr/sbin/iptables -I INPUT   1 -s 116.10.191.0/24 -j LOG  #hacker-extreme-brute-Chinese
/usr/sbin/iptables -I FORWARD 1 -s 116.10.191.0/24 -j LOG  #hacker-extreme-brute-Chinese
/usr/sbin/iptables -I INPUT   2 -s 116.10.191.0/24 -j DROP #hacker-extreme-brute-Chinese
/usr/sbin/iptables -I FORWARD 2 -s 116.10.191.0/24 -j DROP #hacker-extreme-brute-Chinese

Bob

On Thu, May 29, 2014 at 04:03:17PM -0400, Dustin Strickland wrote:
> I usually don't do this, but I feel oddly compelled to ask. Over the
> past 3 days (and perhaps longer than that, but my logs were wiped on a
> reboot) I've been getting failed SSH login attempts in my logs from a
> bunch of different IPs in the range 116.10.191.1-254. I thought this
> was really unusual; typically, you'll get a few attempts over the
> course of 15 minutes to a few hours from ONE IP, but this has been going
> on steady for days. After researching a bit to try to find who owns this
> network, I found this:
> http://bannedhackersips.blogspot.com/2014/05/fail2ban-ssh-banned-11610191211_7510.html
> 
> `grep 116.10.191. /var/log/auth.log -c` returns 2920. Can you guys
> check your logs and post the results (and speculation)? Something isn't
> right about this, I think.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
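The counting both posters do by hand (a grep -c over auth.log for one /24) and the LOG-then-DROP rules, combined into one script. This is an added example, not code from either poster: the auth.log lines are constructed to mimic sshd's "Failed password" format, the per-/24 threshold is an assumption, and the -m limit rate cap on the LOG rule is my addition so a brute-forcer cannot flood the syslog. The 116.10.191.0/24 range is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): aggregate failed SSH logins by
# source /24 and emit iptables rules (LOG before DROP) for ranges over a threshold.

# Constructed sample of /var/log/auth.log (sshd "Failed password" lines); not real data.
SAMPLE_AUTH_LOG='May 29 15:01:02 host sshd[1001]: Failed password for root from 116.10.191.11 port 44312 ssh2
May 29 15:01:05 host sshd[1002]: Failed password for invalid user admin from 116.10.191.203 port 51220 ssh2
May 29 15:01:09 host sshd[1003]: Failed password for root from 116.10.191.11 port 44390 ssh2
May 29 15:02:14 host sshd[1004]: Failed password for root from 116.10.191.77 port 60012 ssh2
May 29 15:03:00 host sshd[1005]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
May 29 15:03:41 host sshd[1006]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
May 29 15:04:02 host sshd[1007]: Failed password for root from 116.10.191.150 port 33001 ssh2'

# Read auth.log text on stdin, print "count prefix/24" per source /24, busiest first.
# For rotated logs: zcat -f /var/log/auth* | failed_by_24
failed_by_24() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); break }
            if (split(ip, o, ".") == 4)
                n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Emit iptables commands for every /24 whose failed-login count reaches $1 (default 3).
# LOG is inserted at position 1 and DROP at position 2 so the LOG rule is reached;
# inserting DROP at 1 and LOG at 2 would drop silently. The -m limit clause is an
# assumed addition so a busy attacker cannot fill syslog.
rules_for_threshold() {
    threshold=${1:-3}
    failed_by_24 | while read -r count prefix; do
        [ "$count" -ge "$threshold" ] || continue
        for chain in INPUT FORWARD; do
            echo "/usr/sbin/iptables -I $chain 1 -s $prefix -m limit --limit 5/min -j LOG --log-prefix \"ssh-brute: \""
            echo "/usr/sbin/iptables -I $chain 2 -s $prefix -j DROP"
        done
    done
}

# Demo against the constructed sample; review the printed rules before running them as root.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_24
printf '%s\n' "$SAMPLE_AUTH_LOG" | rules_for_threshold 3
```

The script only prints the rules; feed real logs with `zcat -f /var/log/auth* | failed_by_24` and pipe the generated commands to a root shell once you have checked that no legitimate range is above the threshold.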
