
Attempted login from two IP addresses in same range

  • 10-02-2014 8:00pm
    #1
    Posts: 0


    So most people here will know that once you put a server on the web it's going to be subjected to scanning/brute-forcing.

    However, something I haven't seen before (personally) is somebody attempting to log into my server from two different IP addresses in the same range. Seems a little more interesting; has anybody seen this before? Wondering if it's a little more targeted or just an automated system using two external IP addresses? Maybe it's just strange for me as it's the first time I noticed it. I should probably check older logs to see if it's happened before.



    Feb 10 19:11:58 bigdaddy sshd[12502]: Connection from 61.160.215.33 port 1831
    Feb 10 19:12:06 bigdaddy sshd[12502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:08 bigdaddy sshd[12502]: Failed password for root from 61.160.215.33 port 1831 ssh2
    Feb 10 19:12:20 bigdaddy sshd[12502]: last message repeated 5 times
    Feb 10 19:12:20 bigdaddy sshd[12502]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:12:20 bigdaddy sshd[12502]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:20 bigdaddy sshd[12502]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:12:20 bigdaddy sshd[12597]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:20 bigdaddy sshd[12597]: Connection from 61.160.215.33 port 2761
    Feb 10 19:12:28 bigdaddy sshd[12597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:29 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
    Feb 10 19:12:40 bigdaddy sshd[12597]: last message repeated 4 times
    Feb 10 19:12:40 bigdaddy sshd[12691]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:40 bigdaddy sshd[12691]: Connection from 61.160.215.73 port 4089
    Feb 10 19:12:40 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
    Feb 10 19:12:40 bigdaddy sshd[12597]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:12:40 bigdaddy sshd[12597]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:40 bigdaddy sshd[12597]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:12:41 bigdaddy sshd[12698]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:41 bigdaddy sshd[12698]: refused connect from 61.160.215.33 (61.160.215.33)
    Feb 10 19:12:46 bigdaddy sshd[12716]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:46 bigdaddy sshd[12716]: refused connect from 61.160.215.33 (61.160.215.33)
    Feb 10 19:12:56 bigdaddy sshd[12691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:12:58 bigdaddy sshd[12691]: Failed password for root from 61.160.215.73 port 4089 ssh2
    Feb 10 19:13:17 bigdaddy sshd[12691]: last message repeated 5 times
    Feb 10 19:13:17 bigdaddy sshd[12691]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:13:17 bigdaddy sshd[12691]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:13:17 bigdaddy sshd[12691]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:13:18 bigdaddy sshd[12843]: Set /proc/self/oom_adj to 0
    Feb 10 19:13:18 bigdaddy sshd[12843]: Connection from 61.160.215.73 port 2296
    Feb 10 19:13:28 bigdaddy sshd[12843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:13:30 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
    Feb 10 19:13:35 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
    Feb 10 19:13:35 bigdaddy sshd[12898]: Set /proc/self/oom_adj to 0
    Feb 10 19:13:35 bigdaddy sshd[12898]: Connection from 61.160.215.73 port 4973
    Feb 10 19:13:39 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
    Feb 10 19:14:12 bigdaddy sshd[12843]: last message repeated 3 times
    Feb 10 19:14:12 bigdaddy sshd[12843]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:14:12 bigdaddy sshd[12843]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:14:12 bigdaddy sshd[12843]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:14:26 bigdaddy sshd[13110]: Set /proc/self/oom_adj to 0
    Feb 10 19:14:26 bigdaddy sshd[13110]: refused connect from 61.160.215.73 (61.160.215.73)
    Feb 10 19:14:52 bigdaddy sshd[12898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:14:54 bigdaddy sshd[12898]: Failed password for root from 61.160.215.73 port 4973 ssh2
    Feb 10 19:15:11 bigdaddy sshd[12898]: last message repeated 5 times
    Feb 10 19:15:11 bigdaddy sshd[12898]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:15:11 bigdaddy sshd[12898]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:15:11 bigdaddy sshd[12898]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:15:15 bigdaddy sshd[13311]: Set /proc/self/oom_adj to 0
    Feb 10 19:15:15 bigdaddy sshd[13311]: refused connect from 61.160.215.73 (61.160.215.73)
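
Added example (mine, not from the thread): a small Python script that does the check the question is really asking for. It counts failed logins per source and per target account, folds in the syslog "last message repeated N times" lines (which otherwise hide most of the attempts), groups sources by /24 and flags any prefix where two or more distinct addresses hammer the same account. The embedded sample is a trimmed subset of the sshd lines quoted above; the /24 grouping, the `min_sources` threshold and the function names are my own choices.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the sshd lines quoted in the post above.
SAMPLE_LOG = """\
Feb 10 19:11:58 bigdaddy sshd[12502]: Connection from 61.160.215.33 port 1831
Feb 10 19:12:08 bigdaddy sshd[12502]: Failed password for root from 61.160.215.33 port 1831 ssh2
Feb 10 19:12:20 bigdaddy sshd[12502]: last message repeated 5 times
Feb 10 19:12:20 bigdaddy sshd[12502]: Disconnecting: Too many authentication failures for root [preauth]
Feb 10 19:12:29 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
Feb 10 19:12:40 bigdaddy sshd[12597]: last message repeated 4 times
Feb 10 19:12:40 bigdaddy sshd[12691]: Connection from 61.160.215.73 port 4089
Feb 10 19:12:40 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
Feb 10 19:12:41 bigdaddy sshd[12698]: refused connect from 61.160.215.33 (61.160.215.33)
Feb 10 19:12:58 bigdaddy sshd[12691]: Failed password for root from 61.160.215.73 port 4089 ssh2
Feb 10 19:13:17 bigdaddy sshd[12691]: last message repeated 5 times
Feb 10 19:13:30 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
Feb 10 19:13:35 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
Feb 10 19:13:39 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
Feb 10 19:14:12 bigdaddy sshd[12843]: last message repeated 3 times
Feb 10 19:14:54 bigdaddy sshd[12898]: Failed password for root from 61.160.215.73 port 4973 ssh2
Feb 10 19:15:11 bigdaddy sshd[12898]: last message repeated 5 times
"""

FAILED_RE = re.compile(
    r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
REPEAT_RE = re.compile(r"sshd\[(\d+)\]: last message repeated (\d+) times")
PID_RE = re.compile(r"sshd\[(\d+)\]:")


def count_failures(lines):
    """Return {(source_ip, user): failed_attempts}.

    A 'last message repeated N times' line is attributed to the last
    'Failed password' event seen for the same sshd pid. Any other message
    from that pid ends the repeat context. The 'PAM N more authentication
    failures' lines describe the same attempts and are deliberately ignored.
    """
    counts = defaultdict(int)
    last_failed_by_pid = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            pid, user, ip = m.groups()
            counts[(ip, user)] += 1
            last_failed_by_pid[pid] = (ip, user)
            continue
        m = REPEAT_RE.search(line)
        if m:
            pid, n = m.groups()
            if pid in last_failed_by_pid:
                counts[last_failed_by_pid[pid]] += int(n)
            continue
        m = PID_RE.search(line)
        if m:
            last_failed_by_pid.pop(m.group(1), None)
    return dict(counts)


def group_by_prefix(counts, prefix_len=24):
    """Regroup the counts as {network: {user: {source_ip: attempts}}}."""
    by_net = defaultdict(lambda: defaultdict(dict))
    for (ip, user), n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)][user][ip] = n
    return by_net


def flag_coordinated(by_net, min_sources=2):
    """List (network, user, distinct_sources, total_attempts) for every prefix
    where at least min_sources different addresses targeted the same account."""
    flagged = []
    for net, users in by_net.items():
        for user, ips in users.items():
            if len(ips) >= min_sources:
                flagged.append((net, user, len(ips), sum(ips.values())))
    return sorted(flagged)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    for net, user, n_src, total in flag_coordinated(group_by_prefix(counts)):
        print(f"{net}: {n_src} sources, {total} failed logins for {user}")
```

On the sample this reports one /24 with two sources and 30 failed root logins between them; pointing it at a real auth.log (`count_failures(open("/var/log/auth.log"))`) and raising the prefix to /16 or /8 is the quick way to answer "has this happened before" over older logs.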


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    The IP range is registered to Chinanet. Take from that what you will.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Automated, most definitely. I've seen it a bit, varying from bots/crawlers running from what seems to be cloud providers to Uni campuses to large businesses.

    I suppose simplest solution is just to block the entire IP block if you know you aren't ever going to be connecting from China.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Are the per-country IP ranges listed anywhere publicly?


  • Posts: 0 [Deleted User]


    It's not so easy to block a country, as IPv4 addresses were assigned intermittently, meaning 1.1.0.0/16 and 1.3.0.0/16 could be China yet 1.2.0.0/16 could be assigned to me :)

    Some IPS/IDS solutions take care of this but if you want to do it manually - http://www.nirsoft.net/countryip/

    IPv6 won't have this issue :)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's the one. Thanks. :)

    I was more thinking of a hosts.allow file that only allows Irish IPs to connect. It's not perfect by any means, but it's not a bad start, either.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    It's not so easy to block a country, as IPv4 addresses were assigned intermittently, meaning 1.1.0.0/16 and 1.3.0.0/16 could be China yet 1.2.0.0/16 could be assigned to me :)

    Some IPS/IDS solutions take care of this but if you want to do it manually - http://www.nirsoft.net/countryip/

    IPv6 won't have this issue :)

    You could write a script to block Chinese hosts. Something like (it's very quick and dirty):
    #!/bin/sh
    # Quick and dirty: deny an address via tcp_wrappers if geoiplookup places it in China.
    IP=$1
    # geoiplookup prints e.g. "GeoIP Country Edition: CN, China"; field 5 is the country name.
    # Quoting the substitution keeps the test valid when the lookup returns nothing.
    if [ "$(geoiplookup "$IP" | awk '{print $5}')" = "China" ]
    then
            # hosts.deny entries need a daemon list; a bare address is not a valid line.
            echo "ALL: $IP" >> /etc/hosts.deny
    else
            echo "Not chinese"
    fi
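
Added example, not part of this thread: the three ideas above (a country table that is not contiguous, a hosts.allow that only admits one country, and a deny list built per country instead of per IP) put together in Python. The range table is constructed for illustration and is not real allocation data; the only range taken from the thread is 61.160.215.0/24, which aidan_walsh looked up as Chinanet. The function names are mine. Entries are written in the `net/mask` form that tcp_wrappers' hosts_access(5) accepts for IPv4 and the `[net]/prefixlen` form for IPv6.

```python
import ipaddress

# Constructed table (NOT real allocations): adjacent /16s belonging to different
# countries, as the post above describes, plus the /24 the attempts in this thread came from.
COUNTRY_RANGES = {
    "China":   ["1.1.0.0/16", "1.3.0.0/16", "61.160.215.0/24"],
    "Ireland": ["1.2.0.0/16", "2001:db8::/32"],   # 2001:db8::/32 is documentation space
}


def build_table(country_ranges):
    """Flatten {country: [cidr, ...]} into [(network, country)], most specific prefix first,
    so a lookup can stop at the first match."""
    table = [(ipaddress.ip_network(cidr), country)
             for country, cidrs in country_ranges.items()
             for cidr in cidrs]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def country_of(ip, table):
    """Longest-prefix lookup of an address in the table; None when it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, country in table:
        if addr.version == net.version and addr in net:
            return country
    return None


def wrappers_lines(country_ranges, country, daemon="sshd"):
    """Render one tcp_wrappers line per range of a country, e.g. 'sshd: 1.2.0.0/255.255.0.0'.
    The same lines serve hosts.allow (daemon='sshd') or hosts.deny (daemon='ALL')."""
    lines = []
    for cidr in country_ranges[country]:
        net = ipaddress.ip_network(cidr)
        if net.version == 4:
            lines.append(f"{daemon}: {net.with_netmask}")
        else:
            lines.append(f"{daemon}: [{net.network_address}]/{net.prefixlen}")
    return lines


if __name__ == "__main__":
    table = build_table(COUNTRY_RANGES)
    for ip in ("1.1.9.9", "1.2.9.9", "1.3.9.9", "61.160.215.73", "8.8.8.8"):
        print(f"{ip:>15} -> {country_of(ip, table)}")
    print("# hosts.allow (Irish ranges only):")
    print("\n".join(wrappers_lines(COUNTRY_RANGES, "Ireland", "sshd")))
    print("# hosts.deny (Chinese ranges):")
    print("\n".join(wrappers_lines(COUNTRY_RANGES, "China", "ALL")))
```

Two caveats if you take the allow-list route: tcp_wrappers consults hosts.allow before hosts.deny, so the allow entries only bite once hosts.deny also carries `sshd: ALL`; and the whole mechanism depends on sshd being built with libwrap, which OpenSSH dropped in 6.7, so on newer builds the same ranges have to go into the firewall rules instead.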
    


  • Posts: 0 [Deleted User]


    syklops wrote: »
    You could write a script to block Chinese hosts. Something like (it's very quick and dirty):
    #!/bin/sh
    # Quick and dirty: deny an address via tcp_wrappers if geoiplookup places it in China.
    IP=$1
    # geoiplookup prints e.g. "GeoIP Country Edition: CN, China"; field 5 is the country name.
    # Quoting the substitution keeps the test valid when the lookup returns nothing.
    if [ "$(geoiplookup "$IP" | awk '{print $5}')" = "China" ]
    then
            # hosts.deny entries need a daemon list; a bare address is not a valid line.
            echo "ALL: $IP" >> /etc/hosts.deny
    else
            echo "Not chinese"
    fi
    


    I need to start working with you more! :p


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Or if you want even more fun, install kippo and see what they plan on doing...

