
Attempted login from two IP addresses in same range

  • 10-02-2014 09:00PM
    #1
    Posts: 331 ✭✭


    So most people here will know you put a server on the web and it's going to be subjected to scanning/brute-forcing.

    However something I haven't seen before (personally) is somebody attempting to log into my server from two different IP addresses in the same range. Seems a little more interesting, has anybody seen this before? Wondering if it's a little more targeted or just an automated system using two external IP addresses? Maybe it's just strange for me as it's the first time I noticed it.... should probably check older logs to see if it's happened before



    Feb 10 19:11:58 bigdaddy sshd[12502]: Connection from 61.160.215.33 port 1831
    Feb 10 19:12:06 bigdaddy sshd[12502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:08 bigdaddy sshd[12502]: Failed password for root from 61.160.215.33 port 1831 ssh2
    Feb 10 19:12:20 bigdaddy sshd[12502]: last message repeated 5 times
    Feb 10 19:12:20 bigdaddy sshd[12502]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:12:20 bigdaddy sshd[12502]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:20 bigdaddy sshd[12502]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:12:20 bigdaddy sshd[12597]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:20 bigdaddy sshd[12597]: Connection from 61.160.215.33 port 2761
    Feb 10 19:12:28 bigdaddy sshd[12597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:29 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
    Feb 10 19:12:40 bigdaddy sshd[12597]: last message repeated 4 times
    Feb 10 19:12:40 bigdaddy sshd[12691]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:40 bigdaddy sshd[12691]: Connection from 61.160.215.73 port 4089
    Feb 10 19:12:40 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
    Feb 10 19:12:40 bigdaddy sshd[12597]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:12:40 bigdaddy sshd[12597]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.33 user=root
    Feb 10 19:12:40 bigdaddy sshd[12597]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:12:41 bigdaddy sshd[12698]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:41 bigdaddy sshd[12698]: refused connect from 61.160.215.33 (61.160.215.33)
    Feb 10 19:12:46 bigdaddy sshd[12716]: Set /proc/self/oom_adj to 0
    Feb 10 19:12:46 bigdaddy sshd[12716]: refused connect from 61.160.215.33 (61.160.215.33)
    Feb 10 19:12:56 bigdaddy sshd[12691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:12:58 bigdaddy sshd[12691]: Failed password for root from 61.160.215.73 port 4089 ssh2
    Feb 10 19:13:17 bigdaddy sshd[12691]: last message repeated 5 times
    Feb 10 19:13:17 bigdaddy sshd[12691]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:13:17 bigdaddy sshd[12691]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:13:17 bigdaddy sshd[12691]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:13:18 bigdaddy sshd[12843]: Set /proc/self/oom_adj to 0
    Feb 10 19:13:18 bigdaddy sshd[12843]: Connection from 61.160.215.73 port 2296
    Feb 10 19:13:28 bigdaddy sshd[12843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:13:30 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
    Feb 10 19:13:35 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
    Feb 10 19:13:35 bigdaddy sshd[12898]: Set /proc/self/oom_adj to 0
    Feb 10 19:13:35 bigdaddy sshd[12898]: Connection from 61.160.215.73 port 4973
    Feb 10 19:13:39 bigdaddy sshd[12843]: Failed password for root from 61.160.215.73 port 2296 ssh2
    Feb 10 19:14:12 bigdaddy sshd[12843]: last message repeated 3 times
    Feb 10 19:14:12 bigdaddy sshd[12843]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:14:12 bigdaddy sshd[12843]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:14:12 bigdaddy sshd[12843]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:14:26 bigdaddy sshd[13110]: Set /proc/self/oom_adj to 0
    Feb 10 19:14:26 bigdaddy sshd[13110]: refused connect from 61.160.215.73 (61.160.215.73)
    Feb 10 19:14:52 bigdaddy sshd[12898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:14:54 bigdaddy sshd[12898]: Failed password for root from 61.160.215.73 port 4973 ssh2
    Feb 10 19:15:11 bigdaddy sshd[12898]: last message repeated 5 times
    Feb 10 19:15:11 bigdaddy sshd[12898]: Disconnecting: Too many authentication failures for root [preauth]
    Feb 10 19:15:11 bigdaddy sshd[12898]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.215.73 user=root
    Feb 10 19:15:11 bigdaddy sshd[12898]: PAM service(sshd) ignoring max retries; 6 > 3
    Feb 10 19:15:15 bigdaddy sshd[13311]: Set /proc/self/oom_adj to 0
    Feb 10 19:15:15 bigdaddy sshd[13311]: refused connect from 61.160.215.73 (61.160.215.73)
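    The log above shows two addresses in 61.160.215.0/24 both hammering root. One way to make that pattern visible without reading the log by eye is to tally failed logins per source and then group sources by /24. The following is an added example in Python (not code from the post); it runs over constructed sample lines modelled on the ones quoted above, and it also folds in syslog's "last message repeated N times" lines, which otherwise hide most of the attempts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd/PAM lines in the post (two sources in
# 61.160.215.0/24 plus one unrelated source from the 203.0.113.0/24 documentation range).
SAMPLE_LOG = """\
Feb 10 19:12:08 bigdaddy sshd[12502]: Failed password for root from 61.160.215.33 port 1831 ssh2
Feb 10 19:12:20 bigdaddy sshd[12502]: last message repeated 5 times
Feb 10 19:12:20 bigdaddy sshd[12502]: Disconnecting: Too many authentication failures for root [preauth]
Feb 10 19:12:29 bigdaddy sshd[12597]: Failed password for root from 61.160.215.33 port 2761 ssh2
Feb 10 19:12:40 bigdaddy sshd[12597]: last message repeated 4 times
Feb 10 19:12:58 bigdaddy sshd[12691]: Failed password for root from 61.160.215.73 port 4089 ssh2
Feb 10 19:13:17 bigdaddy sshd[12691]: last message repeated 5 times
Feb 10 19:13:30 bigdaddy sshd[12843]: Failed password for admin from 203.0.113.9 port 5000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
REPEAT_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: last message repeated (?P<n>\d+) times")
PID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]")


def count_failures(log_text):
    """Return {source_ip: {user: failed_attempts}}.

    syslog collapses identical consecutive lines into "last message repeated N times";
    those are credited to the most recent failure logged by the same sshd pid, and any
    other line from that pid clears the association so unrelated repeats are not counted.
    """
    failures = defaultdict(lambda: defaultdict(int))
    last_failure_by_pid = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            last_failure_by_pid[m["pid"]] = (m["ip"], m["user"])
            continue
        m = REPEAT_RE.search(line)
        if m and m["pid"] in last_failure_by_pid:
            ip, user = last_failure_by_pid[m["pid"]]
            failures[ip][user] += int(m["n"])
            continue
        m = PID_RE.search(line)
        if m:
            last_failure_by_pid.pop(m["pid"], None)
    return {ip: dict(users) for ip, users in failures.items()}


def group_by_range(failures, prefix=24):
    """Group sources by their /prefix network: {network: {ip: total_failures}}."""
    ranges = defaultdict(dict)
    for ip, users in failures.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ranges[str(net)][ip] = sum(users.values())
    return dict(ranges)


def ranges_with_multiple_sources(failures, prefix=24):
    """Networks from which more than one distinct address has failed to authenticate."""
    return {net: ips for net, ips in group_by_range(failures, prefix).items() if len(ips) > 1}


if __name__ == "__main__":
    totals = count_failures(SAMPLE_LOG)
    for net, ips in ranges_with_multiple_sources(totals).items():
        print(f"{net}: {len(ips)} sources, {sum(ips.values())} failed attempts")
```

    On the sample this reports 61.160.215.0/24 with two sources and 17 failed attempts, while the lone 203.0.113.9 source is not flagged. Widening the prefix (for example 16) is a quick way to check whether the "same range" observation still holds at the scale of the whole allocation.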


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    The IP range is registered to Chinanet. Take from that what you will.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Automated, most definitely. I've seen it a bit, varying from bots/crawlers running from what seems to be cloud providers to Uni campuses to large businesses.

    I suppose simplest solution is just to block the entire IP block if you know you aren't ever going to be connecting from China.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Are the per-country IP ranges listed anywhere publicly?


  • Posts: 331 ✭✭ [Deleted User]


    it's not so easy to block a country as IPv4 addresses were assigned intermittently meaning 1.1.0.0/16 and 1.3.0.0/16 could be China yet 1.2.0.0/16 could be assigned to me :)

    Some IPS/IDS solutions take care of this but if you want to do it manually - http://www.nirsoft.net/countryip/

    IPv6 won't have this issue :)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's the one. Thanks. :)

    I was more thinking of a hosts.allow file that only allows Irish IPs to connect. It's not perfect by any means, but it's not a bad start, either.
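    Building that kind of hosts.allow from a per-country block list, and checking that a given address actually falls inside it, can be done with Python's ipaddress module. This is an added example, not code from the thread: COUNTRY_BLOCKS is a constructed placeholder list laid out like the non-contiguous case described a few posts up (1.1.0.0/16 and 1.3.0.0/16 in, 1.2.0.0/16 out), and a real list would come from a per-country allocation source such as the one linked earlier.

```python
import ipaddress

# Constructed placeholder list of "country" blocks (not real allocations). It deliberately
# includes an overlapping /17 and a non-contiguous gap: 1.2.0.0/16 is not in the list.
COUNTRY_BLOCKS = ["1.1.0.0/16", "1.1.128.0/17", "1.3.0.0/16", "2001:db8::/32"]


def parse_blocks(cidrs):
    """Parse CIDR strings and merge overlapping or adjacent blocks into the minimal set."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    # collapse_addresses refuses mixed address families, so handle v4 and v6 separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def wrapper_pattern(net):
    """Render a network in hosts_access(5) syntax: n.n.n.n/m.m.m.m for IPv4, [net]/len for IPv6."""
    if net.version == 4:
        return net.with_netmask  # e.g. "1.1.0.0/255.255.0.0"
    return f"[{net.network_address}]/{net.prefixlen}"


def hosts_allow_lines(service, networks):
    """Lines for /etc/hosts.allow: one 'service: client' pair per merged block."""
    return [f"{service}: {wrapper_pattern(n)}" for n in networks]


def hosts_deny_lines(service):
    """Matching /etc/hosts.deny line; tcp wrappers consult hosts.allow first, so this
    only catches clients that matched nothing in the allow list."""
    return [f"{service}: ALL"]


def is_allowed(ip, networks):
    """True if the address falls inside any allowed block (what the wrapper would decide)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


if __name__ == "__main__":
    nets = parse_blocks(COUNTRY_BLOCKS)
    print("# /etc/hosts.allow")
    print("\n".join(hosts_allow_lines("sshd", nets)))
    print("# /etc/hosts.deny")
    print("\n".join(hosts_deny_lines("sshd")))
    for probe in ("1.1.5.5", "1.2.0.1", "1.3.255.1"):
        print(probe, "allowed" if is_allowed(probe, nets) else "denied")
```

    The netmask form is used for IPv4 because every tcp_wrappers build accepts it, whereas bare /prefix notation for IPv4 is only supported on some distributions' patched versions. The probe for 1.2.0.1 comes back denied even though both neighbouring /16s are allowed, which is exactly the gap a hand-written range like 1.0.0.0/8 would get wrong.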


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    [Deleted User] wrote: »
    it's not so easy to block a country as IPv4 addresses were assigned intermittently meaning 1.1.0.0/16 and 1.3.0.0/16 could be China yet 1.2.0.0/16 could be assigned to me :)

    Some IPS/IDS solutions take care of this but if you want to do it manually - http://www.nirsoft.net/countryip/

    IPv6 won't have this issue :)

    you could write a script to block Chinese hosts. Something like (it's very quick and dirty):
    #!/bin/sh
    IP=$1
    # geoiplookup prints e.g. "GeoIP Country Edition: CN, China"; field 5 is the country name
    COUNTRY=$(geoiplookup "$IP" | awk '{print $5}')
    if [ "$COUNTRY" = "China" ]
    then
            # hosts.deny entries are "service: client" pairs; a bare address on its own is ignored
            echo "ALL: $IP" >> /etc/hosts.deny
    else
            echo "Not chinese"
    fi


  • Posts: 331 ✭✭ [Deleted User]


    syklops wrote: »
    you could write a script to block Chinese hosts. Something like (it's very quick and dirty):
    #!/bin/sh
    IP=$1
    # geoiplookup prints e.g. "GeoIP Country Edition: CN, China"; field 5 is the country name
    COUNTRY=$(geoiplookup "$IP" | awk '{print $5}')
    if [ "$COUNTRY" = "China" ]
    then
            # hosts.deny entries are "service: client" pairs; a bare address on its own is ignored
            echo "ALL: $IP" >> /etc/hosts.deny
    else
            echo "Not chinese"
    fi


    I need to start working with you more! :p


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Or if you want even more fun, install kippo and see what they plan on doing...

