[ale] [OT] Chinese brute-force network?

Dustin Strickland dustin.h.strickland at gmail.com
Sat May 31 14:00:28 EDT 2014


> zgrep -c 116.10.191 /var/log/auth*
> /var/log/auth.log:30666
> /var/log/auth.log.1.gz:54753
> /var/log/auth.log.2.gz:36340
> /var/log/auth.log.3.gz:58485
> /var/log/auth.log.4.gz:36654

Jesus, that's quite a few attempts... Anyway, thanks for the tips,
everybody. I was considering running Fail2ban on my web-facing machine,
but I haven't gotten around to installing and configuring it because
I don't have anything of much importance on it. It's got
reasonable security, anyway -- I know what people think about
password-based authentication, but my shortest password on that machine
is around 30-35 characters so I'm not too worried about anybody
accidentally finding it without some warning. Maybe I should set up a
honeypot - I kind of like watching the trends in who's trying to get in
to the machine.

My main concern was that the attacks weren't coming from a single
source, but from a range of IPs. And I can't find anything about the
ISP that owns these addresses, though the name Chinanet-GX appears a few
times. Is this common? And what exactly is this? Virus-infested PCs, or
something a little more sinister?

I did a dirty nmap of the range. If anyone cares to look at it, I'll
post it.
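The pattern in this thread (failures spread across a whole /24 rather than one address) is easy to miss with per-IP counting. As an added example that is not part of the original post, this Python snippet aggregates sshd "Failed password" lines per /24 and reports ranges where many distinct hosts are involved; the log lines are constructed, with 116.10.191.0/24 from the thread and 203.0.113.9 (a TEST-NET-3 documentation address) standing in for a lone scanner.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample auth.log lines (not from the thread). The 116.10.191.x
# addresses mirror the range discussed; 203.0.113.9 is a single-source scanner.
SAMPLE_LOG = """\
May 29 15:01:02 host sshd[1201]: Failed password for root from 116.10.191.11 port 40122 ssh2
May 29 15:01:05 host sshd[1203]: Failed password for invalid user admin from 116.10.191.57 port 40130 ssh2
May 29 15:01:09 host sshd[1205]: Failed password for root from 116.10.191.203 port 40141 ssh2
May 29 15:01:12 host sshd[1207]: Failed password for root from 116.10.191.88 port 40150 ssh2
May 29 15:02:30 host sshd[1210]: Failed password for root from 203.0.113.9 port 51000 ssh2
May 29 15:02:31 host sshd[1212]: Failed password for root from 203.0.113.9 port 51001 ssh2
May 29 15:03:00 host sshd[1214]: Accepted publickey for dustin from 198.51.100.4 port 2222 ssh2
"""

# Matches the standard OpenSSH failure line; the greedy ".*" skips the
# "invalid user NAME" variant so the group always captures the source IP.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def failed_sources(log_text):
    """Yield the source address of every sshd 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1))

def summarize_by_prefix(log_text, prefixlen=24):
    """Aggregate failures per /prefixlen network.

    Returns {"network/len": (attempts, distinct_hosts)}.
    """
    attempts = defaultdict(int)
    hosts = defaultdict(set)
    for ip in failed_sources(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        attempts[net] += 1
        hosts[net].add(ip)
    return {str(net): (attempts[net], len(hosts[net])) for net in attempts}

def distributed_ranges(log_text, min_hosts=3, prefixlen=24):
    """Networks where failures come from at least min_hosts distinct addresses:
    the 'whole /24 is knocking' pattern a per-IP ban treats as unrelated events."""
    summary = summarize_by_prefix(log_text, prefixlen)
    return sorted(net for net, (_, n) in summary.items() if n >= min_hosts)

if __name__ == "__main__":
    for net, (a, h) in sorted(summarize_by_prefix(SAMPLE_LOG).items()):
        print(f"{net}: {a} failures from {h} hosts")
    print("distributed:", distributed_ranges(SAMPLE_LOG))
```

Feed it a real file with `summarize_by_prefix(open("/var/log/auth.log").read())`; a range flagged by `distributed_ranges` is a candidate for a network-wide rule rather than per-host bans.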

On Fri, 30 May 2014 14:24:24 -0400
Bob Toxen <transam at verysecurelinux.com> wrote:

> Dustin,
> 
> Seems to be a serious problem dating back to 04/27/2014:
> 
> zgrep -c 116.10.191 /var/log/auth*
> /var/log/auth.log:30666
> /var/log/auth.log.1.gz:54753
> /var/log/auth.log.2.gz:36340
> /var/log/auth.log.3.gz:58485
> /var/log/auth.log.4.gz:36654
> 
> We blocked it with Fail2Ban.  (We also have other protections.)  I've
> now added something similar to the following IP Tables rules:
> 
> # LOG must sit before DROP in the chain, otherwise the LOG rule never matches
> /usr/sbin/iptables -I INPUT   1 -s 116.10.191.0/24 -j LOG   #hacker-extreme-brute-Chinese
> /usr/sbin/iptables -I FORWARD 1 -s 116.10.191.0/24 -j LOG   #hacker-extreme-brute-Chinese
> /usr/sbin/iptables -I INPUT   2 -s 116.10.191.0/24 -j DROP  #hacker-extreme-brute-Chinese
> /usr/sbin/iptables -I FORWARD 2 -s 116.10.191.0/24 -j DROP  #hacker-extreme-brute-Chinese
> 
> Bob
> 
> On Thu, May 29, 2014 at 04:03:17PM -0400, Dustin Strickland wrote:
> > I usually don't do this, but I feel oddly compelled to ask. Over
> > the past 3 days (and perhaps longer than that, but my logs were
> > wiped on a reboot) I've been getting failed SSH login attempts in
> > my logs from a bunch of different IPs in the range
> > 116.10.191.1-254. I thought this was really unusual; typically,
> > you'll get a few attempts over the course of 15 minutes to a few
> > hours from ONE IP, but this has been going on steady for days.
> > After researching a bit to try to find who owns this network, I
> > found this:
> > http://bannedhackersips.blogspot.com/2014/05/fail2ban-ssh-banned-11610191211_7510.html
> > 
> > `grep 116.10.191. /var/log/auth.log -c` returns 2920. Can you guys
> > check your logs and post the results (and speculation)? Something
> > isn't right about this, I think.
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
