... and who are they really?
I’ve been playing with my first ever remote server, which will end up as a public web server someday. As I’ve been told over and over by members, a VPS will do (I was thinking dedicated). As a habit from my desktop experience, I started off trying to capture the most frequent invaders’ IPs. I track by range and added each to be blocked by pf.
http://centralops.net/co/DomainDossier.aspx?dom_whois=1&net_whois=1&dom_dns=1
One line will tell the story, but here’s the complete list. In the end I hope someone could tell me what is going on and if there is a better way to stop them all so they are never seen again. It seems that the one called PONEY is the one that is giving newcomers multiple chances to get in, but they don’t! Same results even with the new version of sshguard, which is one of the reasons why I chose to replace it with the old version... sshguard-1.6.4_1
Here is the complete sshguard blacklist:
Code:
1519580540|100|4|163.172.192.9
1519601699|100|4|175.208.140.113
1519612298|100|4|46.105.121.42
1519615091|100|4|186.46.90.101
1519631548|100|4|58.218.198.155
1519635658|100|4|217.61.5.246
1519726830|100|4|217.64.141.1
1519735236|100|4|116.52.12.242
1519827688|100|4|190.137.139.66
1519838869|100|4|196.216.8.110
1519839673|100|4|175.211.95.171
1519841180|100|4|179.228.242.120
1519842244|100|4|95.183.56.240
1519843000|100|4|51.255.166.189
1519845545|100|4|149.202.102.36
1519861273|100|4|23.105.70.110
1519874715|100|4|118.184.53.50
1519887392|100|4|38.89.136.12
1519999890|100|4|178.62.44.104
Here are all the IPs being blocked by pf:
Code:
# RANGE
#.......................................................................#
block in quick on $_nic from 221.194.47.243 to any # China Unicom - HARD
block in quick on $_nic from 122.226.181.164 to any #
block in quick on $_nic from 163.172.192.9 to any # rev.poneytelecom.eu
block in quick on $_nic from 193.251.85.52 to any #
block in quick on $_nic from 212.83.179.97 to any #
block in quick on $_nic from 212.83.160.0 - 212.83.191.255 to any # jcraft–got or trying for
block in quick on $_nic from 195.154.0.0 - 195.154.127.255 to any # jcraft–keyboard and mouse
#.......................................................................#
#block in quick on $_nic from 5.101.40.0 - 5.101.40.255 to any # UNITEDPROTECTION-NET
#block in quick on $_nic from 35.192.0.0 - 35.207.255.255 to any # goo-content cloud bye bye SSH
#block in quick on $_nic from 41.83.74.216 - 41.83.75.255 to any # ADSL-pool
#block in quick on $_nic from 85.190.96.0 - 85.190.127.255 to any # neitherland-getinfo SSH
#block in quick on $_nic from 103.79.140.0 - 103.79.143.255 to any # vietnam SSH
#block in quick on $_nic from 112.112.0.0 - 112.115.255.255 to any # china-telco SSH
#block in quick on $_nic from 115.46.0.0 - 115.46.255.255 to any # china
#block in quick on $_nic from 115.238.244.0 - 115.238.245.255 to any # china
#block in quick on $_nic from 122.226.181.160 - 122.226.181.191 to any # china FAT – IP’s
#block in quick on $_nic from 153.122.0.0 - 153.123.255.255 to any # japan
#block in quick on $_nic from 163.0.0.0 - 163.255.255.255 to any # poney2-ERX-NETBLOCK
#block in quick on $_nic from 177.69.0.0 - 177.255.255.255 to any # DE telec
#block in quick on $_nic from 182.112.0.0 - 182.127.255.255 to any # china uni
#block in quick on $_nic from 203.162.246.96 - 203.162.245.127 to any # vietnam
#block in quick on $_nic from 209.152.160.0 - 209.152.191.255 to any # WebHostPlus telecom.eu
#block in quick on $_nic from 210.121.128.0 - 210.121.255.255 to any # korea
#block in quick on $_nic from 211.58.0.0 - 211.58.255.255 to any # h-master
#block in quick on $_nic from 219.154.0.0 - 219.157.255.255 to any # china-1
#block in quick on $_nic from 221.176.0.0 - 221.183.255.255 to any # china-mobile SSH
#block in quick on $_nic from 221.192.0.0 - 221.195.255.255 to any # china uni
#block in quick on $_nic from 122.226.181.160 - 122.226.181.191 to any # china
#block in quick on $_nic from 107.170.0.0 - 107.170.255.255 to any # persistence
#block in quick on $_nic from 200.109.128/17 to any # vietnam # CANTV Servicios, Venezuela 200.109.236.50
#block in quick on $_nic from 190.78/15 to any # de Argentina - speedy
block in quick on $_nic all
I forgot to jot down all of the block out quick rules. Thinking outside the box, I thought this might help. Could this be what is escalating the problem, or is it doing anything useful from now into the future? PONEY is trying everything possible… why shouldn’t I?
Code:
#.......................................................................#
block out quick on $_nic from 122.226.181.164 to any #
block out quick on $_nic from 163.172.192.9 to any # rev.poneytelecom.eu
block out quick on $_nic from 193.251.85.52 to any #
block out quick on $_nic from 212.83.179.97 to any #
block out quick on $_nic from 221.194.47.243 to any #
#.......................................................................#
Anyway, they just keep coming, so I set some stronger variables in rc.conf. How do I tell pardon_min_interval and prescribe_interval to say ="Never-Again"? I’m not worried about locking myself out -- the VPS control panel is the way to recover.
Code:
sshguard_enable="YES"
sshguard_safety_thresh="3" # 3 strikes your out
sshguard_pardon_min_interval="2592000" # 30 days - lock out for 30 days
sshguard_prescribe_interval="86400" # 24 hours - retry within 24 hours
#sshguard_flags=""
Now, after so many hours, this is the bulk of what is trying to get in. Basically it is all the same IPs that should have already been blocked, but the same ones just keep coming in:
1) I don’t have diffie-hellman whatever.
2) I have an RSA key but I don’t know if it’s working. I always have to put in a password to access the server.
Code:
Mar 2 17:00:01 order newsyslog[22609]: logfile turned over due to size>100K
Mar 2 17:00:01 order sshguard[854]: Reloading rotated file /var/log/auth.log.
Mar 2 17:00:12 order sshd[22613]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:00:16 order sshd[22614]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:00:39 order sshd[22615]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:00:58 order sshd[22616]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:01:18 order sshd[22617]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:01:39 order sshd[22618]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:02:10 order sshd[22619]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:02:22 order sshd[22620]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:02:42 order sshd[22621]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:03:00 order sshd[22622]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:03:11 order sshd[22623]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:03:24 order sshd[22624]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:03:47 order sshd[22625]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:04:00 order sshd[22626]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(212-83-179-97.rev.poneytelecom.eu, AF_INET) failed
Mar 2 17:04:00 order sshd[22626]: refused connect from 212.83.179.97 (212.83.179.97)
Mar 2 17:04:00 order sshd[22627]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(212-83-179-97.rev.poneytelecom.eu, AF_INET) failed
Mar 2 17:04:00 order sshd[22627]: refused connect from 212.83.179.97 (212.83.179.97)
Mar 2 17:04:07 order sshd[22628]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:04:30 order sshd[22629]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:05:00 order sshd[22632]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:05:13 order sshd[22633]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:05:36 order sshd[22634]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:05:57 order sshd[22635]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:06:09 order sshd[22636]: Received disconnect from 122.226.181.167 port 52002:11: [preauth]
Mar 2 17:06:09 order sshd[22636]: Disconnected from 122.226.181.167 port 52002 [preauth]
Mar 2 17:06:18 order sshd[22638]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:06:39 order sshd[22639]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:06:59 order sshd[22640]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:07:31 order sshd[22641]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:07:40 order sshd[22642]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:08:02 order sshd[22643]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:08:23 order sshd[22644]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:08:45 order sshd[22645]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:09:06 order sshd[22646]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:09:27 order sshd[22647]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:09:50 order sshd[22648]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:10:18 order sshd[22651]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:10:30 order sshd[22652]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:10:53 order sshd[22653]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:11:13 order sshd[22657]: refused connect from 58.218.198.155 (58.218.198.155)
Etc …
Etc … AND SOMETIMES A BIG BLOCK OF THIS:
Etc …
Mar 2 18:32:03 order sshd[22875]: user NOUSER login class [preauth]
Mar 2 18:32:04 order sshd[22875]: Connection closed by invalid user admin 124.133.5.210 port 55342 [preauth]
Mar 2 18:36:42 order sshd[22882]: Received disconnect from 124.117.241.152 port 25869:11: Bye Bye [preauth]
Mar 2 18:36:42 order sshd[22882]: Disconnected from 124.117.241.152 port 25869 [preauth]
Mar 2 18:36:48 order sshd[22883]: Address 14.231.252.56 maps to static.vnpt.vn, but this does not map back to the address.
Mar 2 18:36:48 order sshd[22883]: Invalid user admin from 14.231.252.56 port 50185
Mar 2 18:36:48 order sshd[22883]: user NOUSER login class [preauth]
Mar 2 18:36:49 order sshd[22883]: Connection closed by invalid user admin 14.231.252.56 port 50185 [preauth]
Mar 2 18:36:55 order sshd[22886]: reverse mapping checking getaddrinfo for 201-148-117-91.tvactiete.com.br [201.148.117.91] failed.
Mar 2 18:36:55 order sshd[22886]: Invalid user admin from 201.148.117.91 port 32919
Mar 2 18:36:55 order sshd[22886]: user NOUSER login class [preauth]
Mar 2 18:36:56 order sshd[22886]: Connection closed by invalid user admin 201.148.117.91 port 32919 [preauth]
Etc …
Etc … MORE PONEY – PONEY - PONEY
Etc …
Mar 2 17:49:35 order sshd[22793]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(163-172-192-9.rev.poneytelecom.eu, AF_INET) failed
Mar 2 17:49:35 order sshd[22793]: refused connect from 163.172.192.9 (163.172.192.9)
Mar 2 17:49:36 order sshd[22794]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(163-172-192-9.rev.poneytelecom.eu, AF_INET) failed
Mar 2 17:49:36 order sshd[22794]: refused connect from 163.172.192.9 (163.172.192.9)
Mar 2 17:49:43 order sshd[22795]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:50:05 order sshd[22798]: refused connect from 58.218.198.155 (58.218.198.155)
THIS IS ME LOGGING IN:
Mar 2 17:50:50 order sshd[22799]: user MAX-21 login class [preauth]
Mar 2 17:50:50 order last message repeated 2 times
Mar 2 17:51:09 order sshd[22799]: Accepted keyboard-interactive/pam for MAX-21 from 67.162.0.144 port 10101 ssh2
Mar 2 17:51:23 order su: MAX-21 to root on /dev/pts/0
THIS IS WHAT FOLLOWS BUT IT IS NOT ME or my IP(s):
Mar 2 17:51:41 order sshd[22823]: Received disconnect from 121.18.238.39 port 46030:11: [preauth]
Mar 2 17:51:41 order sshd[22823]: Disconnected from 121.18.238.39 port 46030 [preauth]
Mar 2 17:55:14 order sshd[22832]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(212-83-179-97.rev.poneytelecom.eu, AF_INET) failed
Mar 2 17:55:14 order sshd[22832]: refused connect from 212.83.179.97 (212.83.179.97)
Mar 2 17:55:14 order sshd[22831]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(212-83-179-97.rev.poneytelecom.eu, AF_INET) failed
Mar 2 17:55:14 order sshd[22831]: refused connect from 212.83.179.97 (212.83.179.97)
Mar 2 18:12:03 order sshd[22847]: Unable to negotiate with 103.79.143.62 port 60773: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Mar 2 18:14:53 order sshd[22852]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(163-172-192-9.rev.poneytelecom.eu, AF_INET) failed
Mar 2 18:14:53 order sshd[22852]: refused connect from 163.172.192.9 (163.172.192.9)
Sometimes I think PONEY is part of sshguard or trying to do me a favor. For a minute I was on my way to believing it.
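The following is an added example, not code from the post or from sshguard, that cross-checks the two artifacts shown above: the sshguard blacklist file and the sshd lines in auth.log. The blacklist field meanings (Unix timestamp, service 100 = ssh, address kind 4 = IPv4) are assumptions, since the post does not name them; the sample blacklist and log excerpt below are constructed to match the layouts the post shows. The point it makes: when pf drops a source with "block in quick", sshd never sees the connection and logs nothing for it, so a blacklisted address that still produces "refused connect" lines (those come from tcp_wrappers inside sshd) is reaching sshd and is not being dropped by the packet filter.

```python
#!/usr/bin/env python3
"""Cross-check an sshguard blacklist against sshd entries in auth.log.

Added example; sample data is constructed and mirrors the formats in the post.
Blacklist field meanings are assumed: <unix_time>|<service>|<addr_kind>|<address>
(100 = ssh, 4 = IPv4). A blacklisted address that still shows up in
"refused connect" lines reached sshd, i.e. pf did not drop it.
"""
import re
from collections import Counter

# Constructed sample blacklist (same layout as the post's file).
BLACKLIST_TEXT = """\
1519580540|100|4|163.172.192.9
1519631548|100|4|58.218.198.155
1519999890|100|4|178.62.44.104
"""

# Constructed sample auth.log excerpt (same message shapes as the post).
AUTH_LOG_TEXT = """\
Mar 2 17:00:12 order sshd[22613]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:00:16 order sshd[22614]: refused connect from 58.218.198.155 (58.218.198.155)
Mar 2 17:04:00 order sshd[22626]: refused connect from 212.83.179.97 (212.83.179.97)
Mar 2 17:49:35 order sshd[22793]: refused connect from 163.172.192.9 (163.172.192.9)
Mar 2 17:51:09 order sshd[22799]: Accepted keyboard-interactive/pam for MAX-21 from 67.162.0.144 port 10101 ssh2
Mar 2 18:12:03 order sshd[22847]: Unable to negotiate with 103.79.143.62 port 60773: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Mar 2 18:36:48 order sshd[22883]: Invalid user admin from 14.231.252.56 port 50185
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from " + IPV4)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IPV4)
KEX_RE = re.compile(r"Unable to negotiate with " + IPV4
                    + r" port \d+: no matching key exchange method found\. Their offer: (\S+)")


def parse_blacklist(text):
    """Return {address: unix_timestamp} for the IPv4 (kind 4) entries."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # blank line or something that is not a blacklist record
        ts, _service, kind, addr = parts
        if kind == "4":
            entries[addr] = int(ts)
    return entries


def count_matches(text, regex):
    """Count per-address hits of one sshd message type in the log text."""
    hits = Counter()
    for line in text.splitlines():
        m = regex.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def still_reaching_sshd(blacklist, refused):
    """Blacklisted addresses whose connections still reach sshd (not dropped by pf)."""
    return {a: n for a, n in refused.items() if a in blacklist}


def unlisted_sources(blacklist, refused):
    """Sources refused by hosts.allow that sshguard has not blacklisted."""
    return {a: n for a, n in refused.items() if a not in blacklist}


def weak_kex_offers(text):
    """Count rejected key-exchange offers by the method the client proposed."""
    return Counter(m.group(2) for m in map(KEX_RE.search, text.splitlines()) if m)


def pf_table_lines(blacklist):
    """Render the blacklist as one address per line, suitable for a pf table file."""
    return [addr + "\n" for addr in sorted(blacklist, key=lambda a: tuple(map(int, a.split("."))))]


if __name__ == "__main__":
    bl = parse_blacklist(BLACKLIST_TEXT)
    refused = count_matches(AUTH_LOG_TEXT, REFUSED_RE)
    print("blacklisted but still reaching sshd:", still_reaching_sshd(bl, refused))
    print("refused but not blacklisted:", unlisted_sources(bl, refused))
    print("invalid-user attempts:", dict(count_matches(AUTH_LOG_TEXT, INVALID_RE)))
    print("weak KEX offers refused by sshd:", dict(weak_kex_offers(AUTH_LOG_TEXT)))
    print("pf table contents:", "".join(pf_table_lines(bl)), sep="\n")
```

Run against the real files by reading /var/log/auth.log and the sshguard blacklist into the two text variables. Every address reported by still_reaching_sshd is one the blacklist was supposed to stop. The pf_table_lines output is shaped for a pf table loaded from a file (standard pf syntax, with an assumed table name: `table <sshguard_bl> persist file "/etc/pf.sshguard_bl"` plus `block in quick from <sshguard_bl>`), which keeps the address list out of the rule body. The KEX count shows that the "diffie-hellman-group1-sha1" lines in the post are sshd refusing a client's weak offer, not a problem with the server's own configuration.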