[ale] [OT] Chinese brute-force network?

Ben Coleman oloryn at benshome.net
Thu May 29 23:19:03 EDT 2014


On 5/29/2014 16:03, Dustin Strickland wrote:
> I usually don't do this, but I feel oddly compelled to ask. Over the
> past 3 days (and perhaps longer than that, but my logs were wiped on a
> reboot) I've been getting failed SSH login attempts in my logs from a
> bunch of different IPs in the range 116.10.191.1-254.

Yeah, I've noticed.  I've just finished moving from denyhosts to
fail2ban for this, and let fail2ban send me the emails with whois while
I'm getting used to fail2ban.  What I've noticed in looking over those
emails is that the vast majority of IP addresses that fail2ban blocks
for ssh brute-forcing are in China (off of the top of my head, I'd say
90%, but I haven't checked the numbers).

Just today I went ahead and firewalled the most obnoxious blocks.  My
current China block list:

61.174.48.0/21
115.239.248.0/21
116.8.0.0/14
220.175.0.0/16
220.176.0.0/16
220.177.0.0/16
222.184.0.0/13

Ben
-- 
Ben Coleman oloryn at benshome.net | For the wise man, doing right trumps
http://oloryn.benshome.net/     | looking right.  For the fool, looking
Amateur Radio NJ8J              | right trumps doing right.
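
An added example, not part of the original message: a check of how many failed SSH logins a block list like the one above already covers, and whether adjacent entries can be merged into fewer firewall rules. The log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Block list exactly as posted in the message above.
BLOCKLIST = ["61.174.48.0/21", "115.239.248.0/21", "116.8.0.0/14",
             "220.175.0.0/16", "220.176.0.0/16", "220.177.0.0/16",
             "222.184.0.0/13"]
NETWORKS = [ipaddress.ip_network(n) for n in BLOCKLIST]

# Constructed sshd log lines (not from the post). 192.0.2.0/24 and
# 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
May 29 15:01:02 host sshd[1201]: Failed password for root from 116.10.191.166 port 4321 ssh2
May 29 15:01:05 host sshd[1203]: Failed password for root from 116.10.191.166 port 4388 ssh2
May 29 15:01:09 host sshd[1207]: Failed password for invalid user admin from 116.10.191.201 port 1045 ssh2
May 29 15:02:11 host sshd[1210]: Failed password for root from 61.174.51.20 port 2201 ssh2
May 29 15:03:40 host sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 5522 ssh2
May 29 15:04:00 host sshd[1219]: Accepted publickey for ben from 192.0.2.10 port 50022 ssh2
"""
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def failed_sources(log_text):
    """Count failed SSH password attempts per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            pass  # source logged as a hostname or malformed; skip it
    return hits

def coverage(hits, networks=NETWORKS):
    """Split attempts into those a listed block covers and those it does not."""
    covered, uncovered = Counter(), Counter()
    for ip, count in hits.items():
        net = next((n for n in networks if ip in n), None)
        if net is not None:
            covered[str(net)] += count
        else:
            uncovered[str(ip)] += count
    return covered, uncovered

def collapsed(networks=NETWORKS):
    """Merge adjacent blocks into the fewest equivalent CIDR entries."""
    return [str(n) for n in ipaddress.collapse_addresses(networks)]
```

The 116.10.191.x sources from the quoted question fall inside 116.8.0.0/14, and the two adjacent /16 entries 220.176.0.0 and 220.177.0.0 merge into a single /15 while 220.175.0.0/16 stays separate.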
