Tomáš Pospíšek's Notizblock
The default settings of fail2ban are to ban an IP if it incorrectly authenticates 5 times within 10 minutes.
We are seeing one bruteforcing attempt every 3 minutes. The IPs where the attempts are coming from are wideely distributed over the address space. However we do block IPs that try sustainedly.
Watching the log it feels like there is at least one actor that has access to a very large number of IPs that is continually bruteforcing us, that is aware of fail2ban's default settings and is scanning with a frequency that makes sure that he's flaying under the radar of fail2ban's default settings (5 attempts per 10min).
It's also interesting to see what happens when you report an IP:
- first you find out with whois who the IP belongs to
- get the abuse contact from there
- and write an email, reporting the IP
From: Tomas Pospisek
To: abuse@...
Subject: 192.168.0.1 bruteforcing SMTP auth
Hello,
the IP mentioned in the email subject has been bruteforcing SMTP auth on our server. I have blacklisted it.
2020-02-21 00:29:53 SMTP protocol error in "AUTH LOGIN" H=(UF2RIBjOt) [192.168.0.1] AUTH command used when not advertised
[...etc...]
Please let me know when you have stopped that IP from bruteforcing us so that I can remove it from the blacklist again.
Thanks,
*tGood citizens of the internet
| who | as | net | date | comment |
|---|---|---|---|---|
| greenserver.io | AS9009 | 45.133.116.0/24 | 2021-07-02 | terminated VPS and customer within a day |
Bad citizens of the internet
| who | as | net | date | comment |
|---|---|---|---|---|
| ovh.ca | AS16276 | 198.50.252.24/29 | 2021-07-02 | reply with arbitrary blueprint mail asking you to jump through some arbitrary process |
| quadranet.com | AS8100 | 104.129.0.0/18 | 2021-07-02 | reply with blueprint mail but no reply if action was taken |
| chinanet.cn.net | AS4134 | 104.129.0.0/18 | 2021-07-02 | no reply, spam contact jsabuse@189.cn bounces/is full |
| fastlink.net | AS46664 | 156.96.154.0/23 | 2021-07-16 | no reply |
| Viet Speet Ltd | AS135905 | 103.155.80.0/23 | 2021-07-09 | no reply |
| ehostidc.co.kr | AS45382 | 27.255.75.0/24 | 2021-07-09 | no reply |
| vietserver.vn | AS63737 | 103.167.90.0/23 | 2021-07-09 | no reply |
| microsoft.com | AS8075 | 40.124.0.0/16 | 2021-07-09 | reply with blueprint mail asking you to jump through some arbitrary process |
| hostglobal.plus | AS202306 | 109.237.100.0/22 | 2021-07-09 | no reply |
Tomáš Pospíšek, 2021-07-17
