LinuxQuestions.org
04-02-2022, 02:33 PM #16
Linux_Kidd (Member)
Perhaps China has some command & control (or just a VM) servers in Ukraine, or maybe Russia does, or maybe the US govt does, or even perhaps a 5-year-old in Norway.

The actual location of the people-source will be astoundingly difficult to ascertain. Blocking via geoIP (or IANA info) will get you a block, that's it.
09-04-2022, 08:12 AM #17
root:root (LQ Newbie)
more hammering

Also got the mail server hammered with some random usernames from the same IP block. ipinfo.io reports it as not a proxy or hosted, so it should be traceable? Reported it to Spaceship's abuse contact and got a reply that they forwarded it to their NOC.

ipinfo.io:
Code:
{
  "vpn": false,
  "proxy": false,
  "tor": false,
  "relay": false,
  "hosting": false,
  "service": ""
}
Code:
2022/09/03 14:37:37 [info] 11#11: *14117 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "pla@<DOMAIN_REMOVED>"
2022/09/03 14:37:41 [info] 11#11: *14122 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "008@<DOMAIN_REMOVED>"
2022/09/03 14:37:44 [info] 11#11: *14126 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "bib@<DOMAIN_REMOVED>"
2022/09/03 14:37:47 [info] 11#11: *14133 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "serwis@<DOMAIN_REMOVED>"
2022/09/03 14:37:50 [info] 11#11: *14137 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "pharm@<DOMAIN_REMOVED>"
2022/09/03 14:37:53 [info] 11#11: *14143 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "hsc@<DOMAIN_REMOVED>"
2022/09/03 14:37:56 [info] 11#11: *14147 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "drift@<DOMAIN_REMOVED>"
2022/09/03 14:37:59 [info] 11#11: *14151 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "media1@<DOMAIN_REMOVED>"
2022/09/03 14:38:02 [info] 11#11: *14155 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "sales3@<DOMAIN_REMOVED>"
2022/09/03 14:38:04 [info] 11#11: *14159 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "ast@<DOMAIN_REMOVED>"
2022/09/03 14:38:09 [info] 11#11: *14163 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "bot@<DOMAIN_REMOVED>"
2022/09/03 14:38:12 [info] 11#11: *14182 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "stampanti@<DOMAIN_REMOVED>"
2022/09/03 14:38:15 [info] 11#11: *14189 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "mmendez@<DOMAIN_REMOVED>"
2022/09/03 14:38:18 [info] 11#11: *14190 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "dore@<DOMAIN_REMOVED>"
2022/09/03 14:38:21 [info] 11#11: *14194 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "rain@<DOMAIN_REMOVED>"
2022/09/03 14:38:24 [info] 11#11: *14200 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "muc@<DOMAIN_REMOVED>"
2022/09/03 14:38:27 [info] 11#11: *14204 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "dva@<DOMAIN_REMOVED>"
2022/09/03 14:38:30 [info] 11#11: *14208 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "f@<DOMAIN_REMOVED>"
2022/09/03 14:38:33 [info] 11#11: *14212 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "surv@<DOMAIN_REMOVED>"
2022/09/03 14:38:36 [info] 11#11: *14216 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "nugget@<DOMAIN_REMOVED>"
2022/09/03 14:38:39 [info] 11#11: *14220 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "carrier@<DOMAIN_REMOVED>"
2022/09/03 14:38:42 [info] 11#11: *14224 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "ads3@<DOMAIN_REMOVED>"
2022/09/03 14:38:45 [info] 11#11: *14228 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "trebor@<DOMAIN_REMOVED>"
2022/09/03 14:38:48 [info] 11#11: *14232 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "Rimma@<DOMAIN_REMOVED>"
2022/09/03 14:38:51 [info] 11#11: *14236 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "venus@<DOMAIN_REMOVED>"
2022/09/03 14:38:54 [info] 11#11: *14242 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "adminweb@<DOMAIN_REMOVED>"
2022/09/03 14:38:58 [info] 11#11: *14246 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "cfnlaunchpadcanarytes@<DOMAIN_REMOVED>"
2022/09/03 14:39:01 [info] 11#11: *14250 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "support1@<DOMAIN_REMOVED>"
2022/09/03 14:39:03 [info] 11#11: *14254 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "ns11@<DOMAIN_REMOVED>"
2022/09/03 14:39:07 [info] 11#11: *14258 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "cerbere@<DOMAIN_REMOVED>"
2022/09/03 14:39:10 [info] 11#11: *14262 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "guests@<DOMAIN_REMOVED>"
2022/09/03 14:39:13 [info] 11#11: *14266 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "asdfghjkl;'@<DOMAIN_REMOVED>"
2022/09/03 14:39:16 [info] 11#11: *14270 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "us@<DOMAIN_REMOVED>"
2022/09/03 14:39:19 [info] 11#11: *14274 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "jeckle@<DOMAIN_REMOVED>"
2022/09/03 14:39:22 [info] 11#11: *14280 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "anonymous@<DOMAIN_REMOVED>"
2022/09/03 14:39:25 [info] 11#11: *14284 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "design3@<DOMAIN_REMOVED>"
2022/09/03 14:39:28 [info] 11#11: *14288 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "Mail@<DOMAIN_REMOVED>"
2022/09/03 14:39:31 [info] 11#11: *14292 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "nissan@<DOMAIN_REMOVED>"
2022/09/03 14:39:34 [info] 11#11: *14296 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "veeam@<DOMAIN_REMOVED>"
2022/09/03 14:39:37 [info] 11#11: *14300 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "gazeta@<DOMAIN_REMOVED>"
2022/09/03 14:39:40 [info] 11#11: *14304 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "protocollo@<DOMAIN_REMOVED>"
2022/09/03 14:39:44 [info] 11#11: *14308 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "debora@<DOMAIN_REMOVED>"
2022/09/03 14:39:46 [info] 11#11: *14312 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "mail05@<DOMAIN_REMOVED>"
2022/09/03 14:39:49 [info] 11#11: *14316 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "error@<DOMAIN_REMOVED>"
2022/09/03 14:39:53 [info] 11#11: *14322 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "Nanan@<DOMAIN_REMOVED>"
2022/09/03 14:39:56 [info] 11#11: *14326 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "erover@<DOMAIN_REMOVED>"
2022/09/03 14:39:59 [info] 11#11: *14330 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "keiri@<DOMAIN_REMOVED>"
2022/09/03 14:40:02 [info] 11#11: *14334 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "zfs@<DOMAIN_REMOVED>"
2022/09/03 14:40:05 [info] 11#11: *14338 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "webportal@<DOMAIN_REMOVED>"
2022/09/03 14:40:08 [info] 11#11: *14342 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "thor@<DOMAIN_REMOVED>"
2022/09/03 14:40:11 [info] 11#11: *14346 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "utl@<DOMAIN_REMOVED>"
2022/09/03 14:40:14 [info] 11#11: *14350 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "rikei@<DOMAIN_REMOVED>"
 
10-06-2022, 09:16 AM #18
rnturn (Senior Member)
Quote:
Originally Posted by root:root View Post
Also got mail server hammered with some random usernames from the same IP block.
I get that from time to time. Got hit pretty hard 3-4 years ago with that stuff (worst case: 100K+ junk emails in one day). Firewall rules (how I deal with relay attempts) and Postfix configuration are your friends. There is plenty of information out there on how to keep the spam from inundating your system(s).
 
12-03-2022, 07:42 PM #19
Aeolustw (Member)
Quote:
Originally Posted by lucmove View Post
Someone in Kiev has been hammering my freshly installed email server.

Code:
Mar 23 23:46:56 server postfix/smtpd[10867]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:46:57 server postfix/smtpd[10865]: connect from unknown[5.34.207.123]
Mar 23 23:46:57 server postfix/smtpd[10860]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:01 server postfix/smtpd[10867]: connect from unknown[5.34.207.123]
Mar 23 23:47:05 server postfix/smtpd[10859]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:05 server postfix/smtpd[10863]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:05 server postfix/smtpd[10860]: connect from unknown[5.34.207.123]
Mar 23 23:47:06 server postfix/smtpd[10861]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:06 server postfix/smtpd[10863]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:07 server postfix/smtpd[10861]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:10 server postfix/smtpd[10859]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:10 server postfix/smtpd[10856]: connect from unknown[5.34.207.123]
Mar 23 23:47:10 server postfix/smtpd[10865]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:11 server postfix/smtpd[10865]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:12 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:14 server postfix/smtpd[10857]: connect from unknown[5.34.207.123]
Mar 23 23:47:17 server postfix/smtpd[10867]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:19 server postfix/smtpd[10855]: connect from unknown[5.34.207.123]
Mar 23 23:47:20 server postfix/smtpd[10860]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:20 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:20 server postfix/smtpd[10867]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:22 server postfix/smtpd[10860]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:24 server postfix/smtpd[10861]: connect from unknown[5.34.207.123]
Mar 23 23:47:26 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:27 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:29 server postfix/smtpd[10857]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:29 server postfix/smtpd[10863]: connect from unknown[5.34.207.123]
Mar 23 23:47:30 server postfix/smtpd[10857]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:31 server postfix/smtpd[10856]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:32 server postfix/smtpd[10856]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:33 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:33 server postfix/smtpd[10865]: connect from unknown[5.34.207.123]
Mar 23 23:47:37 server postfix/smtpd[10855]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:37 server postfix/smtpd[10860]: connect from unknown[5.34.207.123]
Mar 23 23:47:38 server postfix/smtpd[10861]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:38 server postfix/smtpd[10861]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:39 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Mar 23 23:47:39 server postfix/smtpd[10855]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:42 server postfix/smtpd[10862]: connect from unknown[5.34.207.123]
Mar 23 23:47:47 server postfix/smtpd[10861]: connect from unknown[5.34.207.123]
Mar 23 23:47:48 server postfix/smtpd[10863]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:50 server postfix/smtpd[10863]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:52 server postfix/smtpd[10855]: connect from unknown[5.34.207.123]
Mar 23 23:47:53 server postfix/smtpd[10865]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:53 server postfix/smtpd[10865]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:56 server postfix/smtpd[10863]: connect from unknown[5.34.207.123]
Mar 23 23:47:58 server postfix/smtpd[10862]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server

'Whois' says that IP is in Kiev, Ukraine. There is an email for abuse. Should I ever bother to report these things?
I think what hackers have done is important, wherever they are from.
They are like a virus, always trying to attack you; if you are weak, you will go down.
So make your server as strong as a steel castle at all times, especially if you install your own server.

If you want to ban them with Fail2ban, this is my code.

Code:
failregex = ^.*\[<HOST>\].*SASL LOGIN authentication failed.*
My server syslog:
Quote:
Nov 13 01:52:17 ipb postfix/smtpd[138531]: warning: unknown[103.99.1.230]: SASL LOGIN authentication failed: authentication failure
Nov 13 19:12:07 ipb postfix/smtpd[773263]: warning: unknown[193.56.29.158]: SASL LOGIN authentication failed: authentication failure
Nov 13 19:31:19 ipb postfix/smtpd[781510]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 15 02:35:43 ipb postfix/smtpd[2537217]: warning: unknown[103.117.220.68]: SASL LOGIN authentication failed: authentication failure
Nov 15 20:23:14 ipb postfix/smtpd[1739498]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 18 22:13:01 ipb postfix/smtpd[611459]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 19 14:44:43 ipb postfix/smtpd[4122349]: warning: vmi1087061.contaboserver.net[38.242.134.154]: SASL LOGIN authentication failed: authentication failure
Nov 19 21:30:33 ipb postfix/smtpd[1444666]: warning: unknown[103.114.104.92]: SASL LOGIN authentication failed: authentication failure
Nov 21 23:45:56 ipb postfix/smtpd[3929030]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 22 22:40:10 ipb postfix/smtpd[3693727]: warning: unknown[103.114.104.92]: SASL LOGIN authentication failed: authentication failure
Nov 23 00:02:16 ipb postfix/smtpd[3869222]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 24 00:20:48 ipb postfix/smtpd[3817014]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 24 23:14:20 ipb postfix/smtpd[3468993]: warning: unknown[103.114.104.92]: SASL LOGIN authentication failed: authentication failure
Nov 26 01:34:31 ipb postfix/smtpd[268942]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 27 01:48:01 ipb postfix/smtpd[868902]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Nov 30 01:15:57 ipb postfix/smtpd[4113775]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Dec 1 03:11:40 ipb postfix/smtpd[1173712]: warning: unknown[103.99.1.230]: SASL LOGIN authentication failed: authentication failure
Dec 2 01:54:49 ipb postfix/smtpd[1611816]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
Dec 2 03:26:12 ipb postfix/smtpd[1933236]: warning: unknown[103.99.1.230]: SASL LOGIN authentication failed: authentication failure
Dec 4 03:06:46 ipb postfix/smtpd[1631332]: warning: unknown[103.151.125.9]: SASL LOGIN authentication failed: authentication failure
My Fail2ban log for the last one (Dec 4 03:06:46):
Quote:
2022-12-04 03:06:46,530 fail2ban.filter [716]: INFO [your_filter] Found 103.151.125.9 - 2022-12-04 03:06:46
2022-12-04 03:06:46,566 fail2ban.filter [716]: INFO [your_filter] Found 103.151.125.9 - 2022-12-04 03:06:46
2022-12-04 03:06:46,748 fail2ban.actions [716]: NOTICE [your_filter] Ban 103.151.125.9
2022-12-04 03:15:06,782 fail2ban.filter [716]: INFO [your_filter] Found 103.151.125.9 - 2022-12-04 03:15:06
2022-12-04 03:15:07,388 fail2ban.actions [716]: WARNING [your_filter] 103.151.125.9 already banned

Last edited by Aeolustw; 12-03-2022 at 09:16 PM.
12-06-2022, 12:53 PM #20
Linux_Kidd (Member)
103.114.104.0/22 is an ARIN block assigned to vnnic.vn (Viet Nam)

Small block 5.34.207.0/24 assigned to SpaceshipNetworks
https://search.arin.net/rdap/?query=5.34.207.123


Does appear to be IP in Ukraine (https://scamalytics.com/ip/isp/spaceshipnetworks-ltd), but this does not ID the C2.
If the IP is illustrating nefarious behavior, then report it to ARIN.

The goal is to ID the C2.
 
12-06-2022, 02:36 PM #21
wpeckham (LQ Guru)
Subnet and location data is generally not complete in WHOIS. The real location of the source IP address may be very different from KIEV; it might not even be in Ukraine!

I have noticed threat activity seeming to be from cities known to be without power after shelling. This would lead me to believe that we cannot trust that source information to any great level of confidence.

I would allow FAIL2BAN to detect threat attempts that are clearly NOT from existing clients, and add them to your block list.
 
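Added example, not code from any poster in this thread: a small Python replay of what the Fail2ban filter in #19 does, extended to also match the nginx mail-proxy lines quoted in #17 and to honour an ignore list for existing clients as #21 suggests. The nginx pattern, the "office" client in 203.0.113.0/24 and the sample log are constructed for illustration, and the year 2022 is assumed for the syslog lines, which carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Aeolustw's failregex from post #19, with fail2ban's <HOST> placeholder written
# out as a capture group. It matches every "SASL LOGIN authentication failed"
# line, including the "Connection lost to authentication server" and base64
# "UGFzc3dvcmQ6" variants in the quoted log, so backend hiccups count too.
FAILREGEX_POSTFIX = re.compile(
    r"^.*\[(?P<host>[^\]]+)\].*SASL LOGIN authentication failed.*"
)
# Assumed companion pattern for the nginx mail-proxy lines in post #17
# (illustration only, not a pattern fail2ban ships).
FAILREGEX_NGINX = re.compile(
    r"client login failed: .* client: (?P<host>[0-9.]+), server: "
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
NGINX_TS = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, assumed_year=2022):
    """Return (timestamp, host) for a failure line, else None.
    Syslog lines carry no year, so one is assumed; nginx lines have their own."""
    m = SYSLOG_TS.match(line)
    if m:
        ts = datetime.strptime(f"{assumed_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hit = FAILREGEX_POSTFIX.match(line)
    else:
        m = NGINX_TS.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        hit = FAILREGEX_NGINX.search(line)
    return (ts, hit["host"]) if hit else None


def simulate_jail(lines, maxretry=3, findtime=600, ignoreip=()):
    """Replay lines through a fail2ban-style window: ban a host after
    `maxretry` hits within `findtime` seconds, never counting `ignoreip`
    networks (post #21's point about sparing existing clients)."""
    ignore = [ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        try:
            addr = ip_address(host)
        except ValueError:
            continue  # hostname in the brackets; real fail2ban would resolve it
        if host in banned or any(addr in net for net in ignore):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # expire hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample in the thread's two log formats. 203.0.113.7 stands in
# for a legitimate client with a mistyped password.
SAMPLE_LOG = """\
Mar 23 23:47:05 server postfix/smtpd[10859]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 23 23:47:06 server postfix/smtpd[10863]: disconnect from unknown[5.34.207.123] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar 23 23:47:20 server postfix/smtpd[10860]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:47:29 server postfix/smtpd[10857]: warning: unknown[5.34.207.123]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 23 23:48:00 server postfix/smtpd[10858]: warning: office[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 23 23:48:05 server postfix/smtpd[10858]: warning: office[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 23 23:48:09 server postfix/smtpd[10858]: warning: office[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
2022/09/03 14:37:37 [info] 11#11: *14117 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "pla@example.invalid"
2022/09/03 14:37:41 [info] 11#11: *14122 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "008@example.invalid"
2022/09/03 14:50:00 [info] 11#11: *14126 client login failed: "Authentication credentials invalid" while in http auth state, client: 5.34.207.46, server: 0.0.0.0:25, login: "bib@example.invalid"
""".splitlines()

if __name__ == "__main__":
    print("ban:", simulate_jail(SAMPLE_LOG, ignoreip=("203.0.113.0/24",)))
```

With the defaults only 5.34.207.123 is banned: the office client is spared by ignoreip, and 5.34.207.46 never gets three hits inside one findtime window, which is exactly the gap a slow, patient scanner relies on.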
12-07-2022, 04:38 AM #22
TenTenths (Senior Member)
A service such as MaxMind.com is generally a much more reliable way of finding where an IP is and which service provider it belongs to. They allow a small number of free lookups.

I also have the paid service to check on more accurate location / proxy / VPN detection for a couple of forum registration projects.
 
12-16-2022, 08:59 PM #23
Linux_Kidd (Member)
That IP in Ukraine attacking you is your neighbor using Kali.
 
12-17-2022, 07:48 AM #24
teckk (LQ Guru)
https://www.abuseipdb.com/check/103.151.125.9
https://www.abuseipdb.com/check/5.34.207.123