Blocking brute forcer with multiple IPs in range

A few weeks ago, I allowed my Linux Server to be connected from the internet for development purposes. My networking knowledge is quite basic. Following some guidelines on securing Linux servers, I have installed Fail2Ban and I also disabled root logins from SSH.

Currently, I am receiving tons of emails from Fail2Ban about a few IPs within a range that keeps getting blocked. I have max retry set to 3 and a grace time of 60 seconds, block is permanent. However, they can bypass that by changing their IP by a small deviation and then they would try again and get blocked.

How is it possible for them to even change their IP addresses? Do they own a range of IP addresses or something?

I have Fail2Ban set to do a whois search on the banned IP in the email. There is a section called "inetnum" that comes up first. Here is an example output for one of the repeated IPs that keeps coming back.

inetnum: 221.192.0.0 - 221.195.255.255

What does inetnum mean? Is that the range of IP addresses that the person owns? Should I just block that instead? Or is that the IP range of the internet service provider?

Here is an image of the IP addresses:

Reply

The inetnum and range come from the following IP whois information and simply represent the IP range used for BGP by the Internet Service Provider.

The changing of IP addresses could actually be a number of different things, but it could simply be them using a pool of IPs from the ISP, a Chinese botnet, or a group of Tor exit nodes (unlikely but possible, and something you could look up).

In any case, you need to stop this. It's great that you have Fail2Ban set up, but it would be wise to move your SSH daemon to a high port (I recommend above TCP/30000).

Likewise, as @tlng05 mentioned, switch from password-only to public-key authentication if you can, as that tends to stop a lot of brute forcing. Note: when doing this, make sure password auth is really disabled and not an option after public-key authentication times out.

If your organization has no business from China, you could block that IP range for a few days, but I don't generally recommend blocking countries except in very specific cases.

Finally, it may be worth setting up a honeypot with a bad password on SSH to see what the attacker's next steps will be and also waste more of their time (increase their cost of attacking).

It's worth e-mailing the [email protected] address they provide in their IP whois results, but there is no guarantee anything will be done. Some providers are great at helping to block things like this; others will ignore your request. Nonetheless, it's wise to do so if you have time (BTW: I've seen this automated).

Can you limit access to this host from certain source IP addresses? If so, that would allow you to block 99% of the Internet, which would be a much better solution.

Likewise, connecting to a jump server via VPN first would also help. (There are many ways to solve this problem.)

If it's an option, one way or another you definitely want to block that attacker and watch for their return.

IP whois results from looking up one of the IPs you listed:

Source: whois.apnic.net
IP Address: 221.194.44.223 (China)
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '221.192.0.0 - 221.195.255.255'

inetnum:        221.192.0.0 - 221.195.255.255
netname:        UNICOM-HE
descr:          China Unicom Hebei Province Network
descr:          China Unicom
country:        CN
admin-c:        CH1302-AP
tech-c:         KL984-AP
remarks:        service provider
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CNCGROUP-HE
mnt-routes:     MAINT-CNCGROUP-RR
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-irt:        IRT-CU-CN
changed:        [email protected] 20040329
changed:        [email protected] 20060124
changed:        [email protected] 20060125
changed:        [email protected] 20080314
changed:        [email protected] 20090508
source:         APNIC

irt:            IRT-CU-CN
address:        No.21,Jin-Rong Street
address:        Beijing,100140
address:        P.R.China
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        CH1302-AP
tech-c:         CH1302-AP
auth:           # Filtered
mnt-by:         MAINT-CNCGROUP
changed:        [email protected] 20101110
changed:        [email protected] 20101116
source:         APNIC

person:         ChinaUnicom Hostmaster
nic-hdl:        CH1302-AP
e-mail:         [email protected]
address:        No.21,Jin-Rong Street
address:        Beijing,100033
address:        P.R.China
phone:          +86-10-66259764
fax-no:         +86-10-66259764
country:        CN
changed:        [email protected] 20090408
mnt-by:         MAINT-CNCGROUP
source:         APNIC

person:         Kong Lingfei
nic-hdl:        KL984-AP
e-mail:         [email protected]
address:        45, Guang An Street, Shi Jiazhuang City, HeBei Province,050011,CN
phone:          +86-311-86681601
fax-no:         +86-311-86689210
country:        cn
changed:        [email protected] 20090206
mnt-by:         MAINT-CNCGROUP-HE
source:         APNIC

% Information related to '221.192.0.0/14AS4837'

route:          221.192.0.0/14
descr:          CNC Group CHINA169 Hebei Province Network
country:        CN
origin:         AS4837
mnt-by:         MAINT-CNCGROUP-RR
changed:        [email protected] 20060118
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
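As an added example (not part of the question or the reply above), a small Python script that does the two checks the reply implies before you decide on blocking the whole range: it converts the whois inetnum line into CIDR notation (APNIC allocations need not align to one prefix, so the general case may yield several) and counts how many Fail2Ban "Ban" notices fall inside that allocation. The whois lines are copied from the reply; the Fail2Ban log lines and their addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Whois lines quoted from the reply above (inetnum and the matching route object).
WHOIS_TEXT = """\
inetnum:        221.192.0.0 - 221.195.255.255
netname:        UNICOM-HE
route:          221.192.0.0/14
origin:         AS4837
"""

# Constructed Fail2Ban ban notices (addresses are illustrative, not real bans).
BAN_LOG = """\
2016-07-29 10:01:12 fail2ban.actions [1234]: NOTICE [sshd] Ban 221.194.44.223
2016-07-29 10:03:40 fail2ban.actions [1234]: NOTICE [sshd] Ban 221.194.44.231
2016-07-29 10:09:05 fail2ban.actions [1234]: NOTICE [sshd] Ban 221.195.12.7
2016-07-29 11:15:33 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.17
"""

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", re.M)
BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")


def inetnum_to_cidrs(whois_text):
    """Return the minimal list of CIDR prefixes covering the 'inetnum: start - end'
    line of a whois reply (one prefix when the range is aligned, several otherwise)."""
    m = INETNUM_RE.search(whois_text)
    if not m:
        raise ValueError("no inetnum line found")
    start, end = (ipaddress.ip_address(s) for s in m.groups())
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def bans_per_allocation(ban_log, cidrs):
    """Count Fail2Ban 'Ban <ip>' notices inside versus outside the allocation.
    Many bans inside one allocation means per-IP bans are not containing the
    attacker and a temporary block of the whole range is worth considering."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    counts = Counter()
    for ip_str in BAN_RE.findall(ban_log):
        ip = ipaddress.ip_address(ip_str)
        counts["inside" if any(ip in n for n in nets) else "outside"] += 1
    return dict(counts)


if __name__ == "__main__":
    cidrs = inetnum_to_cidrs(WHOIS_TEXT)
    print("allocation as CIDR:", cidrs)                  # ['221.192.0.0/14']
    print("bans:", bans_per_allocation(BAN_LOG, cidrs))  # {'inside': 3, 'outside': 1}
```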

Category: brute force Time: 2016-07-30 Views: 0
