Category Archives: Microsoft

[Fail2Ban] ssh: banned 191.234.33.0

Hi,

The IP 191.234.33.0 has just been banned by Fail2Ban after
6 attempts against ssh.

Here is more information about 191.234.33.0:

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% Brazilian resource: whois.registro.br

% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% full by the terms of use at http://registro.br/termo/en.html ,
% being prohibited its distribution, comercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2014-04-30 04:40:01 (BRT -03:00)

inetnum: 191.232/14
aut-num: AS8075
abuse-c: BEORN2
owner: Microsoft Informatica Ltda
ownerid: 060.316.817/0001-03
responsible: Benjamin Orndorff
country: BR
owner-c: BEORN2
tech-c: BEORN2
inetrev: 191.234.32/19
nserver: ns1.msft.net
nsstat: 20140427 AA
nslastaa: 20140427
nserver: ns2.msft.net
nsstat: 20140427 AA
nslastaa: 20140427
nserver: ns3.msft.net
nsstat: 20140427 AA
nslastaa: 20140427
nserver: ns4.msft.net
nsstat: 20140427 AA
nslastaa: 20140427
nserver: ns5.msft.net
nsstat: 20140427 AA
nslastaa: 20140427
created: 20130911
changed: 20130911

nic-hdl-br: BEORN2
person: Benjamin Orndorff
e-mail: domains@microsoft.com
created: 20110810
changed: 20131212

% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/, respectivelly to cert@cert.br
% and mail-abuse@cert.br
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), registrant (tax ID), ticket,
% provider, contact handle (ID), CIDR block, IP and ASN.

Lines containing IP:191.234.33.0 in /var/log/auth.log

Apr 30 03:39:25 vps3 sshd[32270]: Did not receive identification string from 191.234.33.0
Apr 30 03:39:31 vps3 sshd[32272]: Invalid user admin from 191.234.33.0
Apr 30 03:39:31 vps3 sshd[32272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=191.234.33.0
Apr 30 03:39:33 vps3 sshd[32272]: Failed password for invalid user admin from 191.234.33.0 port 1041 ssh2
Apr 30 03:39:33 vps3 sshd[32272]: Received disconnect from 191.234.33.0: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Apr 30 03:39:44 vps3 sshd[32274]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=191.234.33.0 user=root
Apr 30 03:39:45 vps3 sshd[32274]: Failed password for root from 191.234.33.0 port 1040 ssh2
Apr 30 03:39:45 vps3 sshd[32274]: Received disconnect from 191.234.33.0: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Apr 30 03:39:49 vps3 sshd[32276]: Invalid user guest from 191.234.33.0
Apr 30 03:39:49 vps3 sshd[32276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=191.234.33.0
Apr 30 03:39:51 vps3 sshd[32276]: Failed password for invalid user guest from 191.234.33.0 port 1042 ssh2
Apr 30 03:39:51 vps3 sshd[32276]: Received disconnect from 191.234.33.0: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Apr 30 03:39:58 vps3 sshd[32278]: Invalid user ubnt from 191.234.33.0
Apr 30 03:39:58 vps3 sshd[32278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=191.234.33.0
Apr 30 03:40:00 vps3 sshd[32278]: Failed password for invalid user ubnt from 191.234.33.0 port 1043 ssh2
Apr 30 03:40:00 vps3 sshd[32278]: Received disconnect from 191.234.33.0: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]

[Fail2Ban] ssh: banned 168.63.211.215

Hi,

The IP 168.63.211.215 has just been banned by Fail2Ban after
6 attempts against ssh.

Here is more information about 168.63.211.215:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=168.63.211.215?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 168.61.0.0 - 168.63.255.255
CIDR: 168.62.0.0/15, 168.61.0.0/16
OriginAS:
NetName: MICROSOFT
NetHandle: NET-168-61-0-0-1
Parent: NET-168-0-0-0-0
NetType: Direct Assignment
RegDate: 2011-06-22
Updated: 2013-08-20
Ref: http://whois.arin.net/rest/net/NET-168-61-0-0-1

OrgName: Microsoft Corp
OrgId: MSFT-Z
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 2011-06-22
Updated: 2013-10-03
Comment: To report suspected security issues specific to
Comment: traffic emanating from Microsoft online services,
Comment: including the distribution of malicious content
Comment: or other illicit or illegal material through a
Comment: Microsoft online service, please submit reports
Comment: to:
Comment: * https://cert.microsoft.com.
Comment:
Comment: For SPAM and other abuse issues, such as Microsoft
Comment: Accounts, please contact:
Comment: * abuse@microsoft.com.
Comment:
Comment: To report security vulnerabilities in Microsoft
Comment: products and services, please contact:
Comment: * secure@microsoft.com.
Comment:
Comment: For legal and law enforcement-related requests,
Comment: please contact:
Comment: * msndcc@microsoft.com
Comment:
Comment: For routing, peering or DNS issues, please
Comment: contact:
Comment: * IOC@microsoft.com
Ref: http://whois.arin.net/rest/org/MSFT-Z

OrgTechHandle: MRPD-ARIN
OrgTechName: Microsoft Routing, Peering, and DNS
OrgTechPhone: +1-425-882-8080
OrgTechEmail: IOC@microsoft.com
OrgTechRef: http://whois.arin.net/rest/poc/MRPD-ARIN

OrgAbuseHandle: MAC74-ARIN
OrgAbuseName: Microsoft Abuse Contact
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com
OrgAbuseRef: http://whois.arin.net/rest/poc/MAC74-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Lines containing IP:168.63.211.215 in /var/log/auth.log

Apr 22 17:33:59 vps3 sshd[26047]: Did not receive identification string from 168.63.211.215
Apr 22 17:34:20 vps3 sshd[26048]: Invalid user admin from 168.63.211.215
Apr 22 17:34:20 vps3 sshd[26048]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=168.63.211.215
Apr 22 17:34:22 vps3 sshd[26048]: Failed password for invalid user admin from 168.63.211.215 port 1050 ssh2
Apr 22 17:34:42 vps3 sshd[26051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=168.63.211.215 user=root
Apr 22 17:34:45 vps3 sshd[26051]: Failed password for root from 168.63.211.215 port 1049 ssh2
Apr 22 17:35:19 vps3 sshd[26053]: Invalid user guest from 168.63.211.215
Apr 22 17:35:19 vps3 sshd[26053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=168.63.211.215
Apr 22 17:35:20 vps3 sshd[26053]: Failed password for invalid user guest from 168.63.211.215 port 1050 ssh2
Apr 22 17:36:10 vps3 sshd[26056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=168.63.211.215 user=uucp
Apr 22 17:36:12 vps3 sshd[26056]: Failed password for uucp from 168.63.211.215 port 1040 ssh2

Regards,

Fail2Ban