From: <li...@la...> - 2016-07-22 07:07:34
On Fri, 22 Jul 2016 08:51:03 +0200 Willem Jan Withagen <wj...@di...> wrote:
> On 22-7-2016 08:32, li...@la... wrote:
> > I decided to dig into this block given the odd name of the domain.
> > Now if I am reading this correctly, the getaddrinfo is part of
> > sshd, not sshguard. The IP 188.166.242.102 comes back to Digital
> > Ocean, a VPS company. Where did poke.diarbag.us come from?
> >
> > Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
> > Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
> > Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
> > Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
> > Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
>
> How about:
> # host 188.166.242.102
> 102.242.166.188.in-addr.arpa domain name pointer poke.diarbag.us.
>
> --WjW

I see, but http://www.ip2location.com/188.166.242.102 leads to Digital Ocean. So on Cloudflare, where diarbag.us has its DNS, they set up poke.diarbag.us to go to Digital Ocean? Does ip2location have some secret sauce? Does it pierce the reverse proxy of Cloudflare? Doing a whois, the owner's name is Diar Bagus, so the domain name is, well, clever. I don't think anyone knocks on port 22 using their real name, so maybe the server is hacked.
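The log lines quoted above and the reverse-lookup question the thread turns on, as an added example that is not part of the original thread: a small Python script that groups the sshd/sshguard events per source IP and models the forward-confirmed reverse DNS check behind sshd's "reverse mapping checking getaddrinfo ... failed" message. The resolver answers (PTR, FORWARD) are constructed to mirror the situation described, not live DNS lookups.

```python
import re
from collections import defaultdict

# The sshd/sshguard lines quoted in the thread, one event per line.
LOG = """\
Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
"""

# Messages worth correlating per source address (sshd's own, plus sshguard's reaction).
PATTERNS = {
    "no_ident": re.compile(r"Did not receive identification string from (?P<ip>\S+)"),
    "rdns_fail": re.compile(r"reverse mapping checking getaddrinfo for (?P<host>\S+) \[(?P<ip>[^\]]+)\] failed"),
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    "blacklisted": re.compile(r"sshguard\[\d+\]: blacklist: added (?P<ip>\S+)"),
}

def parse_sshd_log(text):
    """Return {source_ip: [(event_kind, captured_fields), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[m.group("ip")].append((kind, m.groupdict()))
    return dict(events)

def fcrdns_check(ip, ptr, forward):
    """Forward-confirmed reverse DNS, the check sshd runs when UseDNS is on:
    resolve ip -> PTR name, resolve that name forward, require ip in the answers.
    ptr: {ip: name}; forward: {name: {ips}}; a name absent from forward models a
    getaddrinfo() failure, which is the case the quoted 'reverse mapping ... failed'
    line reports (a forward answer that simply lacks ip gives sshd's other warning)."""
    name = ptr.get(ip)
    if name is None:
        return "no_ptr"                 # bare IP, nothing to cross-check
    if name not in forward:
        return "forward_lookup_failed"  # what the quoted log shows
    return "ok" if ip in forward[name] else "no_match"

# Constructed resolver answers modelled on the thread: the PTR is published by
# whoever runs the IP's reverse zone (the hosting provider), while diarbag.us's
# forward zone is hosted elsewhere and, here, has no record for poke.diarbag.us.
PTR = {"188.166.242.102": "poke.diarbag.us"}
FORWARD = {"www.example.invalid": {"203.0.113.10"}}
```

The point the model makes explicit: the PTR and the forward record are controlled by different parties, so a PTR naming a domain says nothing about where that domain's own DNS is hosted.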