From: Willem J. W. <wj...@di...> - 2016-07-22 07:39:19

On 22-7-2016 09:07, li...@la... wrote:
> On Fri, 22 Jul 2016 08:51:03 +0200
> Willem Jan Withagen <wj...@di...> wrote:
>
>> On 22-7-2016 08:32, li...@la... wrote:
>>> I decided to dig into this block given the odd name of the domain.
>>> Now if I am reading this correctly, the getaddrinfo is part of
>>> sshd, not sshguard. The IP 188.166.242.102 comes back to Digital
>>> Ocean, a VPS company. Where did poke.diarbag.us come from?
>>>
>>> Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
>>> Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
>>> Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
>>> Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
>>> Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
>>> Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
>>
>> How about:
>> # host 188.166.242.102
>> 102.242.166.188.in-addr.arpa domain name pointer poke.diarbag.us.
>>
>> --WjW
>>
>
> I see, but
> http://www.ip2location.com/188.166.242.102
> leads to Digital Ocean.
>
> So on cloudflare, where diarbag.us has its DNS, they set up
> poke.diarbag.us to go to Digital Ocean? Does ip2location have some
> secret sauce? Does it pierce the reverse proxy of Cloudflare?
>
> Doing a whois, the owner's name is Diar Bagus, so the domain name is,
> well, clever. I don't think anyone knocks on port 22 using their
> real name, so maybe the server is hacked.

Different questions, different tools, different answers :)

host gives you DNS.
whois gives you the owner of the IP number.

Which can be different, as you found out.

--WjW

# whois 188.166.242.102
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      188.0.0.0 - 188.255.255.255
organisation: Administered by RIPE NCC
status:       LEGACY

whois:        whois.ripe.net

changed:      1993-05
source:       IANA

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '188.166.0.0 - 188.166.255.255'

% Abuse contact for '188.166.0.0 - 188.166.255.255' is 'ab...@di...'

inetnum:        188.166.0.0 - 188.166.255.255
netname:        EU-DIGITALOCEAN-20090605
country:        NL
org:            ORG-DOI2-RIPE
admin-c:        PT7353-RIPE
tech-c:         PT7353-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      digitalocean
mnt-routes:     digitalocean
mnt-domains:    digitalocean
created:        2014-11-17T16:36:42Z
last-modified:  2016-04-14T09:45:15Z
source:         RIPE # Filtered

organisation:   ORG-DOI2-RIPE
org-name:       Digital Ocean, Inc.
org-type:       LIR
address:        101 Ave of the Americas 10th Floor
address:        New York
address:        10013
address:        UNITED STATES
phone:          +1 888 890 6714
mnt-ref:        digitalocean
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-mailbox:  ab...@di...
abuse-c:        AD10778-RIPE
created:        2012-11-29T14:59:01Z
last-modified:  2015-11-19T16:11:55Z
source:         RIPE # Filtered

person:         Network Operations
address:        101 Ave of the Americas, 10th Floor, New York, NY 10013
phone:          +13478756044
nic-hdl:        PT7353-RIPE
mnt-by:         digitalocean
created:        2015-03-11T16:37:07Z
last-modified:  2015-11-19T15:57:21Z
source:         RIPE # Filtered
org:            ORG-DOI2-RIPE

% This query was served by the RIPE Database Query Service version 1.87.4 (DB-1)
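The two lookups the reply keeps apart, as an added example that is not code from the thread or from sshguard: a forward-confirmed reverse DNS check (the test behind sshd's "reverse mapping checking getaddrinfo ... failed" line) and a parser for the RPSL objects whois returns. The DNS answers and the whois text below are constructed stand-ins; the resolver functions are injected so the script runs offline, and it assumes the PTR name has no forward record, which is what the sshd message indicates.

```python
from typing import Callable, Iterable, Optional

# Added example, not code from the thread: the two separate questions in the
# reply, "what does DNS say about this IP?" and "who holds this IP block?".

def reverse_mapping(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                    forward_lookup: Callable[[str], Iterable[str]]) -> tuple:
    """Mirror the check behind sshd's 'reverse mapping checking getaddrinfo
    for NAME [IP] failed' message: the PTR name must resolve back to the IP.
    Returns (verdict, ptr_name); verdict is no-ptr, mismatch or consistent."""
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", None          # nothing to verify
    if ip in set(forward_lookup(name)):
        return "consistent", name      # forward-confirmed reverse DNS
    return "mismatch", name            # PTR exists but is not confirmed

def parse_rpsl(text: str) -> list:
    """Split RIPE-style whois output into objects (blank-line separated),
    dropping '%' comment lines; repeated keys like 'address:' become lists."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes last object
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return objects

# Constructed offline stand-ins for the answers quoted in the thread. Assumption:
# poke.diarbag.us has no forward record, which is what the sshd message implies.
# For live lookups pass socket.gethostbyaddr / socket.getaddrinfo wrappers instead.
FAKE_PTR = {"188.166.242.102": "poke.diarbag.us"}
FAKE_FWD = {"poke.diarbag.us": []}
SAMPLE_WHOIS = """% Information related to '188.166.0.0 - 188.166.255.255'
inetnum:        188.166.0.0 - 188.166.255.255
netname:        EU-DIGITALOCEAN-20090605

organisation:   ORG-DOI2-RIPE
org-name:       Digital Ocean, Inc.
"""

if __name__ == "__main__":
    print(reverse_mapping("188.166.242.102", FAKE_PTR.get, lambda n: FAKE_FWD.get(n, [])))
    print(parse_rpsl(SAMPLE_WHOIS))
```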