From: Georg L. <jor...@ma...> - 2016-07-22 14:22:21
On 22/07/16 00:32, li...@la... wrote:
> I decided to dig into this block given the odd name of the domain. Now
> if I am reading this correctly, the getaddrinfo is part of sshd, not
> sshguard. The IP 188.166.242.102 comes back to Digital Ocean, a VPS
> company. Where did poke.diarbag.us come from?
>
> Jul 21 14:07:16 theranch sshd[73068]: Did not receive identification string from 188.166.242.102
> Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking getaddrinfo for poke.diarbag.us [188.166.242.102] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 21 14:13:07 theranch sshd[73095]: Invalid user vagrant from 188.166.242.102
> Jul 21 14:13:07 theranch sshd[73095]: input_userauth_request: invalid user vagrant [preauth]
> Jul 21 14:13:08 theranch sshd[73095]: Received disconnect from 188.166.242.102: 11: Bye Bye [preauth]
> Jul 21 14:13:08 theranch sshguard[809]: blacklist: added 188.166.242.102
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Hi:

Reverse mapping does the following:

1. Get the DNS hostname of the IP address which is connecting to you.
2. From the DNS hostname get - via DNS again - the IP address.
3. Compare if it is the same; if not: POSSIBLE BREAK-IN ATTEMPT!
You can emulate this on the command line. I'll show it with nslookup, which is available on Linux (Unix) and Windows systems:

- - -
jorge@pwx:~$ nslookup
> 188.166.242.102
Server:         192.168.173.1
Address:        192.168.173.1#53

Non-authoritative answer:
102.242.166.188.in-addr.arpa    name = poke.diarbag.us.

Authoritative answers can be found from:
242.166.188.in-addr.arpa        nameserver = ns2.digitalocean.com.
242.166.188.in-addr.arpa        nameserver = ns3.digitalocean.com.
242.166.188.in-addr.arpa        nameserver = ns1.digitalocean.com.
ns2.digitalocean.com    internet address = 173.245.59.41
ns2.digitalocean.com    has AAAA address 2400:cb00:2049:1::adf5:3b29
ns3.digitalocean.com    internet address = 198.41.222.173
ns3.digitalocean.com    has AAAA address 2400:cb00:2049:1::c629:dead
ns1.digitalocean.com    internet address = 173.245.58.51
ns1.digitalocean.com    has AAAA address 2400:cb00:2049:1::adf5:3a33
> poke.diarbag.us
Server:         192.168.173.1
Address:        192.168.173.1#53

Non-authoritative answer:
*** Can't find poke.diarbag.us: No answer
>
- - -

The result is that there isn't even a DNS entry for poke.diarbag.us. The owner of the attacker's IP address has not set up his/her DNS records correctly.

The attack could still come from a different host on the Internet, spoofing 188.166.242.102. Poor Diar Bagus most probably has nothing to do with the attack.

Complaints should go to DigitalOcean; they should know to whom they lend the attacker's IP address.

Best Regards,

Georg Lehner
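Added example, not part of Georg's mail and not sshd or sshguard code: a small Python script that models the three-step reverse-mapping check with an injectable resolver, so it runs offline against a constructed lookup table. The table's first entry mirrors the lookups quoted in the thread (PTR exists, forward name does not resolve); the hosts 203.0.113.7/good.example.net, 192.0.2.44/liar.example.org and 198.51.100.200 are assumptions added for contrast, and the verdict messages are modelled on sshd's wording as seen in the quoted log line. A second helper pulls the hostname and address out of that sshd line, the way a log scanner would.

```python
"""Offline emulation of sshd's reverse-mapping check (the three steps above).

Added example; this is not sshd or sshguard code. The lookup tables are
constructed: only the 188.166.242.102 entry reflects what the thread saw,
the other hosts are hypothetical.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed PTR (reverse) records.
FAKE_PTR: Dict[str, str] = {
    "188.166.242.102": "poke.diarbag.us",    # as quoted in the thread
    "203.0.113.7": "good.example.net",       # hypothetical, consistent
    "192.0.2.44": "liar.example.org",        # hypothetical, inconsistent
}

# Constructed A records. Deliberately no entry for poke.diarbag.us, which is
# the "No answer" that nslookup showed.
FAKE_A: Dict[str, List[str]] = {
    "good.example.net": ["203.0.113.7"],
    "liar.example.org": ["198.51.100.9"],    # forward points somewhere else
}


def fake_reverse(ip: str) -> Optional[str]:
    """Step 1 against the constructed table: IP -> hostname (or None)."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """Step 2 against the constructed table: hostname -> addresses."""
    return FAKE_A.get(name, [])


def system_reverse(ip: str) -> Optional[str]:
    """Step 1 with the real resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """Step 2 with the real resolver; getaddrinfo, like sshd uses."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_mapping_check(
    ip: str,
    reverse: Callable[[str], Optional[str]] = system_reverse,
    forward: Callable[[str], List[str]] = system_forward,
) -> Tuple[str, str]:
    """Steps 1-3. Returns (verdict, message); messages modelled on sshd's."""
    name = reverse(ip)
    if name is None:
        # No PTR at all: nothing to compare, fall back to the bare address.
        return "no-ptr", f"{ip} has no reverse DNS entry; using address only"
    addrs = forward(name)
    if not addrs:
        # The thread's case: the PTR names a host that does not resolve.
        return "failed", (f"reverse mapping checking getaddrinfo for {name} "
                          f"[{ip}] failed - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        return "mismatch", (f"Address {ip} maps to {name}, but this does not "
                            f"map back to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return "ok", f"{ip} <-> {name} is forward-confirmed"


# Pull (hostname, ip) out of the sshd line quoted in the thread.
_REVMAP_RE = re.compile(
    r"reverse mapping checking getaddrinfo for (\S+) \[([0-9a-fA-F.:]+)\] failed")


def parse_reverse_mapping_failure(line: str) -> Optional[Tuple[str, str]]:
    """Return (hostname, ip) from an sshd reverse-mapping failure line, else None."""
    m = _REVMAP_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for ip in ("188.166.242.102", "203.0.113.7", "192.0.2.44", "198.51.100.200"):
        print(ip, *reverse_mapping_check(ip, fake_reverse, fake_forward))
    # Constructed copy of the line quoted above.
    line = ("Jul 21 14:13:07 theranch sshd[73095]: reverse mapping checking "
            "getaddrinfo for poke.diarbag.us [188.166.242.102] failed - "
            "POSSIBLE BREAK-IN ATTEMPT!")
    print(parse_reverse_mapping_failure(line))
```

Calling reverse_mapping_check with the default resolver arguments runs the same three steps against the real DNS, which is the live equivalent of the nslookup session above; the fake_* tables only exist so the four outcomes (no PTR, PTR without forward record, forward record pointing elsewhere, and a consistent pair) can be exercised without network access.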