Monday, October 31, 2016

Android Studio 2.2.2: failed to find Build Tools revision 25

This is very annoying! Every time you update your Android SDK Build-tools (for example 24.0.3 to 25), you need to edit your project configuration. It never happened on Eclipse before. Please bring back support to Eclipse to develop Android application.
Software:
  • Android SDK Manager 25.2.2 (Stand Alone)
  • Android Studio 2.2.2
  • Oracle JDK 1.8.0_102
  • Windows 10 x64
This is the error message:
Error:Failed to find Build Tools revision 24.0.2
<a href="/web/joomla/install.build.tools">Install Build Tools 24.0.2 and sync project</a>
To fix it, do these:
in 1: Project change view to Android
Go to [your_project]->app and open build.grandle 
change buildToolsVersion "24.0.2" -> buildToolsVersion "25.0.0"
...
android {
    compileSdkVersion 24
    buildToolsVersion "25.0.0"
...
Save it and click Try Again or Sync your project

Friday, October 28, 2016

Debian Jessie: installing OpenJDK-8, Mysql JDBC and PostgreSQL JDBC

Install all packages:
# apt-get install openjdk-8-jdk libmysql-java libpostgresql-jdbc-java libpostgresql-jdbc-java-doc
Note: openjdk-8-jdk requires backports repository, add this into /etc/apt/sources.list
deb http://ftp.de.debian.org/debian jessie-backports main
To set Java Environment for all users, add/edit /etc/environment:
JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
CLASSPATH=".:/usr/share/java/mysql.jar:/usr/share/java/postgresql-jdbc4.jar"
Note: if you prefered to use postgresql-jdbc3, replace /usr/share/java/postgresql-jdbc4.jar with /usr/share/java/postgresql.jar
Example Java code loading MySQL:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
class TestDB {
    /*
      /usr/share/java
      http://dev.mysql.com/doc/connector-j/5.1/en/
      https://jdbc.postgresql.org/documentation/documentation.html
    */
   static Connection conn = null;   
   public static void main(String[] args) {
      // MySQL
      try {
         System.out.println("Loading Class com.mysql.jdbc.Driver");
         Class.forName("com.mysql.jdbc.Driver") ;
         System.out.println("Loading com.mysql.jdbc.Driver Successful");
         conn = DriverManager.getConnection("jdbc:mysql://localhost/database?user=user&password=password");
         // Do something with the Connection
         System.out.println("Test Connection Successful");
      } catch (SQLException ex) {
         // handle any errors
         System.out.println("SQLException: " + ex.getMessage());
         System.out.println("SQLState: " + ex.getSQLState());
         System.out.println("VendorError: " + ex.getErrorCode());
      } catch (ClassNotFoundException ex) {
         System.out.println("Class Not Found: " + ex.getMessage());
      }
      // PostgreSQL
      try {
         System.out.println("Loading Class org.postgresql.Driver");
         Class.forName("org.postgresql.Driver");
         System.out.println("Loading org.postgresql.Driver Successful");
         String url = "jdbc:postgresql://localhost/database";
         Properties props = new Properties();
         props.setProperty("user","user");
         props.setProperty("password","password");
         props.setProperty("ssl","true");
         conn = DriverManager.getConnection(url, props); 
         // or
         url = "jdbc:postgresql://localhost/database?user=user&password=password&ssl=true";
         Connection conn = DriverManager.getConnection(url);
         // Do something with the Connection
         System.out.println("Test Connection Successful");
      } catch (SQLException ex) {
         // handle any errors
         System.out.println("SQLException: " + ex.getMessage());
         System.out.println("SQLState: " + ex.getSQLState());
         System.out.println("VendorError: " + ex.getErrorCode());
      } catch (ClassNotFoundException ex) {
         System.out.println("Class Not Found: " + ex.getMessage());
      }
   }
}
References:

Thursday, October 27, 2016

Script Kiddies to use hydra

This is intended for Education purpose!

After researching how to defend our network, I want to share how to perform what they are doing. It is very easy to perform automatic password attack against various services. One of their tools is hydra. Chrome mark https://www.thc.org/ "The site ahead contains harmful programs" and Firefox mark it as "Reported Unwanted Software Page!". Who's care.... LOL
To install it
# apt-get install hydra
or
# yum install hydra
To create dictionary install British words
# apt-get install wbritish
or

# yum install words
You don't need to run this as root. 
Create a directory (whatever you want). I use directory hydra. 
$ mkdir hydra
$ cd hydra
Now create words file before running hydra.
$ cat /usr/share/dict/words > words.txt
You can perform ssh using
hydra -l root -P words.txt ssh://xxx.xxx.xxx.xxx
To get more option:
$ hydra -h
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -q        do not print messages about connection erros
  -U        service module usage details
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: sapr3 afp ncp oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HYDRA_PROXY_HTTP=http://proxy:8080
       % export HYDRA_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh
WARNING: FOR EDUCATION PURPOSE! DO IT ON YOUR LOCAL NETWORK AND WITH YOUR OWN RISK. DOING THIS IS ON PUBLIC NETWORK IS BREAKING A LAW!

Tuesday, October 25, 2016

fail2ban: autoreporting attack to www.abuseipdb.com

Create file /etc/fail2ban/action.d/abuseipdb.conf
# Fail2Ban configuration file
#
# Author: IGAM Muliarsa
#
#

# Action to report IP address to abuseipdb.com
# you must sign up in https://www.abuseipdb.com
# This action requires API_KEY
# https://www.abuseipdb.com/report/json?key=[API_KEY]&category=[CATEGORIES]&comment=[COMMENT]&ip=[IP]
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
#   * The recidive where the IP has been banned multiple times
#   * Where maxretry has been set quite high, beyond the normal user typing
#     password incorrectly.
#   * For filters that have a low likelyhood of receiving human errors
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = curl --data 'key=<apikey>' --data 'category=<category>' --data 'ip=<ip>' --data-urlencode 'comment=<matches>' --user-agent 'fail2ban v0.8.12' 'https://www.abuseipdb.com/report/json'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =

[Init]

# Option:  apikey
# Notes    your user apikey from abuseipdb.com user account
# Values:  STRING  Default: None
#
apikey = REPLACE_WITH_YOUR_API_KEY

# Option:  service
# Notes    service name you are reporting on, typically aligns with filter name
# Values:  STRING  Default: None
#
#service =
Edit /etc/fail2ban/jail.conf
...
[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[]
        mlocaldb[category=10]
        abuseipdb[category=4,18,22]
...
To find available category, follow this rule.
Restart your fail2ban.
Tested on Fail2ban 0.9.x

References:

Thursday, October 13, 2016

PHP >= 5.5: password hashing

To hash password (using default algorithm bcrypt)

$mypass = "password";
$myhash = password_hash($mypass, PASSWORD_DEFAULT);

To verify password

$brutepass = "test";
password_verify ($brutepass, $myhash); // true or false

Storing password in database

"Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)." Maybe varchar(255)

Reference:

Tuesday, October 11, 2016

PHP 5: GeoIP

Install PHP GeoIP

# apt-get install geoip-bin geoip-database geoip-database-extra php5-geoip php5-geos

Updating GeoIP database from SID (choose your mirror)

# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database-extra_20160912-1_all.deb
# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database_20160912-1_all.deb
# dpkg -i geoip-database_20160912-1_all.deb
# dpkg -i geoip-database-extra_20160912-1_all.deb  

To convert IP to integer

$ip = ip2long('119.249.54.66');

To convert integer to IP

$hostip = long2ip($ip);

To get 3 chars country code 

echo geoip_country_code3_by_name($hostip);

To get country name 

echo geoip_country_name_by_name($hostip);

To get country code and region

echo var_dump(geoip_region_by_name($hostip))."<br>";
 Error: mod_fcgid: stderr: PHP Warning:  geoip_region_by_name(): Required database not available at /usr/share/GeoIP/GeoIPRegion.dat. ??? May be required subscription premium service ??? 

Reference:

China DDOS SSH 2016-10-11 Involving 12 IPs

Log:
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11:  [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11:  [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11:  [preauth]
Here is attacker IPs:
  1. 119.249.54.66
  2. 119.249.54.68
  3. 119.249.54.75
  4. 119.249.54.88
  5. 121.18.238.104
  6. 121.18.238.109
  7. 121.18.238.114
  8. 121.18.238.98
  9. 221.194.47.208
  10. 221.194.47.224
  11. 221.194.47.229
  12. 221.194.47.249
 Others IPs before attact begin:
  1. 113.108.21.16
    Oct 11 03:05:36    mars sshd[16159]:    Did not receive identification string from    113.108.21.16   
  2. 124.232.156.78
    Oct 10 21:32:00    mars sshd[14650]:    Received disconnect from    124.232.156.78    :  11: Bye Bye [preauth]
  3. 183.129.160.229
    Oct 11 03:05:36    mars sshd[16159]:    Did not receive identification string from    113.108.21.16   
Sequence for each IP attempt:
No Time  From Method Auth No Time  From Method Auth
1 2016-10-11 4:40 121.18.238.114 :  11:  [preauth] 21 2016-10-11 5:30 119.249.54.66 :  11:  [preauth]
2 2016-10-11 4:43 119.249.54.75 :  11:  [preauth] 22 2016-10-11 5:31 121.18.238.104 :  11:  [preauth]
3 2016-10-11 4:44 221.194.47.208 :  11:  [preauth] 23 2016-10-11 5:37 221.194.47.229 :  11:  [preauth]
4 2016-10-11 4:45 221.194.47.229 :  11:  [preauth] 24 2016-10-11 5:40 121.18.238.104 :  11:  [preauth]
5 2016-10-11 4:45 221.194.47.224 :  11:  [preauth] 25 2016-10-11 5:47 119.249.54.88 :  11:  [preauth]
6 2016-10-11 4:52 221.194.47.249 :  11:  [preauth] 26 2016-10-11 5:51 121.18.238.104 :  11:  [preauth]
7 2016-10-11 4:53 121.18.238.98 :  11:  [preauth] 27 2016-10-11 5:54 119.249.54.88 :  11:  [preauth]
8 2016-10-11 4:56 119.249.54.68 :  11:  [preauth] 28 2016-10-11 5:57 121.18.238.98 :  11:  [preauth]
9 2016-10-11 4:57 221.194.47.208 :  11:  [preauth] 29 2016-10-11 6:13 221.194.47.208 [preauth]
10 2016-10-11 4:57 121.18.238.104 :  11:  [preauth] 30 2016-10-11 6:16 121.18.238.104 :  11:  [preauth]
11 2016-10-11 4:58 221.194.47.229 :  11:  [preauth] 31 2016-10-11 6:34 121.18.238.114 :  11:  [preauth]
12 2016-10-11 5:02 221.194.47.249 :  11:  [preauth] 32 2016-10-11 6:40 119.249.54.68 :  11:  [preauth]
13 2016-10-11 5:08 221.194.47.249 :  11:  [preauth] 33 2016-10-11 6:41 119.249.54.75 :  11:  [preauth]
14 2016-10-11 5:09 119.249.54.68 :  11:  [preauth] 34 2016-10-11 6:41 221.194.47.249 :  11:  [preauth]
15 2016-10-11 5:16 121.18.238.109 :  11:  [preauth] 35 2016-10-11 6:50 121.18.238.98 :  11:  [preauth]
16 2016-10-11 5:18 119.249.54.75 :  11:  [preauth] 36 2016-10-11 7:55 119.249.54.88 :  11:  [preauth]
17 2016-10-11 5:18 121.18.238.114 :  11:  [preauth] 37 2016-10-11 8:01 221.194.47.208 :  11:  [preauth]
18 2016-10-11 5:25 221.194.47.224 :  11:  [preauth] 38 2016-10-11 8:03 121.18.238.104 :  11:  [preauth]
19 2016-10-11 5:26 119.249.54.66 :  11:  [preauth] 39 2016-10-11 8:04 119.249.54.75 :  11:  [preauth]
20 2016-10-11 5:29 221.194.47.229 :  11:  [preauth]        
 It is better to block those IP in block /24:
For iptables:
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 221.194.47.0/24 -j DROP
If you don't have business with them  just block all incoming connection from them:
# iptables -A INPUT -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -s 121.18.238.0/24 -j DROP
# iptables -A INPUT s 221.194.47.0/24 -j DROP
If you install ipset follow this to setup ipset, and download ipset to block ssh black list from here