My Notes: China DDOS SSH 2016-10-11 Involving 12 IPs

Log:
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]

Oct
 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client 
aes128-cbc,blowfish-cbc,3des-cbc server 
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]

Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11: [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11: [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11: [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11: [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11: [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11: [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11: [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11: [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11: [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11: [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11: [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11: [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11: [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11: [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]

Oct
 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client 
aes128-cbc,blowfish-cbc,3des-cbc server 
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]

119.249.54.66
119.249.54.68
119.249.54.75
119.249.54.88
121.18.238.104
121.18.238.109
121.18.238.114
121.18.238.98
221.194.47.208
221.194.47.224
221.194.47.229
221.194.47.249

Others IPs before attact begin:

113.108.21.16
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
124.232.156.78
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78 : 11: Bye Bye [preauth]
183.129.160.229
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16

Sequence for each IP attempt:

No	Time	From	Method Auth	No	Time	From	Method Auth
1	2016-10-11 4:40	121.18.238.114	: 11: [preauth]	21	2016-10-11 5:30	119.249.54.66	: 11: [preauth]
2	2016-10-11 4:43	119.249.54.75	: 11: [preauth]	22	2016-10-11 5:31	121.18.238.104	: 11: [preauth]
3	2016-10-11 4:44	221.194.47.208	: 11: [preauth]	23	2016-10-11 5:37	221.194.47.229	: 11: [preauth]
4	2016-10-11 4:45	221.194.47.229	: 11: [preauth]	24	2016-10-11 5:40	121.18.238.104	: 11: [preauth]
5	2016-10-11 4:45	221.194.47.224	: 11: [preauth]	25	2016-10-11 5:47	119.249.54.88	: 11: [preauth]
6	2016-10-11 4:52	221.194.47.249	: 11: [preauth]	26	2016-10-11 5:51	121.18.238.104	: 11: [preauth]
7	2016-10-11 4:53	121.18.238.98	: 11: [preauth]	27	2016-10-11 5:54	119.249.54.88	: 11: [preauth]
8	2016-10-11 4:56	119.249.54.68	: 11: [preauth]	28	2016-10-11 5:57	121.18.238.98	: 11: [preauth]
9	2016-10-11 4:57	221.194.47.208	: 11: [preauth]	29	2016-10-11 6:13	221.194.47.208	[preauth]
10	2016-10-11 4:57	121.18.238.104	: 11: [preauth]	30	2016-10-11 6:16	121.18.238.104	: 11: [preauth]
11	2016-10-11 4:58	221.194.47.229	: 11: [preauth]	31	2016-10-11 6:34	121.18.238.114	: 11: [preauth]
12	2016-10-11 5:02	221.194.47.249	: 11: [preauth]	32	2016-10-11 6:40	119.249.54.68	: 11: [preauth]
13	2016-10-11 5:08	221.194.47.249	: 11: [preauth]	33	2016-10-11 6:41	119.249.54.75	: 11: [preauth]
14	2016-10-11 5:09	119.249.54.68	: 11: [preauth]	34	2016-10-11 6:41	221.194.47.249	: 11: [preauth]
15	2016-10-11 5:16	121.18.238.109	: 11: [preauth]	35	2016-10-11 6:50	121.18.238.98	: 11: [preauth]
16	2016-10-11 5:18	119.249.54.75	: 11: [preauth]	36	2016-10-11 7:55	119.249.54.88	: 11: [preauth]
17	2016-10-11 5:18	121.18.238.114	: 11: [preauth]	37	2016-10-11 8:01	221.194.47.208	: 11: [preauth]
18	2016-10-11 5:25	221.194.47.224	: 11: [preauth]	38	2016-10-11 8:03	121.18.238.104	: 11: [preauth]
19	2016-10-11 5:26	119.249.54.66	: 11: [preauth]	39	2016-10-11 8:04	119.249.54.75	: 11: [preauth]
20	2016-10-11 5:29	221.194.47.229	: 11: [preauth]

It is better to block those IP in block /24:
For iptables:
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 221.194.47.0/24 -j DROP
If you don't have business with them just block all incoming connection from them:
# iptables -A INPUT -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -s 121.18.238.0/24 -j DROP
# iptables -A INPUT s 221.194.47.0/24 -j DROP
If you install ipset follow this to setup ipset, and download ipset to block ssh black list from here

My Notes

Tuesday, October 11, 2016

China DDOS SSH 2016-10-11 Involving 12 IPs

No comments:

Post a Comment