I run a private server that I use for all sorts of tasks (webserver, sftp, ssh, vpn, personal cloud etc.), on which I keep a close eye when it comes to
traffic. Normally that is a couple of Chinese and/or someone from Malaysia. However, recently there has been a shift towards U.S. based IPs. Most of
them are from random places and networks, but today I came across one that tickled my radar.
This one came straight from Microsoft, trying to gain access to the ssh server. It could mean that some non-MS person gained access to a terminal, but
why my little old ssh server? And if it is a person working for MS, it's even more suspicious. I didn't think that breaking into personal computers
and servers was brought to me by Microsoft. Anyway, here is the full trace:
The IP 137.135.12.202 has just been banned by Fail2Ban after
3 attempts against ssh.
Here are more information about 137.135.12.202:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at:
www.arin.net...
#
#
# The following results may also be obtained via:
#
whois.arin.net...;q=137.135.12.202?showDetails=true&showARIN=false&ext=netref2
#
NetRange: 137.135.0.0 - 137.135.255.255
CIDR: 137.135.0.0/16
OriginAS:
NetName: NTMTV
NetHandle: NET-137-135-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
RegDate: 2011-06-22
Updated: 2012-10-16
Ref:
whois.arin.net...
OrgName: Microsoft Corp
OrgId: MSFT-Z
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 2011-06-22
Updated: 2013-04-12
Ref:
whois.arin.net...
OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail:
[email protected]
OrgNOCRef:
whois.arin.net...
OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail:
[email protected]
OrgAbuseRef:
whois.arin.net...
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail:
[email protected]
OrgAbuseRef:
whois.arin.net...
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail:
[email protected]
OrgTechRef:
whois.arin.net...
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail:
[email protected]
OrgAbuseRef:
whois.arin.net...
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at:
www.arin.net...
#
Regards,
Fail2Ban
Is there anyone here that runs a server, aside from the obvious, like ATS? And if so, do you check your logs frequently? What are your findings?
Also, I would encourage anyone who's running a server, to check their logs or have them checked by something like fail2ban.
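A minimal fail2ban-style log check of the kind the post recommends, written as an added example (it is neither the poster's code nor fail2ban's own): it scans sshd "Failed password" lines and flags any IP that reaches maxretry failures inside the findtime window, the same rule that produced the "3 attempts against ssh" ban above. The log lines, hostname, ports and the assumed year are constructed for the example; only the banned IP is taken from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog-format sshd failure line, e.g.
# "Apr 12 10:15:01 host sshd[1234]: Failed password for invalid user admin from 1.2.3.4 port 5555 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2013):
    # Syslog timestamps carry no year; the year is an assumption for this example.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ban_candidates(lines, maxretry=3, findtime=600):
    """Return {ip: attempts} for every IP with >= maxretry failures inside a
    sliding findtime-second window (fail2ban's maxretry/findtime semantics)."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # not an sshd failure line; ignore it
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget attempts older than the window
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = len(q)
    return banned

# Constructed sample log: three quick failures from the IP in the post,
# two failures plus a late third from a second IP, and one unrelated line.
SAMPLE_LOG = [
    "Apr 12 10:15:01 myserver sshd[2201]: Failed password for invalid user admin from 137.135.12.202 port 41022 ssh2",
    "Apr 12 10:15:04 myserver sshd[2201]: Failed password for root from 137.135.12.202 port 41022 ssh2",
    "Apr 12 10:16:00 myserver sshd[2205]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2",
    "Apr 12 10:15:09 myserver sshd[2203]: Failed password for root from 137.135.12.202 port 41030 ssh2",
    "Apr 12 10:20:00 myserver sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 33001 ssh2",
    "Apr 12 10:20:05 myserver sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 33001 ssh2",
    "Apr 12 10:40:00 myserver sshd[2230]: Failed password for invalid user test from 203.0.113.7 port 33120 ssh2",
]

if __name__ == "__main__":
    for ip, n in ban_candidates(SAMPLE_LOG).items():
        print(f"ban {ip}: {n} failed ssh logins within the window")
```

The second IP never reaches the threshold because its third failure falls outside the 600-second window, which is exactly why findtime matters as much as maxretry when tuning a jail.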