
Can someone provide me with a range of Chinese IPs so I can ban them?

A1Owner

-=Host Commander=-
NLC
Hello,
This is getting annoying. On another server of mine I have been getting login attempts from China/Korea, so if someone knows a complete list of potential Chinese/Korean IPs that should be banned, please list them. Sorry, I have nothing against China or anyone from there, but it is those few people that ruin the image of the whole country.

Current login attempts, as noticed, are:

Code:
>  --------------------- pam_unix Begin ------------------------ 
> 
> crond:
>    Unknown Entries:
>       session closed for user root: 311 Time(s)
>       session opened for user root by (uid=0): 311 Time(s)
> 
> sshd:
>    Authentication Failures:
>       unknown (218.188.23.45): 4935 Time(s)
>       unknown (211.230.148.87): 1674 Time(s)
>       root (218.188.23.45): 95 Time(s)
>       root (211.230.148.87): 34 Time(s)
>       gopher (218.188.23.45): 13 Time(s)
>       unknown (210.91.16.5): 12 Time(s)
>       apache (211.230.148.87): 10 Time(s)
>       adm (211.230.148.87): 9 Time(s)
>       ftp (211.230.148.87): 9 Time(s)
>       john (211.230.148.87): 9 Time(s)
>       squid (218.188.23.45): 8 Time(s)
>       mail (211.230.148.87): 7 Time(s)
>       root (210.91.16.5): 7 Time(s)
>       vcsa (218.188.23.45): 7 Time(s)
>       pcap (218.188.23.45): 6 Time(s)
>       shutdown (218.188.23.45): 6 Time(s)
>       nscd (218.188.23.45): 5 Time(s)
>       ntp (218.188.23.45): 5 Time(s)
>       webalizer (218.188.23.45): 5 Time(s)
>       adm (218.188.23.45): 4 Time(s)
>       apache (218.188.23.45): 4 Time(s)
>       daemon (218.188.23.45): 4 Time(s)
>       dave (211.230.148.87): 4 Time(s)
>       dovecot (218.188.23.45): 4 Time(s)
>       ftp (218.188.23.45): 4 Time(s)
>       games (218.188.23.45): 4 Time(s)
>       halt (218.188.23.45): 4 Time(s)
>       lp (218.188.23.45): 4 Time(s)
>       mail (218.188.23.45): 4 Time(s)
>       mailnull (218.188.23.45): 4 Time(s)
>       named (218.188.23.45): 4 Time(s)
>       news (218.188.23.45): 4 Time(s)
>       nobody (218.188.23.45): 4 Time(s)
>       operator (218.188.23.45): 4 Time(s)
>       rpc (218.188.23.45): 4 Time(s)
>       rpm (218.188.23.45): 4 Time(s)
>       smmsp (218.188.23.45): 4 Time(s)
>       sync (218.188.23.45): 4 Time(s)
>       uucp (218.188.23.45): 4 Time(s)
>       sshd (218.188.23.45): 3 Time(s)
>       bin (218.188.23.45): 2 Time(s)
>       john (210.91.16.5): 1 Time(s)
>    Invalid Users:
>       Unknown Account: 6621 Time(s)
> 
> 
>  ---------------------- pam_unix End ------------------------- 
> 
> 
>  --------------------- sendmail Begin ------------------------ 
> 
> 
> 
> Bytes Transferred: 5930
> Messages Sent:     2
> Total recipients:  2
>  ---------------------- sendmail End ------------------------- 
> 
> 
>  --------------------- SSHD Begin ------------------------ 
> 
> 
> SSHD Killed: 1 Time(s)
> 
> SSHD Started: 1 Time(s)
> 
> Failed to bind:
>    0.0.0.0 port 22 (Address already in use) : 1 Time(s)
> 
> Failed logins from these:
>    adm/password from ::ffff:211.230.148.87: 9 Time(s)
>    adm/password from ::ffff:218.188.23.45: 4 Time(s)
>    apache/password from ::ffff:211.230.148.87: 10 Time(s)
>    apache/password from ::ffff:218.188.23.45: 4 Time(s)
>    bin/password from ::ffff:218.188.23.45: 2 Time(s)
>    daemon/password from ::ffff:218.188.23.45: 4 Time(s)
>    dave/password from ::ffff:211.230.148.87: 4 Time(s)
>    dovecot/password from ::ffff:218.188.23.45: 4 Time(s)
>    ftp/password from ::ffff:211.230.148.87: 9 Time(s)
>    ftp/password from ::ffff:218.188.23.45: 4 Time(s)
>    games/password from ::ffff:218.188.23.45: 4 Time(s)
>    gopher/password from ::ffff:218.188.23.45: 13 Time(s)
>    halt/password from ::ffff:218.188.23.45: 4 Time(s)
>    john/password from ::ffff:210.91.16.5: 1 Time(s)
>    john/password from ::ffff:211.230.148.87: 9 Time(s)
>    lp/password from ::ffff:218.188.23.45: 4 Time(s)
>    mail/password from ::ffff:211.230.148.87: 7 Time(s)
>    mail/password from ::ffff:218.188.23.45: 4 Time(s)
>    mailnull/password from ::ffff:218.188.23.45: 4 Time(s)
>    named/password from ::ffff:218.188.23.45: 4 Time(s)
>    news/password from ::ffff:218.188.23.45: 4 Time(s)
>    nobody/password from ::ffff:218.188.23.45: 4 Time(s)
>    nscd/password from ::ffff:218.188.23.45: 5 Time(s)
>    ntp/password from ::ffff:218.188.23.45: 5 Time(s)
>    operator/password from ::ffff:218.188.23.45: 4 Time(s)
>    pcap/password from ::ffff:218.188.23.45: 6 Time(s)
>    root/password from ::ffff:210.91.16.5: 7 Time(s)
>    root/password from ::ffff:211.230.148.87: 34 Time(s)
>    root/password from ::ffff:218.188.23.45: 95 Time(s)
>    rpc/password from ::ffff:218.188.23.45: 4 Time(s)
>    rpm/password from ::ffff:218.188.23.45: 4 Time(s)
>    shutdown/password from ::ffff:218.188.23.45: 6 Time(s)
>    smmsp/password from ::ffff:218.188.23.45: 4 Time(s)
>    squid/password from ::ffff:218.188.23.45: 8 Time(s)
>    sshd/password from ::ffff:218.188.23.45: 3 Time(s)
>    sync/password from ::ffff:218.188.23.45: 4 Time(s)
>    uucp/password from ::ffff:218.188.23.45: 4 Time(s)
>    vcsa/password from ::ffff:218.188.23.45: 7 Time(s)
>    webalizer/password from ::ffff:218.188.23.45: 5 Time(s)
>

The list continues and would take up 2-3 pages if I were to post it here.
So does anyone have a full IP list that should always remain banned?

There you go, added a few IPs to the banned list:
Code:
[root@localhost apf]# iptables -I INPUT -p tcp -s 218.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 218.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 211.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 211.0.0.0 -j DROP
[root@localhost apf]#


Edit: Here are more IPs that are banned now; all originate from either Korea, Malaysia, China, Japan. Man, don't these guys have anything better to do?

Code:
[root@localhost apf]# iptables -I INPUT -p tcp -s 220.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 220.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 221.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 221.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 61.152.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 61.152.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p udp -s 60.0.0.0 -j DROP
[root@localhost apf]# iptables -I INPUT -p tcp -s 60.0.0.0 -j DROP
Thanks
 
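An added example, not part of the original post or thread: the portion of the report shown names three source addresses, so they can be banned individually rather than by range. The script below (function names are hypothetical; the sample is a constructed subset of the report's "Failed logins from these:" lines) totals failures per source and prints single-host rules. Note that the `iptables -s 218.0.0.0` form used above, with no mask, matches only that one address.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Commands are printed, never executed.

# Constructed sample: a subset of the "Failed logins from these:" lines
# from the logwatch report quoted in the first post.
sample_report() {
  cat <<'EOF'
Failed logins from these:
   adm/password from ::ffff:211.230.148.87: 9 Time(s)
   adm/password from ::ffff:218.188.23.45: 4 Time(s)
   gopher/password from ::ffff:218.188.23.45: 13 Time(s)
   john/password from ::ffff:210.91.16.5: 1 Time(s)
   john/password from ::ffff:211.230.148.87: 9 Time(s)
   root/password from ::ffff:210.91.16.5: 7 Time(s)
   root/password from ::ffff:211.230.148.87: 34 Time(s)
   root/password from ::ffff:218.188.23.45: 95 Time(s)
EOF
}

# Read a logwatch report on stdin and sum failed logins per source address.
# Only "user/password from <addr>: N Time(s)" lines are counted.
# Output: "<total> <ip>", highest total first.
failures_by_source() {
  awk '
    / from / && /Time\(s\)/ {
      for (i = 1; i < NF - 1; i++)
        if ($i == "from") { src = $(i + 1); n = $(i + 2) }
      sub(/^::ffff:/, "", src)   # drop the IPv4-mapped IPv6 prefix
      sub(/:$/, "", src)         # drop the colon before the count
      total[src] += n
    }
    END { for (src in total) print total[src], src }
  ' | sort -k1,1nr -k2,2
}

# Print one single-host DROP rule per source at or above the threshold.
# The /32 is written out: iptables reads a bare address such as 218.0.0.0
# as that one host, not as the surrounding range.
ban_commands() {
  threshold=${1:-10}
  failures_by_source | while read -r total ip; do
    [ "$total" -ge "$threshold" ] || continue
    printf 'iptables -I INPUT -s %s/32 -j DROP  # %s failed logins\n' "$ip" "$total"
  done
}

sample_report | ban_commands 10
```

Feed the real report to `ban_commands` on stdin and review the printed rules before running any of them.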
These are usually exploiting servers and mostly owned by the Chinese govt themselves. We have a couple of them and tried complaining, it's pointless.

Like you, we normally use APF to ban them.
 
Install bfd - that will take care of the problem. Switch the ssh port and use portsentry if you want max security.
 
Did anybody know that there is a way in cPanel to take over SSH.... Don't really feel like telling anybody here because all servers running cPanel are open. Notified cpanel.net.
 
2xhosting.net said:
Did anybody know that there is a way in cPanel to take over SSH.... Don't really feel like telling anybody here because all servers running cPanel are open. Notified cpanel.net.
So, you're the only one who noticed? Server config done badly? And what is take over? Jailshell?
 
Yes, I knew, it's been open knowledge on underground forums for years; however, this is a much older version of cPanel (cPanel 6 and below).
 
Nope, still works...... It uses cPanel. Change root password and login.. Simple. Hope no one finds out before cPanel releases update :crying5:
 
No, cannot disable SSH because I am hosting game servers on the said server; web hosting is done on a separate server which doesn't seem to be having many issues.
 
2xhosting.net said:
Nope, still works...... It uses cPanel. Change root password and login.. Simple. Hope no one finds out before cPanel releases update :crying5:
Tell me you're joking.
Please.
*updates cpanel*
 
I had one... Did you harden your servers? How did they enter? Also, it is not good to block all country IPs via software firewall, is it? Better to use HW to block.. big range of IPs.. lol Maybe I am wrong :)
 
I wouldn't block ranges of IPs unless I really had to. Your log shows only a few IPs of breach attempts.

Did you try the following style on your APF?

"/etc/apf/apf -d 218.188.23.45 breach attempts: please go away"

Is BFD installed?
 
I don't think he's using BFD... If you block IPs they'll just use different ones until they get in... Without prejudice to geography. Get the BFD in there, APF first! They work great together... If you really want to blast them away, I love using DOS Deflate as a third supplement. You can set the timespan to ban the IPs.
 
a1whs.com said:
Lol good idea how about apf -d 0.0.0.0.0 Hacker

You can also try limiting SSH so it's only accessible from your IP, in your /etc/ssh/sshd_config "ListenAddress", which is probably commented.
 