Fail2Ban on Solaris OpenIndiana - what is wrong here?

tuklu_san
Posts: 7
Registered: 21 Jul 2016, 18:09

Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by tuklu_san » 26 Sep 2016, 17:22

Hi,

I run a Solaris 11 OpenIndiana server (ID 4393) and have managed to configure fail2ban to send emails out to fail2ban@dyn.blocklist.de with what seem to me to be the necessary authlog lines included. However, I do not see them having any effect on the server stats in my account at blocklist.de.

I am dumping an example of a recent email sent out below, with my email ID replaced by ### for obvious reasons. Any help or pointers to what is broken here will be appreciated. Is it that the fail2ban email servers are rejecting the emails based on riseup's headers flagging spam IP addresses (which is the whole point)? Do I need to get my email white-listed somehow at blocklist.de? If so, how? Or something else entirely? Thanks in advance.

--- Example of email sent out to fail2ban@dyn.blocklist.de ----

Code:

Return-Path: <###@riseup.net>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vireo.riseup.net
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Report: 
    * 1.9 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
    * blocklist
    * [URIs: n--5h59ckxma.com]
    * 0.6 URIBL_SBL Contains an URL's NS IP listed in the SBL blocklist
    * [URIs: n--e.com]
    * 0.0 MAILPHISH3 BODY: mention of a password
    * 0.1 RISEUP_SPEAR_P BODY: Email Contains password
    * 0.1 PHISH_ACC3 BODY: Account details - officious
    * 0.1 RISEUP_SPEAR_F BODY: Email Contains failure
    * 0.1 NO_REAL_NAME From: does not include a real name
    * 0.1 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist
    * [URIs: n--e.com]
    * 0.9 SPF_FAIL SPF: sender does not match SPF record (fail)
    * [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=###%40riseup.net;ip=103.47.205.226;r=vireo.riseup.net]
    * 0.0 INTL_PHONE BODY: Looks like international phone contact, poss RU
    * 0.0 ODD_PUNCTUATION2 BODY: general bad punctuation as in 419s
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    * 0.0 CK_419SIZE typical 419 size - avoid matches in long text
    * 0.1 TO_NOREAL no real name(s), maybe not list
    * -0.1 AM_TRUNCATED Compensate on large message for misfiring rules
    * 5.0 RISEUP_SPF_TRUE Claims to be from riseup, but is not
    * 0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF
    * failed
    * 0.0 FILL_THIS_FORM Fill in a form with personal information
X-Spam-Pyzor: Reported 0 times.
X-Spam-Status: Yes, score=9.1 required=9.0 tests=AM_TRUNCATED,CK_419SIZE,
    DKIM_SIGNED,DKIM_VALID,FILL_THIS_FORM,INTL_PHONE,MAILPHISH3,NO_REAL_NAME,
    ODD_PUNCTUATION2,PHISH_ACC3,RISEUP_SPEAR_F,RISEUP_SPEAR_P,RISEUP_SPF_TRUE,
    SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL,TO_NOREAL,URIBL_ABUSE_SURBL,URIBL_SBL,
    URIBL_SBL_A shortcircuit=no autolearn=disabled version=3.4.0
Delivered-To: ###@riseup.net
Received: from mx1.riseup.net (unknown [10.0.1.33])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client CN "*.riseup.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
    by vireo.riseup.net (Postfix) with ESMTPS id A985695
    for <###@riseup.net>; Mon, 26 Sep 2016 05:53:50 +0000 (UTC)
Received: from a2i482.smtp2go.com (a2i482.smtp2go.com [103.47.205.226])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (Client did not present a certificate)
    by mx1.riseup.net (Postfix) with ESMTPS id CBF2B1A1C0A
    for <###@riseup.net>; Mon, 26 Sep 2016 05:53:49 +0000 (UTC)
Authentication-Results: mx1.riseup.net; dkim=pass
    reason="2048-bit key; unprotected key"
    header.d=smtpcorp.com header.i=@smtpcorp.com header.b=h+7AgV6O;
    dkim-adsp=none (unprotected policy); dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Subject:To:Message-Id:
    From:Date:List-Unsubscribe:Reply-To;
    bh=wJ8Iko9AaxNKTarcMwa3fgqOmZbkDTJYXibQS9noea8=; b=h+7AgV6OQssNYU8/5B8ufO6evr
    uZKGKF+wn6/E3uzwCMUNreYwQU12oZKJjTkfotiJ7CBZd3a1eeIOBBNJsYd/7qUls0VvOA2y0ixo/
    P3wrmT5COx6RYzok1W8VJfR0S70Ixu+LPEXi9TQVnJ2sD6RcRo6SmODaeQ7svEddapYQiMvBCp9TS
    gsGqFAqAwNuFsTH57HhzSaQ1m0dpzNgmCV6FDMjqwJ0YyqaLxDThIDIBXppAN6nh68KwP6NDEmF1q
    Gv5QfFsPL8kdvpYNZ8QZZKCUiYa42fkkq2K7V4GYsEwClgrDBrmYFMaIG4JJsxqSBB8R2chzHo0Na
    +npQmmFA==;
X-Virus-Scanned: amavisd-new at 
Date: Mon, 26 Sep 2016 05:53:26 GMT
From: ###@riseup.net
Message-Id: <201609260553.u8Q5rQuE008191@anubis-solaris.sanyalnet.lan>
To: fail2ban@dyn.blocklist.de, ###@riseup.net
Subject: ***SPAM*** [Fail2Ban] SSHD: 162.220.166.163 banned on anubis-solaris.sanyalnet.lan
X-Smtpcorp-Track: 1PoOr7095jzfCL.6effOjVf3
Feedback-ID: 155438m:155438amvttof:155438suOKpm36vk:SMTPCORP
X-Report-Abuse: Please forward a copy of this message, including all
    headers, to <abuse@smtp2go.com>
X-Spam-Prev-Subject: [Fail2Ban] SSHD: 162.220.166.163 banned on anubis-solaris.sanyalnet.lan
Message Body
Hi,

The IP 162.220.166.163 has just been banned by Fail2Ban after 4 attempts against SSHD.

Lines containing IP:162.220.166.163 in /var/adm/auth.log

Sep 26 05:53:05 anubis-solaris.sanyalnet.lan sshd[8178]: [ID 800047 auth.info] Did not receive identification string from 162.220.166.163
Sep 26 05:53:10 anubis-solaris.sanyalnet.lan sshd[8179]: [ID 800047 auth.info] User adm from 162.220.166.163 not allowed because not listed in AllowUsers
Sep 26 05:53:10 anubis-solaris.sanyalnet.lan sshd[8179]: [ID 800047 auth.info] Failed password for invalid user adm from 162.220.166.163 port 61276 ssh2
Sep 26 05:53:10 anubis-solaris.sanyalnet.lan sshd[8179]: [ID 800047 auth.info] Received disconnect from 162.220.166.163 port 61276:11: Bye Bye [preauth]
Sep 26 05:53:10 anubis-solaris.sanyalnet.lan sshd[8179]: [ID 800047 auth.info] Disconnected from 162.220.166.163 port 61276 [preauth]
Sep 26 05:53:23 anubis-solaris.sanyalnet.lan sshd[8181]: [ID 800047 auth.info] User adm from 162.220.166.163 not allowed because not listed in AllowUsers
Sep 26 05:53:23 anubis-solaris.sanyalnet.lan sshd[8181]: [ID 800047 auth.info] Failed password for invalid user adm from 162.220.166.163 port 62028 ssh2
Sep 26 05:53:23 anubis-solaris.sanyalnet.lan sshd[8181]: [ID 800047 auth.info] Received disconnect from 162.220.166.163 port 62028:11: Bye Bye [preauth]
Sep 26 05:53:23 anubis-solaris.sanyalnet.lan sshd[8181]: [ID 800047 auth.info] Disconnected from 162.220.166.163 port 62028 [preauth]

Here is more information about 162.220.166.163 :


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Aborting search 50 records found .....
N--1.COM
N--12CS6ABLACD5EDDTADBAW3FXG0B0ABQ2HZI.COM
N--5H59CKXMA.COM
N--8.COM
N--A--O.COM
N--A.COM
N--API700-104-PP6PP38BJP3OM3H.COM
N--ATIVE.COM
N--B.COM
N--C.COM
N--COM.COM
N--D.COM
N--E--D.COM
N--E.COM
N--F.COM
N--FIQY33B0HAN91G.COM
N--G.COM
N--GZGZ-5QAC.NET
N--H.COM
N--I.COM
N--I.NET
N--J.COM
N--K.COM
N--L.COM
N--LIGHTS.COM
N--LINK.NET
N--LOG.NET
N--LY.COM
N--M--N.COM
N--M.COM
N--N.COM
N--N.NET
N--NN.COM
N--O--T--E.COM
N--O.COM
N--P.COM
N--P.NET
N--POWER.COM
N--Q.COM
N--R--T.COM
N--R.COM
N--S.COM
N--S.NET
N--SKRA-VARJE-UNGE-0KB.COM
N--STAR.COM
N--T.COM
N--TREE.NET
N--U.COM
N--V.COM
N--VISION.COM

To single out one record, look it up with "xxx", where xxx is one of the
records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

Last update of whois database: Mon, 26 Sep 2016 05:53:13 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 162.220.166.163"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=162.220.166.163?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       162.220.160.0 - 162.220.167.255
CIDR:           162.220.160.0/21
NetName:        INTERSERVER
NetHandle:      NET-162-220-160-0-1
Parent:         NET162 (NET-162-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS19318
Organization:   Interserver, Inc (INTER-83)
RegDate:        2013-08-28
Updated:        2013-08-28
Ref:            https://whois.arin.net/rest/net/NET-162-220-160-0-1


OrgName:        Interserver, Inc
OrgId:          INTER-83
Address:        110 Meadowlands Pkwy
Address:        1st Floor
City:           Secaucus
StateProv:      NJ
PostalCode:     07094
Country:        US
RegDate:        2003-03-17
Updated:        2009-12-01
Comment:        Please Use abuse@interserver.net for all abuse complaints
Ref:            https://whois.arin.net/rest/org/INTER-83

ReferralServer:  rwhois://rwhois.trouble-free.net:4321

OrgTechHandle: NOC1390-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-201-605-1440
OrgTechEmail:  network@interserver.net
OrgTechRef:    https://whois.arin.net/rest/poc/NOC1390-ARIN

OrgNOCHandle: NOC1390-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-201-605-1440
OrgNOCEmail:  network@interserver.net
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC1390-ARIN

OrgAbuseHandle: NOC1390-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-201-605-1440
OrgAbuseEmail:  network@interserver.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/NOC1390-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#whoisprogram
--
Public IP Blocklist: http://sanyalnet-cloud-vps.freeddns.org/blocklist.txt

Martin
Posts: 400
Registered: 14 Sep 2010, 11:54

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by Martin » 28 Sep 2016, 11:46

Hi tuklu_san,

sorry for the delay.
I will check the log and answer/write you again later.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

tuklu_san
Posts: 7
Registered: 21 Jul 2016, 18:09

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by tuklu_san » 29 Sep 2016, 19:31

Thanks Martin. Here is another one sent out just now, if it helps.

Code:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vireo.riseup.net
X-Spam-Level: ********
X-Spam-Pyzor: Reported 0 times.
X-Spam-Status: No, score=8.7 required=9.0 tests=AM_TRUNCATED,DKIM_SIGNED,
    DKIM_VALID,FILL_THIS_FORM,INTL_PHONE,LINK_NR_TOP,MAILPHISH3,NO_REAL_NAME,
    ODD_PUNCTUATION2,PHISH_ACC3,PHISH_THREAT2,RISEUP_SPEAR_F,RISEUP_SPEAR_P,
    RISEUP_SPF_TRUE,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL,TO_NOREAL,URIBL_GOLD,URIBL_SBL,
    URIBL_SBL_A shortcircuit=no autolearn=disabled version=3.4.0
Delivered-To: #####@riseup.net
Received: from mx1.riseup.net (unknown [10.0.1.33])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client CN "*.riseup.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
    by vireo.riseup.net (Postfix) with ESMTPS id 7B0EAAA
    for <#####@riseup.net>; Thu, 29 Sep 2016 18:18:00 +0000 (UTC)
Received: from a2i482.smtp2go.com (a2i482.smtp2go.com [103.47.205.226])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (Client did not present a certificate)
    by mx1.riseup.net (Postfix) with ESMTPS id D039E1A1B2C
    for <#####@riseup.net>; Thu, 29 Sep 2016 18:17:59 +0000 (UTC)
Authentication-Results: mx1.riseup.net; dkim=pass
    reason="2048-bit key; unprotected key"
    header.d=smtpcorp.com header.i=@smtpcorp.com header.b=wsNyOB84;
    dkim-adsp=none (unprotected policy); dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Subject:To:Message-Id:
    From:Date:List-Unsubscribe:Reply-To;
    bh=plpBHns7zaziJMf816LsXwdVGCPU71yzCqa0gfQUnyI=; b=wsNyOB845vwtVCA0CyYcjpUKGF
    bMptager+P9hrCecMZLRe5r63rprXLAMm3q+68d0A5Udj+JRfH5g8gRtdzXsYjnVs0rSZB/EhQdrk
    YLaTiHLDEUtd1I2ckNFoN/cCR1OpzPY3s8HMUSV98DDtFMrnDu/z/eCIVaHvXvAf9em/I06KCTlgk
    I8bsHTar4vFAPmENymjabQm400X5bfEpSwkI9o4+lPw12lPrfGgd3F6YJsOawJ4ig+4D+7q47eA+f
    umiiEWSuJvdbU1rNoUoOrMCInYljAv4nbKnqKtNU/PG/mm1aCoUL5eUXD76dCxHvyOtyfA0csAeBS
    ZjIUbTHA==;
X-Virus-Scanned: amavisd-new at 
Date: Thu, 29 Sep 2016 18:17:38 GMT
From: #####@riseup.net
Message-Id: <201609291817.u8TIHcIt016691@anubis-solaris.sanyalnet.lan>
To: fail2ban@dyn.blocklist.de, #####@riseup.net
Subject: [Fail2Ban] SSHD: 109.168.100.166 banned on anubis-solaris.sanyalnet.lan
X-Smtpcorp-Track: 1PpfI1NRKK8yGx.7RreLPFTi
Feedback-ID: 155438m:155438amvttof:155438sUeMRmBy05:SMTPCORP
X-Report-Abuse: Please forward a copy of this message, including all
    headers, to <abuse@smtp2go.com>
Message Body
Hi,

The IP 109.168.100.166 has just been banned by Fail2Ban after 5 attempts against SSHD.

Lines containing IP:109.168.100.166 in /var/adm/auth.log

Sep 29 18:17:28 anubis-solaris.sanyalnet.lan sshd[16668]: [ID 800047 auth.info] Did not receive identification string from 109.168.100.166
Sep 29 18:17:30 anubis-solaris.sanyalnet.lan sshd[16669]: [ID 800047 auth.info] Invalid user user from 109.168.100.166
Sep 29 18:17:30 anubis-solaris.sanyalnet.lan sshd[16669]: [ID 800047 auth.info] Failed password for invalid user user from 109.168.100.166 port 42503 ssh2
Sep 29 18:17:30 anubis-solaris.sanyalnet.lan sshd[16669]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user user from 109.168.100.166 port 42503 ssh2 [preauth]
Sep 29 18:17:30 anubis-solaris.sanyalnet.lan sshd[16669]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user user from 109.168.100.166
Sep 29 18:17:30 anubis-solaris.sanyalnet.lan sshd[16669]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user user from 109.168.100.166 port 42503 ssh2
Sep 29 18:17:31 anubis-solaris.sanyalnet.lan sshd[16669]: [ID 800047 auth.info] Connection closed by 109.168.100.166 port 42503 [preauth]
Sep 29 18:17:32 anubis-solaris.sanyalnet.lan sshd[16672]: [ID 800047 auth.info] Invalid user support from 109.168.100.166
Sep 29 18:17:32 anubis-solaris.sanyalnet.lan sshd[16672]: [ID 800047 auth.info] Failed password for invalid user support from 109.168.100.166 port 42589 ssh2
Sep 29 18:17:32 anubis-solaris.sanyalnet.lan sshd[16672]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user support from 109.168.100.166 port 42589 ssh2 [preauth]
Sep 29 18:17:33 anubis-solaris.sanyalnet.lan sshd[16672]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user support from 109.168.100.166
Sep 29 18:17:33 anubis-solaris.sanyalnet.lan sshd[16672]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user support from 109.168.100.166 port 42589 ssh2
Sep 29 18:17:33 anubis-solaris.sanyalnet.lan sshd[16672]: [ID 800047 auth.info] Connection closed by 109.168.100.166 port 42589 [preauth]
Sep 29 18:17:34 anubis-solaris.sanyalnet.lan sshd[16675]: [ID 800047 auth.info] Invalid user administrator from 109.168.100.166
Sep 29 18:17:34 anubis-solaris.sanyalnet.lan sshd[16675]: [ID 800047 auth.info] Failed password for invalid user administrator from 109.168.100.166 port 42685 ssh2
Sep 29 18:17:34 anubis-solaris.sanyalnet.lan sshd[16675]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user administrator from 109.168.100.166 port 42685 ssh2 [preauth]
Sep 29 18:17:34 anubis-solaris.sanyalnet.lan sshd[16675]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user administrator from 109.168.100.166
Sep 29 18:17:34 anubis-solaris.sanyalnet.lan sshd[16675]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user administrator from 109.168.100.166 port 42685 ssh2
Sep 29 18:17:34 anubis-solaris.sanyalnet.lan sshd[16675]: [ID 800047 auth.info] Connection closed by 109.168.100.166 port 42685 [preauth]
Sep 29 18:17:35 anubis-solaris.sanyalnet.lan sshd[16678]: [ID 800047 auth.info] Invalid user fax from 109.168.100.166
Sep 29 18:17:36 anubis-solaris.sanyalnet.lan sshd[16678]: [ID 800047 auth.info] Failed password for invalid user fax from 109.168.100.166 port 42745 ssh2
Sep 29 18:17:36 anubis-solaris.sanyalnet.lan sshd[16678]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user fax from 109.168.100.166 port 42745 ssh2 [preauth]
Sep 29 18:17:36 anubis-solaris.sanyalnet.lan sshd[16678]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user fax from 109.168.100.166
Sep 29 18:17:36 anubis-solaris.sanyalnet.lan sshd[16678]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user fax from 109.168.100.166 port 42745 ssh2
Sep 29 18:17:37 anubis-solaris.sanyalnet.lan sshd[16678]: [ID 800047 auth.info] Connection closed by 109.168.100.166 port 42745 [preauth]

Here is more information about 109.168.100.166 :


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Aborting search 50 records found .....
N--1.COM
N--12CS6ABLACD5EDDTADBAW3FXG0B0ABQ2HZI.COM
N--5H59CKXMA.COM
N--8.COM
N--A--O.COM
N--A.COM
N--API700-104-PP6PP38BJP3OM3H.COM
N--ATIVE.COM
N--B.COM
N--C.COM
N--COM.COM
N--D.COM
N--E--D.COM
N--E.COM
N--F.COM
N--FIQY33B0HAN91G.COM
N--G.COM
N--GZGZ-5QAC.NET
N--H.COM
N--I.COM
N--I.NET
N--J.COM
N--K.COM
N--L.COM
N--LIGHTS.COM
N--LINK.NET
N--LOG.NET
N--LY.COM
N--M--N.COM
N--M.COM
N--N.COM
N--N.NET
N--NN.COM
N--O--T--E.COM
N--O.COM
N--P.COM
N--P.NET
N--POWER.COM
N--Q.COM
N--R--T.COM
N--R.COM
N--S.COM
N--S.NET
N--SKRA-VARJE-UNGE-0KB.COM
N--STAR.COM
N--T.COM
N--TREE.NET
N--U.COM
N--V.COM
N--VISION.COM

To single out one record, look it up with "xxx", where xxx is one of the
records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

Last update of whois database: Thu, 29 Sep 2016 18:17:20 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 109.168.100.166"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=109.168.100.166?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       109.0.0.0 - 109.255.255.255
CIDR:           109.0.0.0/8
NetName:        109-RIPE
NetHandle:      NET-109-0-0-0-1
Parent:          ()
NetType:        Allocated to RIPE NCC
OriginAS:
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2009-01-30
Updated:        2009-05-18
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
Ref:            https://whois.arin.net/rest/net/NET-109-0-0-0-1

ResourceLink:  https://apps.db.ripe.net/search/query.html
ResourceLink:  whois.ripe.net

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            https://whois.arin.net/rest/org/RIPE

ReferralServer:  whois://whois.ripe.net
ResourceLink:  https://apps.db.ripe.net/search/query.html

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    https://whois.arin.net/rest/poc/RNO29-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '109.168.100.160 - 109.168.100.175'

% Abuse contact for '109.168.100.160 - 109.168.100.175' is 'abuse@kpnqwest.it'

inetnum:        109.168.100.160 - 109.168.100.175
netname:        K-SEC8-SECUREONLINEDESKTOPSRL
descr:          SECURE ONLINE DESKTOP SRL
descr:          REGGIO EMILIA RE
country:        IT
admin-c:        MF641-RIPE
tech-c:         PL1350-RIPE
tech-c:         MV957-RIPE
remarks:        ---------------------------------
remarks:        Abuse and SPAM: abuse@kpnqwest.it
remarks:        ---------------------------------
status:         ASSIGNED PA
mnt-by:         AS5602-MNT
created:        2012-09-10T10:28:15Z
last-modified:  2016-02-16T15:38:09Z
source:         RIPE # Filtered

person:         Marco Fiorentino
address:        KPNQwest Italia S.p.a.
address:        Via Leopardi, 9
address:        I-20123 Milano - Italy
phone:          +39 02 438191
fax-no:         +39 02 48013716
nic-hdl:        MF641-RIPE
mnt-by:         AS5602-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2003-08-01T08:13:27Z
source:         RIPE # Filtered

person:         Network Team
address:        KPNQwest Italia S.p.a.
address:        via Leopardi, 9
address:        I-20123 Milano - MI
address:        Italy
phone:          +39 02 438191
fax-no:         +39 02 48013716
nic-hdl:        MV957-RIPE
mnt-by:         AS5602-MNT
created:        2002-09-04T11:49:49Z
last-modified:  2015-03-26T09:28:32Z
source:         RIPE # Filtered

person:         Paolo Livio
address:        KPNQwest Italia SpA
address:        via Leopardi, 9
address:        I-20123 Milano - MI
address:        Italy
phone:          +39 02 438191
fax-no:         +39 02 48013716
nic-hdl:        PL1350-RIPE
mnt-by:         AS5602-MNT
created:        2003-02-26T11:56:34Z
last-modified:  2013-03-01T13:07:32Z
source:         RIPE # Filtered

% Information related to '109.168.0.0/17AS5602'

route:          109.168.0.0/17
descr:          KPNQwest Italia S.p.a. netblock
origin:         AS5602
mnt-by:         AS5602-MNT
created:        2009-11-02T17:25:01Z
last-modified:  2009-11-02T17:25:01Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS)whoisprogram
--
Public IP Blocklist: http://sanyalnet-cloud-vps.freeddns.org/blocklist.txt

Martin
Posts: 400
Registered: 14 Sep 2010, 11:54

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by Martin » 29 Sep 2016, 21:27

Hi tuklu_san,

sorry for the delay.
I have found the problem and deployed a patch for it.
Can you please send/post me the subject of a new report again, one that was sent after 29.09.2016 22:30 +0200?
Then I can check whether it works correctly.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

tuklu_san
Posts: 7
Registered: 21 Jul 2016, 18:09

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by tuklu_san » 2 Oct 2016, 01:24

Thanks Martin. Here is an email that just went out.

Just curious: is it OpenIndiana's different layout of the fields in the logs that caused the problem?

Code:

Return-Path: <#####@riseup.net>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vireo.riseup.net
X-Spam-Level: ******
X-Spam-Pyzor: Reported 0 times.
X-Spam-Status: No, score=6.4 required=9.0 tests=AM_TRUNCATED,DKIM_SIGNED,
	DKIM_VALID,FILL_THIS_FORM,INTL_PHONE,MAILPHISH3,NO_REAL_NAME,ODD_PUNCTUATION2,
	PHISH_ACC3,PHISH_THREAT2,RISEUP_SPEAR_F,RISEUP_SPEAR_P,RISEUP_SPF_TRUE,
	SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL,TO_NOREAL shortcircuit=no autolearn=disabled
	version=3.4.0
Delivered-To: #####@riseup.net
Received: from mx1.riseup.net (unknown [10.0.1.33])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "*.riseup.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
	by vireo.riseup.net (Postfix) with ESMTPS id AEFB895
	for <#####@riseup.net>; Sat,  1 Oct 2016 22:31:46 +0000 (UTC)
Received: from a2i482.smtp2go.com (a2i482.smtp2go.com [103.47.205.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mx1.riseup.net (Postfix) with ESMTPS id F3EFA1A1B31
	for <#####@riseup.net>; Sat,  1 Oct 2016 22:31:45 +0000 (UTC)
Authentication-Results: mx1.riseup.net; dkim=pass
	reason="2048-bit key; unprotected key"
	header.d=smtpcorp.com header.i=@smtpcorp.com header.b=T4ccA77B;
	dkim-adsp=none (unprotected policy); dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Subject:To:Message-Id:
	From:Date:List-Unsubscribe:Reply-To;
	bh=YmQ0DLfyRD8EFIKmz3r/Brt6xfActN5b29HwOR9Lz9E=; b=T4ccA77BAIRbun57PXUx2ZfuUE
	jyLBY6v/2604KzlYLfgSUzLjKoIaz4+YWwGH7RxKa4HirDxtaRRtfUvz1UiKUBvUApa9v0DGNIx2v
	dGLS+4r3gsPDl7mYjkoXk9cUG4F5KO0kk12fX5GouM50K+xmhm/E271nmmdVNe3G/45O4wTnQii0v
	Lyx5F0clR5wDxZUXi0CdlqAKQHXBsmHCbv2KRS4SK4VpTs9JiAx4W97obYZx11Kl01WHncArNpCRK
	K8ACNvyJKlvNM5dNZc5D0DDTHg+m5PKWxYhyeUKGyQIxTrT8FVh4YX8x2LCC1iicrC83nt56HpeEg
	Il5RYe6Q==;
X-Virus-Scanned: amavisd-new at 
Date: Sat, 1 Oct 2016 22:31:21 GMT
From: #####@riseup.net
Message-Id: <201610012231.u91MVLHT021389@anubis-solaris.sanyalnet.lan>
To: fail2ban@dyn.blocklist.de, #####@riseup.net
Subject: [Fail2Ban] SSHD: 90.54.47.141 banned on anubis-solaris.sanyalnet.lan
X-Smtpcorp-Track: 1PqSoPmk-zV25U.8H_D5he7x
Feedback-ID: 155438m:155438amvttof:155438s3Om22fvU7:SMTPCORP
X-Report-Abuse: Please forward a copy of this message, including all
 headers, to <abuse@smtp2go.com>

Hi,

The IP 90.54.47.141 has just been banned by Fail2Ban after 12 attempts against SSHD.

Lines containing IP:90.54.47.141 in /var/adm/auth.log

Oct  1 22:31:10 anubis-solaris.sanyalnet.lan sshd[21357]: [ID 800047 auth.info] Did not receive identification string from 90.54.47.141
Oct  1 22:31:11 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] User root from 90.54.47.141 not allowed because not listed in AllowUsers
Oct  1 22:31:11 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] Failed password for invalid user root from 90.54.47.141 port 38336 ssh2
Oct  1 22:31:12 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user root from 90.54.47.141 port 38336 ssh2 [preauth]
Oct  1 22:31:12 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.error] error: PAM: Authentication failed for illegal user root from 90.54.47.141
Oct  1 22:31:12 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user root from 90.54.47.141 port 38336 ssh2
Oct  1 22:31:12 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] Connection closed by 90.54.47.141 port 38336 [preauth]
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Invalid user user from 90.54.47.141
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Failed password for invalid user user from 90.54.47.141 port 38422 ssh2
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user user from 90.54.47.141 port 38422 ssh2 [preauth]
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user user from 90.54.47.141
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user user from 90.54.47.141 port 38422 ssh2
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Connection closed by 90.54.47.141 port 38422 [preauth]
Oct  1 22:31:14 anubis-solaris.sanyalnet.lan sshd[21364]: [ID 800047 auth.info] User root from 90.54.47.141 not allowed because not listed in AllowUsers
Oct  1 22:31:14 anubis-solaris.sanyalnet.lan sshd[21364]: [ID 800047 auth.info] Failed password for invalid user root from 90.54.47.141 port 38457 ssh2
Oct  1 22:31:15 anubis-solaris.sanyalnet.lan sshd[21364]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user root from 90.54.47.141 port 38457 ssh2 [preauth]
Oct  1 22:31:15 anubis-solaris.sanyalnet.lan sshd[21364]: [ID 800047 auth.error] error: PAM: Authentication failed for illegal user root from 90.54.47.141
Oct  1 22:31:15 anubis-solaris.sanyalnet.lan sshd[21364]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user root from 90.54.47.141 port 38457 ssh2
Oct  1 22:31:15 anubis-solaris.sanyalnet.lan sshd[21364]: [ID 800047 auth.info] Connection closed by 90.54.47.141 port 38457 [preauth]
Oct  1 22:31:16 anubis-solaris.sanyalnet.lan sshd[21367]: [ID 800047 auth.info] User root from 90.54.47.141 not allowed because not listed in AllowUsers
Oct  1 22:31:16 anubis-solaris.sanyalnet.lan sshd[21367]: [ID 800047 auth.info] Failed password for invalid user root from 90.54.47.141 port 38528 ssh2
Oct  1 22:31:16 anubis-solaris.sanyalnet.lan sshd[21367]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user root from 90.54.47.141 port 38528 ssh2 [preauth]
Oct  1 22:31:16 anubis-solaris.sanyalnet.lan sshd[21367]: [ID 800047 auth.error] error: PAM: Authentication failed for illegal user root from 90.54.47.141
Oct  1 22:31:16 anubis-solaris.sanyalnet.lan sshd[21367]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user root from 90.54.47.141 port 38528 ssh2
Oct  1 22:31:16 anubis-solaris.sanyalnet.lan sshd[21367]: [ID 800047 auth.info] Connection closed by 90.54.47.141 port 38528 [preauth]
Oct  1 22:31:17 anubis-solaris.sanyalnet.lan sshd[21370]: [ID 800047 auth.info] Invalid user admin from 90.54.47.141
Oct  1 22:31:17 anubis-solaris.sanyalnet.lan sshd[21370]: [ID 800047 auth.info] Failed password for invalid user admin from 90.54.47.141 port 38566 ssh2
Oct  1 22:31:17 anubis-solaris.sanyalnet.lan sshd[21370]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user admin from 90.54.47.141 port 38566 ssh2 [preauth]
Oct  1 22:31:18 anubis-solaris.sanyalnet.lan sshd[21370]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user admin from 90.54.47.141
Oct  1 22:31:18 anubis-solaris.sanyalnet.lan sshd[21370]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user admin from 90.54.47.141 port 38566 ssh2
Oct  1 22:31:18 anubis-solaris.sanyalnet.lan sshd[21370]: [ID 800047 auth.info] Connection closed by 90.54.47.141 port 38566 [preauth]
Oct  1 22:31:18 anubis-solaris.sanyalnet.lan sshd[21373]: [ID 800047 auth.info] Invalid user admin from 90.54.47.141
Oct  1 22:31:19 anubis-solaris.sanyalnet.lan sshd[21373]: [ID 800047 auth.info] Failed password for invalid user admin from 90.54.47.141 port 38604 ssh2
Oct  1 22:31:19 anubis-solaris.sanyalnet.lan sshd[21373]: [ID 800047 auth.info] Postponed keyboard-interactive for invalid user admin from 90.54.47.141 port 38604 ssh2 [preauth]
Oct  1 22:31:19 anubis-solaris.sanyalnet.lan sshd[21373]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user admin from 90.54.47.141
Oct  1 22:31:19 anubis-solaris.sanyalnet.lan sshd[21373]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user admin from 90.54.47.141 port 38604 ssh2
Oct  1 22:31:19 anubis-solaris.sanyalnet.lan sshd[21373]: [ID 800047 auth.info] Connection closed by 90.54.47.141 port 38604 [preauth]

Here is more information about 90.54.47.141 :


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Aborting search 50 records found .....
N--1.COM
N--12CS6ABLACD5EDDTADBAW3FXG0B0ABQ2HZI.COM
N--5H59CKXMA.COM
N--8.COM
N--A--O.COM
N--A.COM
N--API700-104-PP6PP38BJP3OM3H.COM
N--ATIVE.COM
N--B.COM
N--C.COM
N--COM.COM
N--D.COM
N--E--D.COM
N--E.COM
N--F.COM
N--FIQY33B0HAN91G.COM
N--G.COM
N--GZGZ-5QAC.NET
N--H.COM
N--I.COM
N--I.NET
N--J.COM
N--K.COM
N--L.COM
N--LIGHTS.COM
N--LINK.NET
N--LOG.NET
N--LY.COM
N--M--N.COM
N--M.COM
N--N.COM
N--N.NET
N--NN.COM
N--O--T--E.COM
N--O.COM
N--P.COM
N--P.NET
N--POWER.COM
N--Q.COM
N--R--T.COM
N--R.COM
N--S.COM
N--S.NET
N--SKRA-VARJE-UNGE-0KB.COM
N--STAR.COM
N--T.COM
N--TREE.NET
N--U.COM
N--V.COM
N--VISION.COM

To single out one record, look it up with "xxx", where xxx is one of the
records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

>>> Last update of whois database: Sat, 01 Oct 2016 22:31:11 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 90.54.47.141"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=90.54.47.141?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       90.0.0.0 - 90.255.255.255
CIDR:           90.0.0.0/8
NetName:        90-RIPE
NetHandle:      NET-90-0-0-0-1
Parent:          ()
NetType:        Allocated to RIPE NCC
OriginAS:
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2005-06-30
Updated:        2009-05-18
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
Ref:            https://whois.arin.net/rest/net/NET-90-0-0-0-1

ResourceLink:  https://apps.db.ripe.net/search/query.html
ResourceLink:  whois.ripe.net

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            https://whois.arin.net/rest/org/RIPE

ReferralServer:  whois://whois.ripe.net
ResourceLink:  https://apps.db.ripe.net/search/query.html

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    https://whois.arin.net/rest/poc/RNO29-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '90.54.47.0 - 90.54.47.255'

% Abuse contact for '90.54.47.0 - 90.54.47.255' is 'gestionip.ft@orange.com'

inetnum:        90.54.47.0 - 90.54.47.255
netname:        IP2000-ADSL-BAS
descr:          BSNAN653 Nantes Bloc 1
country:        FR
admin-c:        WITR1-RIPE
tech-c:         WITR1-RIPE
status:         ASSIGNED PA
remarks:        for hacking, spamming or security problems send mail to
remarks:        abuse@orange.fr
mnt-by:         FT-BRX
created:        2007-10-03T11:56:55Z
last-modified:  2012-01-20T13:40:41Z
source:         RIPE

role:           Wanadoo France Technical Role
address:        FRANCE TELECOM/SCR
address:        48 rue Camille Desmoulins
address:        92791 ISSY LES MOULINEAUX CEDEX 9
address:        FR
phone:          +33 1 58 88 50 00
abuse-mailbox:  abuse@orange.fr
admin-c:        BRX1-RIPE
tech-c:         BRX1-RIPE
nic-hdl:        WITR1-RIPE
mnt-by:         FT-BRX
created:        2001-12-04T17:57:08Z
last-modified:  2013-07-16T14:09:50Z
source:         RIPE # Filtered

% Information related to '90.54.0.0/16AS3215'

route:          90.54.0.0/16
descr:          France Telecom IP2000-ADSL-BAS
origin:         AS3215
mnt-by:         FT-BRX
created:        2012-12-11T10:10:38Z
last-modified:  2012-12-11T10:10:38Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.87.4 (BLAARKOP)whoisprogram

--
Public IP Blocklist: http://sanyalnet-cloud-vps.freeddns.org/blocklist.txt
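The auth.log lines quoted in the mail above are exactly the material a Fail2Ban sshd filter works from: it matches failure messages, extracts the source address and bans once a host exceeds maxretry. The following is an added illustration, not code from this thread and not Fail2Ban's own filter: it parses the Solaris/OpenIndiana syslog layout shown (the `[ID 800047 auth.info]` tag after `sshd[pid]:`), counts only the message shapes that mean a failed login, ignores the "Did not receive identification string" and "Connection closed" noise, and applies a threshold the way a jail would. The sample log, the threshold value, and the 192.0.2.10 / 198.51.100.7 addresses are constructed for the example; the host name and PIDs mirror the posted excerpt.

```python
import re
from collections import Counter

# Constructed sample in the Solaris/OpenIndiana syslog layout shown in the thread.
# The "Accepted publickey" line and the 192.0.2.10 / 198.51.100.7 sources are made up.
SAMPLE_AUTH_LOG = """\
Oct  1 22:31:10 anubis-solaris.sanyalnet.lan sshd[21357]: [ID 800047 auth.info] Did not receive identification string from 90.54.47.141
Oct  1 22:31:11 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] User root from 90.54.47.141 not allowed because not listed in AllowUsers
Oct  1 22:31:11 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] Failed password for invalid user root from 90.54.47.141 port 38336 ssh2
Oct  1 22:31:12 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.error] error: PAM: Authentication failed for illegal user root from 90.54.47.141
Oct  1 22:31:12 anubis-solaris.sanyalnet.lan sshd[21358]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user root from 90.54.47.141 port 38336 ssh2
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Invalid user user from 90.54.47.141
Oct  1 22:31:13 anubis-solaris.sanyalnet.lan sshd[21361]: [ID 800047 auth.info] Failed password for invalid user user from 90.54.47.141 port 38422 ssh2
Oct  1 22:40:00 anubis-solaris.sanyalnet.lan sshd[21400]: [ID 800047 auth.info] Accepted publickey for admin from 192.0.2.10 port 51000 ssh2
Oct  1 22:41:02 anubis-solaris.sanyalnet.lan sshd[21401]: [ID 800047 auth.info] Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
"""

# One syslog line: timestamp, host, "sshd[pid]:", the Solaris message-ID tag, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: \[ID \d+ auth\.\w+\] (?P<msg>.*)$"
)

IPV4 = r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"

# Message shapes from the excerpt that mean a failed login attempt.  Lines such as
# "Did not receive identification string", the duplicate "PAM: Authentication failed"
# error line and "Connection closed" are deliberately not counted, so one rejected
# password is counted once rather than three times.  These patterns are an assumption
# for the example, not a copy of Fail2Ban's sshd filter.
FAILURE_PATTERNS = [
    re.compile(r"Failed (?:password|keyboard-interactive/pam) for (?:invalid user )?\S+ from " + IPV4),
    re.compile(r"Invalid user \S+ from " + IPV4),
    re.compile(r"User \S+ from " + IPV4 + r" not allowed because not listed in AllowUsers"),
]


def parse_line(line):
    """Split one Solaris sshd syslog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failure_source(msg):
    """Return the source address if the message records a failed login, else None."""
    for pat in FAILURE_PATTERNS:
        m = pat.search(msg)
        if m:
            return m.group("src")
    return None


def count_failures(log_text):
    """Count failed-login lines per source address over a whole log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated daemon or malformed line
        src = failure_source(rec["msg"])
        if src:
            counts[src] += 1
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Sources that reached the threshold, sorted for a stable report (maxretry is an assumed jail value)."""
    return sorted(src for src, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    totals = count_failures(SAMPLE_AUTH_LOG)
    for src, n in totals.most_common():
        print(f"{src:16} {n} failed attempts")
    print("would ban:", hosts_to_ban(totals))
```

Run against the sample it reports 5 failures for 90.54.47.141 and 1 for 198.51.100.7, bans only the first at maxretry=5, and never counts the successful publickey login. Rerunning it over the real /var/adm/auth.log is a quick way to check that the lines a filter is expected to match actually produce the counts that the ban mails claim.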

tuklu_san
Posts: 7
Registered: 21 Jul 2016, 18:09

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by tuklu_san » 4 Oct 2016, 07:21

another one ...

Code:

Return-Path: <#####@riseup.net>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vireo.riseup.net
X-Spam-Level: ********
X-Spam-Pyzor: Reported 0 times.
X-Spam-Status: No, score=8.0 required=9.0 tests=AM_TRUNCATED,CK_419SIZE,
	DKIM_SIGNED,DKIM_VALID,FILL_THIS_FORM,INTL_PHONE,LINK_NR_TOP,MAILPHISH3,
	NO_REAL_NAME,ODD_PUNCTUATION2,PHISH_ACC3,PHISH_THREAT2,RISEUP_SPEAR_F,
	RISEUP_SPEAR_P,RISEUP_SPF_TRUE,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL,TO_NOREAL,
	URIBL_GOLD shortcircuit=no autolearn=disabled version=3.4.0
Delivered-To: #####@riseup.net
Received: from mx1.riseup.net (unknown [10.0.1.33])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "*.riseup.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
	by vireo.riseup.net (Postfix) with ESMTPS id 2304799
	for <#####@riseup.net>; Sun,  2 Oct 2016 11:04:11 +0000 (UTC)
Received: from a2i482.smtp2go.com (a2i482.smtp2go.com [103.47.205.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mx1.riseup.net (Postfix) with ESMTPS id 94E301A150F
	for <#####@riseup.net>; Sun,  2 Oct 2016 11:04:10 +0000 (UTC)
Authentication-Results: mx1.riseup.net; dkim=pass
	reason="2048-bit key; unprotected key"
	header.d=smtpcorp.com header.i=@smtpcorp.com header.b=MzVilFza;
	dkim-adsp=none (unprotected policy); dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=smtpcorp.com; s=a0-2; h=Feedback-ID:X-Smtpcorp-Track:Subject:To:Message-Id:
	From:Date:List-Unsubscribe:Reply-To;
	bh=UzqrBN0CrbcdxUe4jjklkb6GBsAx1ivO1iZOgZAfow4=; b=MzVilFzagpy6T7jT+jp8bqvWmp
	Czray0+ahwGyaGO/w3y/DwJcDo1inCu6uUO3R0++LHL7T/wDI98LUemhYQUKfBQHOkddVxNV7eD5o
	ytyOnIc82s2Hoh1OzKTND6TJFcEjLjXd2rxtSmJO5Pf6qAAK1V2Fl+I9k6h+d1c9InfMWA7AoRWDY
	CDHR0pQLY46s5LTgVYTHZXJaWJo06LZ/WoxAxyomNMhKzIPwIEwEs08eIH69KsOiO82p9UzEx2OCG
	YfHqbrKMxGNbmgDia2ZU62gQVDBSuNJa8wOTPgSGGliHbDSvSDTH02jXgqUOe8VQo4HuKPRzN90vg
	8u0gcEKQ==;
X-Virus-Scanned: amavisd-new at 
Date: Sun, 2 Oct 2016 11:03:57 GMT
From: #####@riseup.net
Message-Id: <201610021103.u92B3vbd022589@anubis-solaris.sanyalnet.lan>
To: fail2ban@dyn.blocklist.de, #####@riseup.net
Subject: [Fail2Ban] SSHD: 79.23.184.236 banned on anubis-solaris.sanyalnet.lan
X-Smtpcorp-Track: 1Pq-YvNRKLhalk.8KXnJcT5q
Feedback-ID: 155438m:155438amvttof:155438s9tXfTWAfS:SMTPCORP
X-Report-Abuse: Please forward a copy of this message, including all
 headers, to <abuse@smtp2go.com>

Hi,

The IP 79.23.184.236 has just been banned by Fail2Ban after 4 attempts against SSHD.

Lines containing IP:79.23.184.236 in /var/adm/auth.log

Oct  2 10:28:18 anubis-solaris.sanyalnet.lan sshd[22531]: [ID 800047 auth.info] Did not receive identification string from 79.23.184.236
Oct  2 10:54:49 anubis-solaris.sanyalnet.lan sshd[22567]: [ID 800047 auth.info] User root from 79.23.184.236 not allowed because not listed in AllowUsers
Oct  2 10:54:49 anubis-solaris.sanyalnet.lan sshd[22567]: [ID 800047 auth.info] Failed password for invalid user root from 79.23.184.236 port 50368 ssh2
Oct  2 10:54:49 anubis-solaris.sanyalnet.lan sshd[22567]: [ID 800047 auth.info] Connection closed by 79.23.184.236 port 50368 [preauth]
Oct  2 11:03:52 anubis-solaris.sanyalnet.lan sshd[22579]: [ID 800047 auth.info] Invalid user admin from 79.23.184.236
Oct  2 11:03:52 anubis-solaris.sanyalnet.lan sshd[22579]: [ID 800047 auth.info] Failed password for invalid user admin from 79.23.184.236 port 58561 ssh2
Oct  2 11:03:52 anubis-solaris.sanyalnet.lan sshd[22579]: [ID 800047 auth.info] Connection closed by 79.23.184.236 port 58561 [preauth]

Here is more information about 79.23.184.236 :


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Aborting search 50 records found .....
N--1.COM
N--12CS6ABLACD5EDDTADBAW3FXG0B0ABQ2HZI.COM
N--5H59CKXMA.COM
N--8.COM
N--A--O.COM
N--A.COM
N--API700-104-PP6PP38BJP3OM3H.COM
N--ATIVE.COM
N--B.COM
N--C.COM
N--COM.COM
N--D.COM
N--E--D.COM
N--E.COM
N--F.COM
N--FIQY33B0HAN91G.COM
N--G.COM
N--GZGZ-5QAC.NET
N--H.COM
N--I.COM
N--I.NET
N--J.COM
N--K.COM
N--L.COM
N--LIGHTS.COM
N--LINK.NET
N--LOG.NET
N--LY.COM
N--M--N.COM
N--M.COM
N--N.COM
N--N.NET
N--NN.COM
N--O--T--E.COM
N--O.COM
N--P.COM
N--P.NET
N--POWER.COM
N--Q.COM
N--R--T.COM
N--R.COM
N--S.COM
N--S.NET
N--SKRA-VARJE-UNGE-0KB.COM
N--STAR.COM
N--T.COM
N--TREE.NET
N--U.COM
N--V.COM
N--VISION.COM

To single out one record, look it up with "xxx", where xxx is one of the
records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

>>> Last update of whois database: Sun, 02 Oct 2016 11:03:49 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 79.23.184.236"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=79.23.184.236?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       79.0.0.0 - 79.255.255.255
CIDR:           79.0.0.0/8
NetName:        79-RIPE
NetHandle:      NET-79-0-0-0-1
Parent:          ()
NetType:        Allocated to RIPE NCC
OriginAS:
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2006-08-29
Updated:        2009-05-18
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
Ref:            https://whois.arin.net/rest/net/NET-79-0-0-0-1

ResourceLink:  https://apps.db.ripe.net/search/query.html
ResourceLink:  whois.ripe.net

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            https://whois.arin.net/rest/org/RIPE

ReferralServer:  whois://whois.ripe.net
ResourceLink:  https://apps.db.ripe.net/search/query.html

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    https://whois.arin.net/rest/poc/RNO29-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '79.23.128.0 - 79.23.255.255'

% Abuse contact for '79.23.128.0 - 79.23.255.255' is 'abuse@business.telecomitalia.it'

inetnum:        79.23.128.0 - 79.23.255.255
netname:        TELECOM-ADSL-POOL
descr:          NAS DHCP Pool TATANTO
country:        IT
admin-c:        BS104-RIPE
tech-c:         BS104-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         TIWS-MNT
mnt-lower:      TIWS-MNT
mnt-routes:     TIWS-MNT
created:        2009-12-30T15:01:16Z
last-modified:  2009-12-30T15:01:16Z
source:         RIPE

person:         BBBEASYIP STAFF
address:        Via Val Cannuta, 250
address:        00166 Roma
address:        Italy
phone:          +39 06 36881
nic-hdl:        BS104-RIPE
mnt-by:         TIWS-MNT
created:        2001-10-19T12:23:31Z
last-modified:  2013-03-07T13:41:31Z
source:         RIPE # Filtered

% Information related to '79.22.0.0/15AS3269'

route:          79.22.0.0/15
descr:          INTERBUSINESS
origin:         AS3269
mnt-by:         TIWS-MNT
mnt-routes:     INTERB-MNT
created:        2007-09-04T09:00:27Z
last-modified:  2007-09-04T09:00:27Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.87.4 (BLAARKOP)whoisprogram


tuklu_san
Posts: 7
Registered: 21 Jul 2016, 18:09

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by tuklu_san » 21 Oct 2016, 14:41

Resolved - switched to HTTP API as suggested, am seeing the stats going up correctly now. Thank you very much Martin.

Server 4393 (ARGOS)
Attacks: 5
Reports: 4
Last Attack: 21.10.2016

tuklu_san
Posts: 7
Registered: 21 Jul 2016, 18:09

Re: Fail2Ban on Solaris OpenIndiana - what is wrong here?

Post by tuklu_san » 21 Oct 2016, 17:12

Hi - if anyone else is interested in fail2ban to blocklist.de from a Solaris OpenIndiana platform, I wrote up what I did in a quick and dirty post: http://supratim-sanyal.blogspot.com/201 ... on-on.html

Thanks again

--
Public IP Blocklist: http://sanyalnet-cloud-vps.freeddns.org/blocklist.txt