DDoS attack?



  • Hello,

    I noticed in my fail2ban logs a short list of bans that seems strange to me, to say the least:

    2012-08-19 23:57:51,208 fail2ban.actions: WARNING [ssh] Ban 94.75.231.34
    2012-08-20 00:07:51,737 fail2ban.actions: WARNING [ssh] Unban 94.75.231.34
    2012-08-20 12:36:30,894 fail2ban.actions: WARNING [ssh] Ban 112.216.140.51
    2012-08-20 12:46:31,431 fail2ban.actions: WARNING [ssh] Unban 112.216.140.51
    2012-08-20 18:35:24,956 fail2ban.actions: WARNING [ssh] Ban 89.96.134.98
    2012-08-20 18:45:25,477 fail2ban.actions: WARNING [ssh] Unban 89.96.134.98
    2012-08-21 00:21:29,461 fail2ban.actions: WARNING [ssh] Ban 221.192.153.13
    2012-08-21 00:31:29,971 fail2ban.actions: WARNING [ssh] Unban 221.192.153.13
    2012-08-21 23:59:28,279 fail2ban.actions: WARNING [ssh] Ban 183.60.143.25
    2012-08-22 00:09:28,801 fail2ban.actions: WARNING [ssh] Unban 183.60.143.25
    2012-08-22 10:26:33,783 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 10:36:34,365 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 10:37:23,422 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 10:47:23,994 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 10:47:59,034 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 10:57:59,579 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 10:58:37,616 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 11:08:38,162 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 11:09:16,206 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 11:19:16,757 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 11:19:54,800 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 11:29:55,317 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 11:30:33,351 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 11:40:33,862 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 11:41:27,915 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 11:51:28,420 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 11:52:04,460 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 12:02:04,983 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 12:02:44,021 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 12:12:44,540 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    2012-08-22 12:13:21,577 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
    2012-08-22 12:23:22,097 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
    

    Apparently it has calmed down, but I can't manage to determine where this IP comes from.

    Here is a tracert.

    Détermination de l'itinéraire vers 92.55.94.19 avec un maximum de 30 sauts.
    
      1    <1 ms    <1 ms    <1 ms  . [192.168.1.1]
      2     8 ms     8 ms     8 ms  1.79-64-87.adsl-dyn.isp.belgacom.be [87.64.79.1]
    
      3     *        8 ms     8 ms  202.241-183-91.adsl-static.isp.belgacom.be [91.183.241.202]
      4     *        *        *     Délai d'attente de la demande dépassé.
      5     8 ms     8 ms     8 ms  212.3.238.105
      6     9 ms     9 ms    13 ms  ae-0-11.bar2.Brussels1.Level3.net [4.69.148.178]
    
      7    14 ms    15 ms    13 ms  ae-7-7.ebr1.London1.Level3.net [4.69.148.182]
      8    13 ms    12 ms    13 ms  vlan103.ebr2.London1.Level3.net [4.69.143.94]
      9    24 ms    25 ms    24 ms  ae-24-24.ebr2.Frankfurt1.Level3.net [4.69.148.198]
     10    34 ms    34 ms    34 ms  ae-1-12.bar1.Vienna1.Level3.net [4.69.153.145]
     11    34 ms    33 ms    34 ms  ae-0-11.bar2.Vienna1.Level3.net [4.69.153.150]
     12    44 ms    43 ms    44 ms  212.73.203.130
     13    53 ms    53 ms    52 ms  79.101.96.70
     14    53 ms    54 ms    53 ms  80.77.144.166.neotel.mk [80.77.144.166]
     15    53 ms    52 ms    52 ms  80.77.149.106.neotel.mk [80.77.149.106]
     16    54 ms    60 ms    59 ms  80.77.149.238.neotel.mk [80.77.149.238]
     17    51 ms    52 ms    52 ms  92.55.94.19
    
    Itinéraire déterminé.
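
The ban/unban pattern in the log above, as an added example that is not part of the original post: a parser that counts bans per address and measures how soon a source is banned again after each unban. The sample lines are taken from the post's log; the function names, the 5-minute re-ban window and the threshold of two quick re-bans are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
2012-08-21 23:59:28,279 fail2ban.actions: WARNING [ssh] Ban 183.60.143.25
2012-08-22 00:09:28,801 fail2ban.actions: WARNING [ssh] Unban 183.60.143.25
2012-08-22 10:26:33,783 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
2012-08-22 10:36:34,365 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
2012-08-22 10:37:23,422 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
2012-08-22 10:47:23,994 fail2ban.actions: WARNING [ssh] Unban 92.55.94.19
2012-08-22 10:47:59,034 fail2ban.actions: WARNING [ssh] Ban 92.55.94.19
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) fail2ban\.actions: "
                     r"WARNING \[([^\]]+)\] (Ban|Unban) (\S+)$")

def parse_events(text):
    """Yield (timestamp, jail, action, ip) for each Ban/Unban line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        yield ts, m.group(2), m.group(3), m.group(4)

def summarize(text, reban_window=timedelta(minutes=5)):
    """Per (jail, ip): ban count and the delays (s) of bans that followed an unban closely."""
    stats = defaultdict(lambda: {"bans": 0, "quick_rebans": [], "last_unban": None})
    for ts, jail, action, ip in parse_events(text):
        s = stats[(jail, ip)]
        if action == "Ban":
            s["bans"] += 1
            if s["last_unban"] is not None and ts - s["last_unban"] <= reban_window:
                s["quick_rebans"].append(round((ts - s["last_unban"]).total_seconds(), 3))
            s["last_unban"] = None
        else:
            s["last_unban"] = ts
    return stats

def persistent_sources(text, min_quick_rebans=2):
    """Addresses that resumed shortly after a ban expired at least min_quick_rebans times."""
    return sorted(ip for (_, ip), s in summarize(text).items()
                  if len(s["quick_rebans"]) >= min_quick_rebans)

if __name__ == "__main__":
    print(persistent_sources(SAMPLE_LOG))
```

A source that is banned again well under a minute after each ban expires, as 92.55.94.19 is in this log, is the case where a longer fail2ban `bantime` reduces the number of attempts that get through.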
    
    


  • % Information related to '92.55.94.0 - 92.55.95.255'
    
    inetnum:         92.55.94.0 - 92.55.95.255
    netname:         NEOTEL-NET
    descr:           NEOTEL-MKD Autonomous System
    country:         MK
    admin-c:         NCR6-RIPE
    tech-c:          VZ677-RIPE
    status:          ASSIGNED PA
    remarks:         INFRA-AW
    mnt-by:          MNT-NEOTEL
    source:          RIPE # Filtered
    
    role:            Neotel Contact Role
    address:         Neotel
    address:         Kuzman Josifovski Pitu 15
    address:         1000 Skopje
    address:         Macedonia
    phone:           +38925511111
    phone:           +38922402151
    fax-no:          +38925511102
    remarks:         trouble: +38925511111
    admin-c:         VZ677-RIPE
    tech-c:          MA11706-RIPE
    tech-c:          VS1908-RIPE
    mnt-by:          MNT-NEOTEL
    nic-hdl:         NCR6-RIPE
    abuse-mailbox:   abuse@neotel.com.mk
    source:          RIPE # Filtered
    
    person:         Vedran Zafirovski
    address:        Neotel
    address:        Kuzman Josifovski Pitu 15
    address:        1000 Skopje
    address:        Macedonia
    phone:          +38925511123
    fax-no:         +38925511102
    nic-hdl:        VZ677-RIPE
    mnt-by:         MNT-NEOTEL
    source:         RIPE # Filtered
    
    

  • Administrator

    It's port scanning. You'd do better to change the default port of your SSH.



  • OK, I'll do that.

