On 04.12.18 17:51, Michael Stauber wrote:
> Hi Meaulnes,
>> # added 83.76.86.xxx on 12/04/18 12:09:33 with comment: dFixblock2
>> #83.76.86.xxx
> It would be interesting to see why you got blocked in the first place. The
> logfile /var/log/secure or /var/log/messages has more info on that.

# less /var/log/secure | grep 83.76.86.xxx
Dec  3 13:37:41 vs sshd[2067]: Accepted password for root from 83.76.86.xxx port 64321 ssh2
Dec  3 14:29:59 vs sshd[2067]: Received disconnect from 83.76.86.xxx port 64321:11: disconnected by user
Dec  3 14:29:59 vs sshd[2067]: Disconnected from 83.76.86.xxx port 64321
Dec  3 14:30:07 vs sshd[8076]: Accepted password for root from 83.76.86.xxx port 65345 ssh2
Dec  3 16:21:02 vs sshd[20793]: Accepted password for root from 83.76.86.xxx port 50320 ssh2
Dec  3 18:53:12 vs sshd[6062]: Connection closed by 83.76.86.xxx port 52402 [preauth]
Dec  4 07:23:52 vs sshd[26926]: Accepted password for root from 83.76.86.xxx port 57483 ssh2
Dec  4 07:43:26 vs sshd[26926]: Received disconnect from 83.76.86.xxx port 57483:11: disconnected by user
Dec  4 07:43:26 vs sshd[26926]: Disconnected from 83.76.86.xxx port 57483
Dec  4 07:47:37 vs sshd[28629]: Accepted password for root from 83.76.86.xxx port 57648 ssh2
Dec  4 08:11:56 vs sshd[28629]: Received disconnect from 83.76.86.xxx port 57648:11: disconnected by user
Dec  4 08:11:56 vs sshd[28629]: Disconnected from 83.76.86.xxx port 57648
Dec  4 12:09:33 vs sshd[16055]: Failed password for root from 83.76.86.xxx port 59640 ssh2
Dec  4 12:31:20 vs sshd[22456]: Accepted password for root from 83.76.86.xxx port 59828 ssh2
Dec  4 13:00:48 vs sshd[22456]: Received disconnect from 83.76.86.xxx port 59828:11: disconnected by user
Dec  4 13:00:48 vs sshd[22456]: Disconnected from 83.76.86.xxx port 59828
Dec  4 15:56:40 vs sshd[11876]: Accepted password for root from 83.76.86.xxx port 61100 ssh2
Dec  4 17:49:28 vs sshd[21364]: Accepted password for root from 83.76.86.xxx port 49728 ssh2
Dec  4 19:52:24 vs sshd[21364]: Received disconnect from 83.76.86.xxx port 49728:11: disconnected by user
Dec  4 19:52:24 vs sshd[21364]: Disconnected from 83.76.86.xxx port 49728

I don't see anything special except maybe the [preauth] line... Here are the
adjacent lines:

Dec  3 18:49:25 vs auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=gast rhost=89.248.162.159
Dec  3 18:52:59 vs sshd[29989]: Received disconnect from 94.103.my.ip port 39294:11: disconnected by user
Dec  3 18:52:59 vs sshd[29989]: Disconnected from 94.103.my.ip port 39294
Dec  3 18:52:59 vs sshd[29989]: pam_unix(sshd:session): session closed for user root
Dec  3 18:53:12 vs sshd[6062]: Connection closed by 83.76.86.xxx port 52402 [preauth]
Dec  3 18:54:10 vs auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=operator rhost=89.248.162.159  user=operator

/var/log/messages looks pretty harmless:

# less /var/log/messages | grep 83.76.86.xxx
Dec  2 14:30:35 vs apf: apf(13325): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  2 14:31:25 vs apf: apf(15388): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  2 15:42:05 vs apf: apf(22135): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  2 15:42:24 vs apf: apf(24164): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  3 13:31:24 vs apf: apf(32208): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  3 17:58:25 vs apf: apf(32315): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  4 12:12:00 vs apf: apf(18790): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  4 15:43:57 vs apf: apf(9099): {trust IPv4} allow all to/from 83.76.86.xxx

> Other than that: Please consider uninstalling Dfix2 and switching to
> Fail2ban, whose ruleset causes fewer false positives and detects more stuff.

Will do.

Thank you Michael

_~_
'¿')
`-´      Meaulnes Legler

 Zurich, Switzerland

+41¦0 44 260 16 60


_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
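To see what the block actually fired on, here is an added example that is not part of this mail and not BlueOnyx, DFix2 or fail2ban code. It parses the sshd lines quoted above (reproduced below as constructed sample input, unwrapped, plus one of the dovecot lines), finds the sshd event carrying the exact timestamp from the DFix2 "added ... on 12/04/18 12:09:33" entry, and replays the same lines through a fail2ban-style maxretry/findtime counter. Assumptions: the log year (2018, from the mail date; syslog lines carry none), the MM/DD/YY reading of the DFix2 timestamp (it agrees with the "Dec 4" syslog line), and the two thresholds (fail2ban's defaults of 5 failures within 600 s, versus a threshold of 1 to mimic what the coinciding 12:09:33 timestamps suggest DFix2 did). It also counts the "Accepted password for root" lines, since password logins as root are a finding in their own right, whatever the blocker did.

```python
"""Correlate a DFix2 block entry with the sshd line it reacted to, then replay
the same /var/log/secure lines through a fail2ban-style per-IP failure counter.
Added example for this thread, not BlueOnyx, DFix2 or fail2ban code. Assumed:
log year 2018, DFix2 dates are MM/DD/YY, thresholds 5/600 s (fail2ban defaults)
and 1 failure (what the matching 12:09:33 timestamps suggest DFix2 used)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2018  # assumption: taken from the mail date, syslog has no year

# Constructed sample: sshd lines quoted in the mail, unwrapped, plus one dovecot
# line from near the [preauth] entry (not an sshd line, so it is skipped).
SAMPLE_SECURE_LOG = """\
Dec  3 13:37:41 vs sshd[2067]: Accepted password for root from 83.76.86.xxx port 64321 ssh2
Dec  3 14:29:59 vs sshd[2067]: Received disconnect from 83.76.86.xxx port 64321:11: disconnected by user
Dec  3 18:49:25 vs auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=gast rhost=89.248.162.159
Dec  3 18:53:12 vs sshd[6062]: Connection closed by 83.76.86.xxx port 52402 [preauth]
Dec  4 12:09:33 vs sshd[16055]: Failed password for root from 83.76.86.xxx port 59640 ssh2
Dec  4 12:31:20 vs sshd[22456]: Accepted password for root from 83.76.86.xxx port 59828 ssh2
"""
# The DFix2 block entry quoted at the top of the mail.
SAMPLE_DFIX_LINE = "# added 83.76.86.xxx on 12/04/18 12:09:33 with comment: dFixblock2"

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
PREAUTH_RE = re.compile(r"^Connection closed by (?P<ip>\S+) port \d+ \[preauth\]$")
DFIX_RE = re.compile(r"added (?P<ip>\S+) on (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)")


def syslog_time(ts, year=LOG_YEAR):
    """'Dec  4 12:09:33' -> datetime. syslog pads the day, so collapse the spaces."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_secure_log(text):
    """One dict per sshd line (ts, pid, kind, user, ip); other daemons are skipped.
    kind is 'accepted', 'failed', 'preauth_close' or 'other' (disconnect noise)."""
    events = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if not head:
            continue
        ev = {"ts": syslog_time(head["ts"]), "pid": int(head["pid"]),
              "kind": "other", "user": None, "ip": None, "method": None}
        if (m := AUTH_RE.match(head["msg"])):
            ev.update(kind=m["result"].lower(), user=m["user"], ip=m["ip"], method=m["method"])
        elif (m := PREAUTH_RE.match(head["msg"])):
            ev.update(kind="preauth_close", ip=m["ip"])
        events.append(ev)
    return events


def parse_dfix_block(line):
    """(ip, datetime) from a DFix2 'added <ip> on MM/DD/YY HH:MM:SS' entry (assumed format)."""
    m = DFIX_RE.search(line)
    return m["ip"], datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")


def events_at(events, ip, when):
    """The sshd events for `ip` stamped exactly `when`: what the blocker saw."""
    return [e for e in events if e["ip"] == ip and e["ts"] == when]


def ban_decisions(events, maxretry=5, findtime=600):
    """fail2ban-style sliding window: ban an IP once it has `maxretry` failed
    logins within `findtime` seconds. Returns [(ip, ban_time), ...]."""
    recent = defaultdict(deque)
    banned, bans = set(), []
    for ev in events:
        if ev["kind"] != "failed" or ev["ip"] in banned:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ev["ip"])
            bans.append((ev["ip"], ev["ts"]))
    return bans


def root_password_logins(events):
    """Successful password logins as root: worth flagging regardless of the blocker."""
    return sum(1 for e in events
               if e["kind"] == "accepted" and e["user"] == "root" and e["method"] == "password")


if __name__ == "__main__":
    events = parse_secure_log(SAMPLE_SECURE_LOG)
    ip, when = parse_dfix_block(SAMPLE_DFIX_LINE)
    for e in events_at(events, ip, when):
        print(f"blocked at {when}: sshd[{e['pid']}] {e['kind']} {e['user']} from {e['ip']}")
    print("maxretry=1 (DFix2-like):", ban_decisions(events, maxretry=1))
    print("fail2ban defaults (5 in 600 s):", ban_decisions(events))
    print("root password logins:", root_password_logins(events))
```

On the sample the single "Failed password for root" at 12:09:33 is the only sshd event at the block time, a threshold of one failure bans the IP right there, and fail2ban's default 5/600 s does not. To run it on a real host, feed `parse_secure_log(open("/var/log/secure").read())` with LOG_YEAR set to the year the log covers; the counter is a simplification of fail2ban (no bantime, no per-jail filter regexes).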
