I just checked my email, and see this:
Return-Path: < …>
X-Original-To: …
Delivered-To: …
Received: by atomos.longlandclan.yi.org (Postfix, from userid 0)
	id 67204200E27C; Sun, 13 Apr 2014 23:05:55 +1000 (EST)
Subject: [Fail2Ban] SSH: banned 138.91.144.167 from atomos
Date: Sun, 13 Apr 2014 13:05:55 +0000
From: Fail2Ban < …>
To: …
Message-Id: <20140413130556.67204200E27C@atomos.longlandclan.yi.org>

Hi,

The IP 138.91.144.167 has just been banned by Fail2Ban after
5 attempts against SSH.

Here is more information about 138.91.144.167:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=138.91.144.167?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       138.91.0.0 - 138.91.255.255
CIDR:           138.91.0.0/16
OriginAS:
NetName:        MICROSOFT
NetHandle:      NET-138-91-0-0-1
Parent:         NET-138-0-0-0-0
NetType:        Direct Assignment
RegDate:        2011-06-22
Updated:        2013-08-20
Ref:            http://whois.arin.net/rest/net/NET-138-91-0-0-1

OrgName:        Microsoft Corp
OrgId:          MSFT-Z
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        2011-06-22
Updated:        2013-10-03
Comment:        To report suspected security issues specific to
Comment:        traffic emanating from Microsoft online services,
Comment:        including the distribution of malicious content
Comment:        or other illicit or illegal material through a
Comment:        Microsoft online service, please submit reports
Comment:        to:
Comment:        * https://cert.microsoft.com.
Comment:
Comment:        For SPAM and other abuse issues, such as Microsoft
Comment:        Accounts, please contact:
Comment:        * abuse@microsoft.com.
Comment:
Comment:        To report security vulnerabilities in Microsoft
Comment:        products and services, please contact:
Comment:        * secure@microsoft.com.
Comment:
Comment:        For legal and law enforcement-related requests,
Comment:        please contact:
Comment:        * msndcc@microsoft.com
Comment:
Comment:        For routing, peering or DNS issues, please
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            http://whois.arin.net/rest/org/MSFT-Z

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    http://whois.arin.net/rest/poc/MRPD-ARIN

OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/MAC74-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Regards,

Fail2Ban
atomos ~ # grep 138.91.144.167 /var/log/auth.log ; zgrep 138.91.144.167 /var/log/auth.log-20140*.gz
Apr 13 23:05:40 atomos sshd[3143]: Did not receive identification string from 138.91.144.167
Apr 13 23:05:40 atomos sshd[3144]: SSH: Server;Ltype: Version;Remote: 138.91.144.167-1025;Protocol: 2.0;Client: JSCH-0.1.51
Apr 13 23:05:41 atomos sshd[3144]: SSH: Server;Ltype: Kex;Remote: 138.91.144.167-1025;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
Apr 13 23:05:41 atomos sshd[3144]: SSH: Server;Ltype: Authname;Remote: 138.91.144.167-1025;Name: support [preauth]
Apr 13 23:05:48 atomos sshd[3144]: Invalid user support from 138.91.144.167
Apr 13 23:05:48 atomos sshd[3144]: Postponed keyboard-interactive for invalid user support from 138.91.144.167 port 1025 ssh2 [preauth]
Apr 13 23:05:49 atomos sshd[3203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167
Apr 13 23:05:51 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
Apr 13 23:05:51 atomos sshd[3144]: Failed keyboard-interactive/pam for invalid user support from 138.91.144.16 port 1025 ssh2
Apr 13 23:05:51 atomos sshd[3144]: Postponed keyboard-interactive for invalid user support from 138.91.144.167 port 1025 ssh2 [preauth]
Apr 13 23:05:51 atomos sshd[3236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167
Apr 13 23:05:54 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
Apr 13 23:05:54 atomos sshd[3144]: Failed keyboard-interactive/pam for invalid user support from 138.91.144.16 port 1025 ssh2
Apr 13 23:05:54 atomos sshd[3144]: Received disconnect from 138.91.144.167: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
Seriously, some dodgy ISP in Russia or Asia having a crack, I’ll ignore it. But a big company like you? I expect better behaviour.
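To make the "5 attempts" in that mail concrete, here is an added example (my own code, not fail2ban's and not part of the original post) of the counting fail2ban does over sshd log lines: a sliding window of findtime seconds, a ban the moment a host reaches maxretry matched lines, and a handful of failure signatures. The three patterns are modelled on fail2ban's sshd filter but are an assumption, not its exact regex list; 600 seconds and 5 retries are the classic defaults. The log lines are constructed, modelled on the auth.log excerpt above, with two RFC 5737 documentation hosts added: one that stays under the threshold and one whose failures are spread too thinly to fall inside one window. Syslog lines carry no year, so 2014 is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on the sshd lines in the post (not a
# verbatim copy). 192.0.2.10 and 198.51.100.7 are documentation addresses
# added to show hosts that do NOT get banned with the default settings.
SAMPLE_LOG = """\
Apr 13 23:05:40 atomos sshd[3143]: Did not receive identification string from 138.91.144.167
Apr 13 23:05:48 atomos sshd[3144]: Invalid user support from 138.91.144.167
Apr 13 23:05:49 atomos sshd[3203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167
Apr 13 23:05:51 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
Apr 13 23:05:51 atomos sshd[3236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167
Apr 13 23:05:54 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
Apr 13 23:05:54 atomos sshd[3144]: Received disconnect from 138.91.144.167: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
Apr 13 23:07:02 atomos sshd[3301]: Invalid user admin from 192.0.2.10
Apr 13 23:07:05 atomos sshd[3301]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10
Apr 13 23:10:00 atomos sshd[3310]: Invalid user test from 198.51.100.7
Apr 13 23:21:00 atomos sshd[3320]: Invalid user test from 198.51.100.7
Apr 13 23:32:00 atomos sshd[3330]: Invalid user test from 198.51.100.7
Apr 13 23:43:00 atomos sshd[3340]: Invalid user test from 198.51.100.7
Apr 13 23:54:00 atomos sshd[3350]: Invalid user test from 198.51.100.7
"""

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Three failure signatures, modelled on fail2ban's sshd filter (an assumption,
# not fail2ban's exact list). One login attempt produces several of these
# lines, so "5 attempts" in the mail really means 5 matched lines.
FAILURE_PATTERNS = [
    re.compile(r"Invalid user \S+ from " + HOST),
    re.compile(r"authentication failure;.*\brhost=" + HOST),
    re.compile(r"error: PAM: Authentication failure for (?:illegal|invalid) user \S+ from " + HOST),
]
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failure(line, year=2014):
    """Return (timestamp, host) when the line is an auth failure, else None.
    Syslog timestamps carry no year, so one is assumed (2014, as in the post)."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for pattern in FAILURE_PATTERNS:
        hit = pattern.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def find_bans(lines, maxretry=5, findtime=600):
    """Sliding-window counting in the style of fail2ban: a host is banned at the
    moment it reaches `maxretry` matched lines within `findtime` seconds.
    Returns {host: timestamp_of_ban}."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:          # once banned, further lines are not counted
            continue
        window = recent[host]
        window.append(ts)
        # drop failures that have fallen out of the findtime window
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%b %d %H:%M:%S}")
```

With the defaults only 138.91.144.167 is banned, at 23:05:54, the fifth matched line. 192.0.2.10 produces two lines and stays under the threshold; 198.51.100.7 produces five, but eleven minutes apart, so each new one evicts the previous from the window. Widen findtime to an hour and the slow host is banned too, which is the trade-off fail2ban's findtime encodes.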

Whois only tells part of the story…
If you grab this wad of XML and sift around, you’ll find…
I’m hopeless with doing CIDR math, but I bet your address fits in that space. It’s probably not Microsoft, it’s more likely an Azure customer.
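The CIDR arithmetic behind that comment, as an added example that is not part of the thread (my own code, using Python's ipaddress module, IPv4 only): it converts the NetRange from the whois reply in the post into the CIDR blocks that cover it, does the prefix match by hand so the math is visible, and includes a constructed range (RFC 5737 documentation space) that is not aligned to a single prefix, which is the case where a NetRange and a CIDR line stop being the same thing.

```python
import ipaddress

# Constructed inputs: the NetRange from the whois reply in the post, and a
# made-up range in documentation space that does not line up with one prefix.
MICROSOFT_NETRANGE = "138.91.0.0 - 138.91.255.255"
UNALIGNED_NETRANGE = "192.0.2.8 - 192.0.2.23"


def netrange_to_cidrs(netrange):
    """Turn a whois 'NetRange: a - b' line into the minimal list of CIDR
    blocks covering it. A range that is not power-of-two aligned needs
    several blocks, which is why whois prints a separate CIDR line."""
    start, end = (ipaddress.ip_address(p.strip()) for p in netrange.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def cidr_contains(ip, cidr):
    """Prefix match done by hand (IPv4 only): an address lies in a /N block
    when its top N bits equal the block's top N bits. Shifting both 32-bit
    integers right by 32-N discards everything below the prefix."""
    net, prefix = cidr.split("/")
    shift = 32 - int(prefix)
    return int(ipaddress.IPv4Address(ip)) >> shift == int(ipaddress.IPv4Address(net)) >> shift


def blocks_containing(ip, netrange):
    """Which of a NetRange's CIDR blocks hold `ip`; empty list if none."""
    return [c for c in netrange_to_cidrs(netrange) if cidr_contains(ip, c)]


if __name__ == "__main__":
    print(netrange_to_cidrs(MICROSOFT_NETRANGE))                  # ['138.91.0.0/16']
    print(blocks_containing("138.91.144.167", MICROSOFT_NETRANGE))  # ['138.91.0.0/16']
    print(netrange_to_cidrs(UNALIGNED_NETRANGE))                  # two /29 blocks
    # cross-check the hand-rolled prefix test against the library's own answer
    assert cidr_contains("138.91.144.167", "138.91.0.0/16") == (
        ipaddress.ip_address("138.91.144.167") in ipaddress.ip_network("138.91.0.0/16"))
```

For the /16 in the post the answer is immediate: 138.91.144.167 shares its first 16 bits (138.91) with 138.91.0.0, so it is inside. The unaligned range needs two /29 blocks, and an address just past its end (192.0.2.24) lands in neither, which is what a per-block membership test has to handle when whois gives you a range rather than a prefix.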
Probably… I also observed another IP of theirs snooping around gitweb (which I don’t mind: if I did I wouldn’t have it public).
Many ISPs provide a reverse DNS that would differentiate between customer and corporate network. The way they’ve got it at the moment it’s hard to tell without digging through XML.
That’s problematic because Microsoft themselves use Azure in the same fleet of hardware and network. Seriously.