Blocking brute forcer with multiple IPs in range

Question

A few weeks ago, I allowed my Linux Server to be connected from the internet for development purposes. My networking knowledge is quite basic. Following some guidelines on securing Linux servers, I have installed Fail2Ban and I also disabled root logins from SSH.

Currently, I am receiving tons of emails from Fail2Ban about a few IPs within a range that keeps getting blocked. I have max retry set to 3 and a grace time of 60 seconds, block is permanent. However, they can bypass that by changing their IP by a small deviation and then they would try again and get blocked.

How is it possible for them to even change their IP addresses? Do they own a range of IP addresses or something?

I have Fail2Ban set to do a whois search on the banned IP in the email. There is a section called "inetsum" that comes up first. Here is an example output of one of the repeated IPs that keep coming back.

inetnum: 221.192.0.0 - 221.195.255.255

What does inetnum mean? Is that the range of IP addresses that the person owns? Should I just block that instead? Or is that the IP range of the internet service provider?

Here is an image of the IP addresses:

Answer 1

The inetnum and range come from the following IP whois information and simply represents the IP range used for BGP by the Internet Service Provider.

The changing of IP addresses could actually be a number of different things but it could simply be them using a pool of IP's from the ISP, a Chinese bot net or a group of Tor exit nodes (unlikely but possible, and something you could look up).

In any case, you need to stop this. It's great that you have Fail2Ban setup but it would be wise to move your SSH daemon to a high port (I recommend above TCP/30000)

Likewise as @tlng05 mentioned switch from password only to public-key authentication if you can as that tends to stop a lot of brute forcing. Note: when doing this make sure password auth is really disabled and not an option after public-key authentication times out.

If your organization has no business from China you could block that IP range for a few days but I don't generally recommend blocking countries except in very specific cases.

Finally it may be worth setting up a honey pot with a bad password on SSH to see what the attackers next steps will be and also waste more of their time (increase their cost of attacking).

It's worth e-mailing the abuse@ e-mail they provide in their IP Whois results but there is no guarantee anything will be done. Some providers are great at helping to block things like this others will ignore your request. None the less it's wise to do so if you have time (BTW: I've seen this automated).

Can you limit access to this host from certain source IP addresses ? If so that would allow you to block 99% of the Internet which would be a much better solution.

Likewise connecting to a jump-server via VPN first would also help. (Many ways to solve this problem).

If it's an option one way or another you definitely want to block that attacker and watch for their return.

IP Whois results from looking up one of the IP's you listed:

Source: whois.apnic.netIP Address: 221.194.44.223 (China)
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '221.192.0.0 - 221.195.255.255'

inetnum:        221.192.0.0 - 221.195.255.255
netname:        UNICOM-HE
descr:          China Unicom Hebei Province Network
descr:          China Unicom
country:        CN
admin-c:        CH1302-AP
tech-c:         KL984-AP
remarks:        service provider
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CNCGROUP-HE
mnt-routes:     MAINT-CNCGROUP-RR
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-irt:        IRT-CU-CN
changed:        hm-changed@apnic.net 20040329
changed:        hm-changed@apnic.net 20060124
changed:        hm-changed@apnic.net 20060125
changed:        hm-changed@apnic.net 20080314
changed:        hm-changed@apnic.net 20090508
source:         APNIC

irt:            IRT-CU-CN
address:        No.21,Jin-Rong Street
address:        Beijing,100140
address:        P.R.China
e-mail:         zhouxm@chinaunicom.cn
abuse-mailbox:  zhouxm@chinaunicom.cn
admin-c:        CH1302-AP
tech-c:         CH1302-AP
auth:           # Filtered
mnt-by:         MAINT-CNCGROUP
changed:        zhouxm@chinaunicom.cn 20101110
changed:        hm-changed@apnic.net 20101116
source:         APNIC

person:         ChinaUnicom Hostmaster
nic-hdl:        CH1302-AP
e-mail:         abuse@cnc-noc.net
address:        No.21,Jin-Rong Street
address:        Beijing,100033
address:        P.R.China
phone:          +86-10-66259764
fax-no:         +86-10-66259764
country:        CN
changed:        abuse@cnc-noc.net 20090408
mnt-by:         MAINT-CNCGROUP
source:         APNIC

person:         Kong Lingfei
nic-hdl:        KL984-AP
e-mail:         konglf5@chinaunicom.cn
address:        45, Guang An Street, Shi Jiazhuang City, HeBei Province,050011,CN
phone:          +86-311-86681601
fax-no:         +86-311-86689210
country:        cn
changed:        konglf5@chinaunicom.cn 20090206
mnt-by:         MAINT-CNCGROUP-HE
source:         APNIC

% Information related to '221.192.0.0/14AS4837'

route:          221.192.0.0/14
descr:          CNC Group CHINA169 Hebei Province Network
country:        CN
origin:         AS4837
mnt-by:         MAINT-CNCGROUP-RR
changed:        abuse@cnc-noc.net 20060118
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)