I have logwatch installed on two servers with ssh ruuning on port 22 (I need to run on port 22 cos the uni blocks other ports and won't unblock other ports unless it is for an academic reason.)
I get stuff like this every day from the servers.
- Code: Select all
Didn't receive an ident from these IPs:
22.214.171.124: 1 Time(s)
126.96.36.199 (ns2.anpr.org.br): 1 Time(s)
188.8.131.52 (host-23-xx.hcm.fpt.vn): 1 Time(s)
184.108.40.206: 1 Time(s)
Failed logins from:
220.127.116.11 (67-115-155-230.sfpl.org): 6 times
root/password: 6 times
18.104.22.168 (e82-103-130-33s.easyspeedy.com): 3 times
root/password: 3 times
22.214.171.124: 5 times
root/password: 5 times
126.96.36.199 (host-23-xx.hcm.fpt.vn): 1 time
root/password: 1 time
Illegal users from:
188.8.131.52: 1 time
oracle: 1 time
184.108.40.206: 3 times
ant: 1 time
office: 1 time
pc: 1 time
220.127.116.11: 1 time
ant: 1 time
So does anyone know of an automated tool to look up info about the ip address and send an email reporting the attack to the valid email for the ip address. I'm currently doing it by hand.
Or is not worth bothering.
Also is there a black list i should be reporting these ip address to?