Bored Chinese

Since putting fail2ban in place, nearly all of the brute force password attacks have been out of China, a handful from Viet Nam.

Hi,

The IP 58.215.172.27 has just been banned by Fail2Ban after
5 attempts against SSH.


Here are more information about 58.215.172.27:

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '58.208.0.0 - 58.223.255.255'

inetnum:        58.208.0.0 - 58.223.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     MAINT-CHINANET-JS
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
status:         ALLOCATED PORTABLE
changed:        hm-changed@apnic.net 20050624
source:         APNIC

role:           CHINANET JIANGSU
address:        260 Zhongyang Road,Nanjing 210037
country:        CN
phone:          +86-25-86588231
phone:          +86-25-86588745
fax-no:         +86-25-86588104
e-mail:         ip@jsinfo.net
remarks:        send anti-spam reports to spam@jsinfo.net
remarks:        send abuse reports to abuse@jsinfo.net
remarks:        times in GMT+8
admin-c:        CH360-AP
tech-c:         CS306-AP
tech-c:         CN142-AP
nic-hdl:        CJ186-AP
remarks:        www.jsinfo.net
notify:         ip@jsinfo.net
mnt-by:         MAINT-CHINANET-JS
changed:        dns@jsinfo.net 20090831
changed:        ip@jsinfo.net 20090831
changed:        hm-changed@apnic.net 20090901
source:         APNIC
changed:        hm-changed@apnic.net 20111114

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        dingsy@cndata.com 20070416
changed:        zhengzm@gsta.com 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)

Regards,

Fail2Ban
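The notification above is what fail2ban sends once an address has hit its retry limit against SSH. As an added illustration (not part of the original post or of fail2ban's own code), the following script replays sshd "Failed password" lines through the same kind of sliding-window counter: five failures within ten minutes bans the address for ten minutes, and further failures from a banned address are ignored, as they would be once the firewall rule is in place. The log lines, hostnames and IP addresses are constructed for the example, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2014  # assumption: syslog lines have no year; pick the post's year

# Constructed sample auth.log lines (not taken from the post); the addresses
# are documentation ranges used only to exercise the counting logic.
SAMPLE_AUTH_LOG = """\
May  9 23:58:01 shell sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
May  9 23:58:03 shell sshd[4103]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
May  9 23:58:05 shell sshd[4105]: Failed password for root from 203.0.113.45 port 51041 ssh2
May  9 23:58:07 shell sshd[4107]: Failed password for root from 203.0.113.45 port 51052 ssh2
May  9 23:58:09 shell sshd[4109]: Failed password for root from 203.0.113.45 port 51063 ssh2
May  9 23:58:11 shell sshd[4111]: Failed password for root from 203.0.113.45 port 51070 ssh2
May  9 23:59:40 shell sshd[4120]: Failed password for bob from 198.51.100.7 port 40001 ssh2
May 10 00:20:00 shell sshd[4130]: Failed password for bob from 198.51.100.7 port 40002 ssh2
May 10 00:20:05 shell sshd[4131]: Accepted password for bob from 198.51.100.7 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line):
    """Return (timestamp, ip) for an sshd 'Failed password' line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # strptime treats a space in the format as "one or more" whitespace, so the
    # double space in "May  9" is handled
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip")


def detect_bans(lines, maxretry=5, findtime=600, bantime=600):
    """Replay auth.log lines through a fail2ban-style sliding window.

    An IP is banned when it accumulates `maxretry` failures within `findtime`
    seconds; while banned, its further failures are ignored for `bantime`.
    Returns a list of (ip, time_of_ban) tuples in log order.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> expiry of the current ban
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # accepted logins and unrelated lines do not count
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue              # the firewall would have dropped this attempt
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than findtime
        if len(q) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, when in detect_bans(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

With the sample above only 203.0.113.45 is banned, at its fifth failure; the two failures from 198.51.100.7 fall more than ten minutes apart, so the first has already aged out of the window when the second arrives.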

Virus Warning!

There is a new virus propagating that until just now, clam-av was unaware of, and as a result there may be copies in your INBOX.

If you have an e-mail with an attachment eskimo.com.zip, DO NOT OPEN THE ZIP ATTACHMENT.

Two of three servers now have an updated clam-AV database and will no longer accept this virus, but I am having problems with a third server that is so choked with viruses I can’t get command-line responses to update clam-AV.

This has caused outgoing mail to get stuck in the queue. Presently the two servers that are working are cleared, and I am working on getting this one to update and clear itself.

Maintenance Outage 5/10/14 00:05-02:00

I will be rebooting and taking machines down for imaging tonight shortly after midnight. I should be finished by approximately 2 AM.

This is necessary to install kernel upgrades that fix a possible privilege escalation exploit in the kernel as well as to image the machines after adding fail2ban so that if a restoration is necessary at some point, that will get included in the restoration.

In short, these outages will enable us to make some improvements in site security as well as to back up some improvements recently put in place.

Yahoo Accepting Mail

I have been able to confirm via the mail log that today mail is going through to Yahoo, ATT/SBC Global, and Frontier.

Comcast is presently blocking for reasons unknown. I’ve applied to their feedback program so I will receive e-mails of any spam they receive from us, and have submitted a response on their unblock form.

Yahoo Saga Continues…

Today, I received a bunch of bounces from applications for accounts on my Photo Gallery (CopperMine) from Yahoo addresses.

I deleted all of these that were still in queue and disabled account creation in CopperMine.

So this probably hasn’t helped our stance from Yahoo’s perspective, though it would be nice if they’d actually communicate. It would also be helpful if they’d reject messages with the correct code: permanent rejections should use 5xx, not 4xx as Yahoo is using. Using the latter means people won’t find out there is a problem until a bounce happens perhaps weeks later, and it eats up a lot of mail resources unnecessarily on both ends.
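To make the 4xx-versus-5xx point concrete, here is an added example (mine, not from the post or from any MTA's source) that classifies an SMTP reply by its code and then simulates what a sending queue does with it: a 5xx reply bounces on the first attempt, whereas a 4xx reply is retried on a doubling backoff until the queue lifetime expires, and only then does the sender learn anything. The backoff limits are a simplified version of Postfix's defaults (300 s minimum, 4000 s maximum, 5-day queue lifetime); the reply texts are constructed, not copied from any provider.

```python
# Constructed SMTP replies (not real provider output).  The rejection is
# multi-line to show how continuation lines ("code-") are handled.
DEFER_REPLY = "421 4.7.0 Temporarily deferred; try again later"
REJECT_REPLY = "554-5.7.1 Message rejected\n554 5.7.1 Sender is blocked by local policy"
ACCEPT_REPLY = "250 2.0.0 OK: queued"


def classify_reply(reply):
    """Map a raw SMTP reply to 'accept', 'defer' or 'reject' by its code class.

    Multi-line replies repeat the same three-digit code on every line, with
    '-' after the code on all but the last line and a space on the last.
    """
    lines = reply.strip().splitlines()
    code = lines[0][:3]
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"malformed SMTP reply: {reply!r}")
    for i, line in enumerate(lines):
        sep_ok = line[3:4] == ("-" if i < len(lines) - 1 else " ")
        if line[:3] != code or not sep_ok:
            raise ValueError(f"inconsistent multi-line reply: {reply!r}")
    first_digit = code[0]
    if first_digit == "2":
        return "accept"   # 2xx: message accepted for delivery
    if first_digit == "4":
        return "defer"    # 4xx: transient, the sender should retry later
    if first_digit == "5":
        return "reject"   # 5xx: permanent, the sender should bounce now
    raise ValueError(f"unexpected reply code {code}")


def simulate_delivery(reply_for_attempt, min_backoff=300, max_backoff=4000,
                      max_queue_lifetime=5 * 86400):
    """Simulate a sending MTA's retry loop for one queued message.

    reply_for_attempt(n) returns the reply the receiver gives on attempt n.
    Returns (outcome, seconds_until_outcome, attempts).  Backoff doubles from
    min_backoff up to max_backoff; the message is bounced once the next retry
    would fall outside max_queue_lifetime (a simplification of real schedulers).
    """
    t = 0
    backoff = min_backoff
    attempts = 0
    while True:
        attempts += 1
        verdict = classify_reply(reply_for_attempt(attempts))
        if verdict == "accept":
            return ("delivered", t, attempts)
        if verdict == "reject":
            return ("bounced", t, attempts)     # sender hears immediately
        if t + backoff > max_queue_lifetime:
            return ("bounced", t, attempts)     # queue lifetime exhausted
        t += backoff
        backoff = min(backoff * 2, max_backoff)


if __name__ == "__main__":
    for name, policy in [("5xx reject", lambda n: REJECT_REPLY),
                         ("4xx defer forever", lambda n: DEFER_REPLY)]:
        outcome, secs, n = simulate_delivery(policy)
        print(f"{name}: {outcome} after {secs / 86400:.2f} days and {n} attempts")
```

Run as written, the permanent rejection reports a bounce after 0 days and one attempt, while the never-ending deferral reports a bounce just short of five days after more than a hundred delivery attempts, which is the cost on both ends the paragraph above describes.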

Anyway, per their best practices pages, I’m working on getting DKIM and DMARC installed. Not that either of these would have prevented a single spam, since the spams were sent with hacked accounts (and it’s not as if Yahoo hasn’t had their own problems with hacked accounts) and thus would have been signed as legitimate if these things had been in place; and really SPF, which is in place, serves the same purpose.

I tried e-mailing support@yahoo.com but just got referred to the same web page that doesn’t work. I tried calling and just got referred to the same page that doesn’t work.

If anybody knows how to reach an actual human being at Yahoo that might actually care that they’re blocking legitimate e-mail, please let me know.