Need help with hetzner ip block

I received this message today:
We have noticed that you have been using other IPs from the same subnet in
addition to the main IP mentioned in the above subject line.

As I am not a server expert I have no idea how to solve it. I did notice unsuccessful login attempts on my CentOS 7 SSH screen and I changed the SSH port from 22 to prevent it. I am using ISPConfig, which comes with its own firewall.

hetzner sent me this log:

60:a4:4c:e7:1b:e2 - ge-0/0/41.0

Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.133 144.0.2.231 43410 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.14 144.0.2.231 61903 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.89 144.0.2.231 53725 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.10 144.0.2.231 2569 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.81 144.0.2.231 41927 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.140 144.0.2.231 16079 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.29 144.0.2.231 11802 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.147 144.0.2.231 5077 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.149 144.0.2.231 13443 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.72 144.0.2.231 62352 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.37 144.0.2.231 21364 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.15 144.0.2.231 50145 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.147 144.0.2.231 1221 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.73 144.0.2.231 28001 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.114 144.0.2.231 29786 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.49 144.0.2.231 51004 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.73 144.0.2.231 2154 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.37 144.0.2.231 46026 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.96 144.0.2.231 42593 8008 (1 packets)
Sep 26 08:31:15 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.114 144.0.2.231 42429 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.138 144.0.2.231 17026 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.30 144.0.2.231 63706 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.33 144.0.2.231 41676 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.73 144.0.2.231 3228 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/33.0 A tcp 88.198.56.154 92.126.248.186 80 50778 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.107 144.0.2.231 57091 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.122 144.0.2.231 15875 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.45 144.0.2.231 64945 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.89 144.0.2.231 34779 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.59 144.0.2.231 40373 8008 (1 packets)

Can anyone point me to what exactly is causing the problem and how I can block these other IPs?

thanks.

Comments

  • that's too little information to help you with that, please be more descriptive ;-)

    do you have a server with a single IP, or did you order more add-on IPs or a whole subnet? if the latter, how big is that subnet?

    it could be either that you simply misconfigured your network settings, making your server use IPs which are not assigned to it (wrong netmask etc.)...

    or, if your server got compromised, there might be some malware running on it spoofing those IPs not belonging to you.

    let's pretend it is the first option; then get your network settings sorted.
    anyway, you should take a closer look at what's happening on your server right now, and what software may use or try to use IPs which aren't in your range...

    if you don't know what this all is about, reach out to someone who can help you with this directly, or even better discontinue using unmanaged services ;-)

  • Thanks for the reply. I got a dedicated server so I can learn Linux as well; usually I use tutorials and Google search to solve issues, but they blocked the server without giving me time to figure out the issue.

  • deankdeank Member, Troll

    Thousands of failed login attempts have nothing to do with your issue. It happens to all servers nowadays. It's bots trying very basic login combinations to break into servers or usually WP. You should secure SSH though.

  • for interpreting the logfile:

    If I am not mistaken, this originates from some Juniper routing/firewall equipment of Hetzner's, and I'd guess the first IP per line should be the source and the second the destination. If this is the case, your server is also identified via its MAC 60:a4:4c:e7:1b:e2 on port ge-0/0/41.0.

    so it looks like there are a lot of outgoing connections to an IP belonging to China Telecom (144.0.2..) but with different IPs from that 88.198.56.. subnet of Hetzner's.

    yet your server should only have and use one of those IPs.

    most probably Hetzner will allow you to reboot the server in rescue mode to gain access to the files.

    you might want to match the local log entries of the brute-force attempt against that destination in China above. also try to find files with a creation/modification date not long ago. watch the Apache log for IP matches or unexpected paths/filenames/URLs to maybe find infected files, and so on...

    keep in mind there may be a lot of other ways to compromise a system anyway. if you do find something and are able to remove it properly, fine - if not, it would be better to start from scratch and harden the system a lot more than before. no weak passwords, or even better no passwords at all if avoidable.

    btw: did you use jailkit like suggested in that tutorial? if not absolutely needed, don't give SSH access to anyone. attackers gaining unprivileged access could most probably snoop around and try to gain access to other services on that server and escalate permissions...
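To make the reading of the log above checkable rather than eyeballed, here is an added example (not code from the thread, from Hetzner or from Juniper) that parses lines in the PFE_FW_SYSLOG_IP format quoted in the original post, taking the thread's assumption that the first address is the source and the second the destination. The sample lines are a constructed abridgement of the posted log, and the "assigned main IP" passed in is a constructed assumption; on a real server you would compare against the single IP Hetzner allocated to it.

```python
import re
from collections import Counter

# Constructed sample: four entries in the Juniper PFE_FW_SYSLOG_IP format
# quoted in the original post (wrapped lines already joined, abridged).
SAMPLE_LOG = """\
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.133 144.0.2.231 43410 8008 (1 packets)
Sep 26 08:31:14 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.14 144.0.2.231 61903 8008 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/33.0 A tcp 88.198.56.154 92.126.248.186 80 50778 (1 packets)
Sep 26 08:31:16 2a01:4f8::a:13:2:552 fpc0 PFE_FW_SYSLOG_IP: %-FW: ge-0/0/41.0 A tcp 88.198.56.133 144.0.2.231 57091 8008 (1 packets)
"""

# Field layout as it appears in the posted lines: timestamp, logging host,
# fpc slot, tag, interface, action, protocol, src, dst, sport, dport.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+ PFE_FW_SYSLOG_IP: %-FW: (?P<iface>\S+) "
    r"(?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)"
)


def parse(log_text):
    """Yield one dict per line that matches the format; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text, iface, assigned_ip):
    """Per-port view: which source IPs were seen on this switch port and how
    many of them are not the one address the server is supposed to use.
    `assigned_ip` is an assumption supplied by the caller."""
    recs = [r for r in parse(log_text) if r["iface"] == iface]
    sources = Counter(r["src"] for r in recs)
    dests = Counter("%s:%s" % (r["dst"], r["dport"]) for r in recs)
    unexpected = sorted(ip for ip in sources if ip != assigned_ip)
    return {
        "lines": len(recs),
        "sources": sources,
        "destinations": dests,
        "unexpected_sources": unexpected,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "ge-0/0/41.0", "88.198.56.133")
    print("lines on port:", report["lines"])
    print("top destinations:", report["destinations"].most_common(3))
    print("sources not assigned to this server:", report["unexpected_sources"])
```

On the full posted log the same summary shows dozens of distinct 88.198.56.x sources on ge-0/0/41.0 all going to 144.0.2.231:8008, which is exactly the "more IPs than assigned" pattern Hetzner complained about.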
