I've been seeing this a lot in my logs, but none since I set up my firewall, fail2ban and sshguard. Just curious as to what this is, and it is a bit concerning that it says POSSIBLE BREAK-IN ATTEMPT at the end of the entry.
Scanning through my logind logs, it doesn't appear as if any unauthorized user was able to login.
Feb 17 19:33:15 mizzoucapital sshd[4911]: reverse mapping checking getaddrinfo for 223.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 18 12:17:34 mizzoucapital sshd[28460]: Address 66.23.231.237 maps to getprohost.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 18 12:32:16 mizzoucapital sshd[29443]: Address 66.23.231.237 maps to getprohost.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 19 19:07:21 mizzoucapital sshd[17500]: reverse mapping checking getaddrinfo for 223.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 19 19:07:31 mizzoucapital sshd[17503]: reverse mapping checking getaddrinfo for 223.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.223] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 15:19:00 mizzoucapital sshd[31643]: reverse mapping checking getaddrinfo for 197.49.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.49.197] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 15:19:16 mizzoucapital sshd[31675]: reverse mapping checking getaddrinfo for 197.49.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.49.197] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 16:53:20 mizzoucapital sshd[4988]: Address 77.245.75.219 maps to 219-75-245-77.rackcentre.redstation.net.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 16:53:23 mizzoucapital sshd[4990]: Address 77.245.75.219 maps to 219-75-245-77.rackcentre.redstation.net.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 16:53:26 mizzoucapital sshd[4992]: Address 77.245.75.219 maps to 219-75-245-77.rackcentre.redstation.net.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 16:53:29 mizzoucapital sshd[4994]: Address 77.245.75.219 maps to 219-75-245-77.rackcentre.redstation.net.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 16:53:32 mizzoucapital sshd[4997]: Address 77.245.75.219 maps to 219-75-245-77.rackcentre.redstation.net.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 18:11:14 mizzoucapital sshd[13179]: reverse mapping checking getaddrinfo for 206.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.206] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 18:18:39 mizzoucapital sshd[14000]: reverse mapping checking getaddrinfo for 197.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.197] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 18:18:48 mizzoucapital sshd[14003]: reverse mapping checking getaddrinfo for 197.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.197] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 22:40:30 mizzoucapital sshd[8558]: reverse mapping checking getaddrinfo for abts-kk-dynamic-244.211.166.122.airtelbroadband.in [122.166.211.244] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 22:40:35 mizzoucapital sshd[8560]: reverse mapping checking getaddrinfo for abts-kk-dynamic-244.211.166.122.airtelbroadband.in [122.166.211.244] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 22:40:40 mizzoucapital sshd[8563]: reverse mapping checking getaddrinfo for abts-kk-dynamic-244.211.166.122.airtelbroadband.in [122.166.211.244] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 05:49:25 mizzoucapital sshd[2643]: Address 192.241.148.224 maps to peterhagman.webbutveckling.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 05:49:28 mizzoucapital sshd[2645]: Address 192.241.148.224 maps to peterhagman.webbutveckling.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 05:49:31 mizzoucapital sshd[2647]: Address 192.241.148.224 maps to peterhagman.webbutveckling.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 05:49:33 mizzoucapital sshd[2679]: Address 192.241.148.224 maps to peterhagman.webbutveckling.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 05:49:36 mizzoucapital sshd[2682]: Address 192.241.148.224 maps to peterhagman.webbutveckling.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 14:29:35 mizzoucapital sshd[3041]: reverse mapping checking getaddrinfo for reserve.cableplus.com.cn [219.233.195.44] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 14:29:40 mizzoucapital sshd[3043]: reverse mapping checking getaddrinfo for reserve.cableplus.com.cn [219.233.195.44] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 14:29:43 mizzoucapital sshd[3076]: reverse mapping checking getaddrinfo for reserve.cableplus.com.cn [219.233.195.44] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 14:29:47 mizzoucapital sshd[3078]: reverse mapping checking getaddrinfo for reserve.cableplus.com.cn [219.233.195.44] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 14:29:51 mizzoucapital sshd[3080]: reverse mapping checking getaddrinfo for reserve.cableplus.com.cn [219.233.195.44] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 21:39:48 mizzoucapital sshd[30417]: reverse mapping checking getaddrinfo for 179.89.26.218.internet.sx.cn [218.26.89.179] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 21:39:54 mizzoucapital sshd[30419]: reverse mapping checking getaddrinfo for 179.89.26.218.internet.sx.cn [218.26.89.179] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 21:53:55 mizzoucapital sshd[31269]: reverse mapping checking getaddrinfo for 209.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.209] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 21:54:06 mizzoucapital sshd[31302]: reverse mapping checking getaddrinfo for 209.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.209] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 22 00:40:41 mizzoucapital sshd[9207]: reverse mapping checking getaddrinfo for 212.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.212] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 22 00:40:50 mizzoucapital sshd[9210]: reverse mapping checking getaddrinfo for 212.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.212] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 22 10:18:54 mizzoucapital sshd[12396]: reverse mapping checking getaddrinfo for 212.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.212] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 22 10:19:04 mizzoucapital sshd[12429]: reverse mapping checking getaddrinfo for 212.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.212] failed - POSSIBLE BREAK-IN ATTEMPT!
Is that output everything, or did you run it through grep? Yes, someone is trying to break into your system, and they are trying to spoof their address. The address pair I checked wants you to think they are in the UK, but they are in Japan.
Usually, there is a brute force password attack associated with these. Do you allow passwords, or do you require key pairs?
Last edited by ewaller (2014-02-22 21:15:47)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
I used this command to produce the output above: journalctl --no-pager | grep "POSSIBLE BREAK-IN"
I've seen a lot of traffic from Tokyo, Malaysia and Hong Kong.
I used this command to spit out the top failed password attempts:
journalctl --no-pager | grep -i "failed password" | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -nr | head
6662 219.133.33.59
1863 106.186.24.66
962 37.205.198.162
668 192.3.150.132
516 218.59.184.154
513 61.183.15.105
392 97.74.92.181
392 108.168.207.195
347 218.2.22.134
324 61.147.70.29
They did try brute forcing before I had set up my firewall / f2b / sshg. Now they can't get very far. Most of them try to login as root, which you cannot do on my server, but even still, my root password is insane and brute force would take a very long time to get it.
I often see these same people talk to my DNS service. I'm assuming they're just sweeping IP addresses in America using low-level methods.
I'm just curious what "reverse mapping checking getaddrinfo" means though, since I haven't seen that since I set up the firewall / f2b / sshg services.
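Both warnings come from the same sshd check (run when UseDNS is on): sshd looks up the PTR record of the connecting address, then resolves that name forward and expects the original address in the answer. "reverse mapping checking getaddrinfo ... failed" means the PTR name did not resolve forward at all; "maps to X, but this does not map back" means it resolved, but not to the connecting address. Neither is proof of an intrusion on its own (dynamic dial-up pools and sloppy hosting DNS fail this routinely), so the useful signal is correlating the source IP with the "Failed password" and "Accepted" lines that follow. The script below, added here as an illustration and not part of the original thread, parses both warning forms plus "Failed password" lines from a constructed sample and reimplements the check with injected resolver functions so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread; the 'Failed password'
# lines are invented for this example.
SAMPLE_LOG = """\
Feb 20 16:53:20 host sshd[4988]: Address 77.245.75.219 maps to 219-75-245-77.rackcentre.redstation.net.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 16:53:24 host sshd[4988]: Failed password for invalid user admin from 77.245.75.219 port 53112 ssh2
Feb 20 18:11:14 host sshd[13179]: reverse mapping checking getaddrinfo for 206.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.206] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 20 18:11:16 host sshd[13179]: Failed password for root from 61.174.51.206 port 41022 ssh2
Feb 20 18:11:19 host sshd[13179]: Failed password for root from 61.174.51.206 port 41022 ssh2
"""

# PTR gave a name, but the name's forward records do not include the address.
NO_FORWARD = re.compile(r"Address ([\d.]+) maps to (\S+), but this does not map back")
# PTR gave a name, but getaddrinfo() on that name returned nothing.
PTR_UNCONFIRMED = re.compile(r"getaddrinfo for (\S+) \[([\d.]+)\] failed")
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(\S+) from ([\d.]+) port")


def summarize(log_text):
    """Per source IP: the PTR name sshd saw, why the forward check failed and
    how many password failures followed. Only the failures are attack evidence."""
    hosts = defaultdict(lambda: {"ptr": None, "dns_warning": None, "failed_passwords": 0})
    for line in log_text.splitlines():
        if m := NO_FORWARD.search(line):
            hosts[m[1]].update(ptr=m[2], dns_warning="no-forward-match")
        elif m := PTR_UNCONFIRMED.search(line):
            hosts[m[2]].update(ptr=m[1], dns_warning="forward-lookup-failed")
        elif m := FAILED_PW.search(line):
            hosts[m[2]]["failed_passwords"] += 1
    return dict(hosts)


def fcrdns(ip, ptr_lookup, forward_lookup):
    """Forward-confirmed reverse DNS, the check behind both sshd messages.
    ptr_lookup(ip) returns a name or None; forward_lookup(name) returns a list
    of addresses. Both are injected (assumed callables) so no network is needed."""
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr"                  # sshd just uses the bare IP; no warning
    addrs = forward_lookup(name)
    if not addrs:
        return "forward-lookup-failed"   # 'reverse mapping checking ... failed'
    if ip not in addrs:
        return "no-forward-match"        # 'maps to X, but this does not map back'
    return "ok"
```

Real resolvers can be passed as socket.gethostbyaddr / socket.gethostbyname_ex wrappers; the warning by itself only says the remote side's DNS is inconsistent, so blocking decisions belong on the failed-login counts.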