[GLLUG] Maybe OT - Fail2ban and what triggers it

Ken Smith kens at kensnet.org
Mon Mar 18 07:39:19 UTC 2013


Hi All,

I have a hosted CentOS VM I use for various things. I'd noticed failed 
SSH logins quite some time ago and had installed Fail2ban to thwart 
these. It works really well.

Recently, after noticing a period of fairly concerted attempts at 
logins, I have slightly modified one of its scripts so that it runs a 
stealth nmap scan of the login failure's source. The results are quite 
interesting. The majority of the failures' IP addresses resolve to 
originate behind the Great Firewall and most of the sources look like 
Linux machines, often Ubuntu. Normally there's SSH, Apache and MySQL and 
quite often Samba visible, sometimes VNC and even X. If the scan 
results were largely of routers then SSH and Apache wouldn't surprise 
me, but they don't often run MySQL, Samba, VNC or X as far as I'm aware. 
The ones appearing to originate behind the Great Firewall are not 
uniform, mainly Linux but not all the same. To my surprise very few of 
the results look like Microsoft machines; I haven't ever seen RDP.

What to conclude? Are the Linux machines running behind the Great 
Firewall all prone to some malware that they run these hack attempts? 
Why not elsewhere then? I had heard that computer users in that 
environment are all required to run some type of 'health monitoring' 
application. Does the Linux version of that have some extra features?

Interesting - to me anyway....

Ken
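As an added illustration of what "triggers" a Fail2ban sshd jail (not code from the post or from the Fail2ban project): a small Python script that applies the same maxretry-within-findtime rule to sshd "Failed password" lines. The log lines, hostname, year and thresholds are constructed for the example; a real jail additionally matches many other sshd failure messages.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified form of the pattern Fail2ban's sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(stamp, year=2013):
    # syslog timestamps carry no year; the year is assumed for the example
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside
    any findtime-second window, mirroring a Fail2ban jail's trigger rule."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop stale failures
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

# Constructed sample log: one burst (banned), one slow trickle and one
# pair of failures (both below the jail threshold).
SAMPLE_LOG = [
    f"Mar 18 {t} vm1 sshd[2201]: Failed password for root from {ip} port 5123 ssh2"
    for t, ip in [
        ("06:00:00", "192.0.2.5"), ("06:30:00", "192.0.2.5"),
        ("07:00:00", "192.0.2.5"), ("07:30:00", "192.0.2.5"),
        ("07:39:19", "203.0.113.7"), ("07:39:31", "203.0.113.7"),
        ("07:39:44", "203.0.113.7"), ("07:39:58", "203.0.113.7"),
        ("07:40:05", "203.0.113.7"), ("07:40:12", "203.0.113.7"),
        ("07:41:00", "198.51.100.9"), ("07:41:10", "198.51.100.9"),
        ("08:00:00", "192.0.2.5"),
    ]
]

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))   # {'203.0.113.7': datetime(2013, 3, 18, 7, 40, 5)}
```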

