167.71.102.17 - - [09/Oct/2020:18:31:52 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [09/Oct/2020:18:37:57 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

167.71.102.17 - - [09/Oct/2020:08:22:26 +0100] "POST /wp-login.php HTTP/1.1" 200 4427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [09/Oct/2020:08:22:28 +0100] "POST /wp-login.php HTTP/1.1" 200 4427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [09/Oct/2020:08:22:32 +0100] "POST /wp-login.php HTTP/1.1" 200 4427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

$f2bV_matches

167.71.102.17 - - [07/Aug/2020:02:39:16 +0100] "GET /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Script detected

Trolling for resource vulnerabilities

167.71.102.17 - - [31/Aug/2020:10:52:00 +0200] "POST /wp-login.php HTTP/1.1" 200 5480 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [31/Aug/2020:10:52:02 +0200] "POST /wp-login.php HTTP/1.1" 200 5507 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [31/Aug/2020:11:14:38 +0200] "POST /wp-login.php HTTP/1.1" 200 5549 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [31/Aug/2020:11:14:40 +0200] "POST /wp-login.php HTTP/1.1" 200 5560 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [31/Aug/2020:11:14:42 +0200] "POST /wp-login.php HTTP/1.1" 200 5556 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

167.71.102.17 - - [24/Aug/2020:10:12:53 +0200] "GET /wp-login.php HTTP/1.1" 200 9040 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [24/Aug/2020:10:12:55 +0200] "POST /wp-login.php HTTP/1.1" 200 9291 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [24/Aug/2020:10:12:57 +0200] "POST /xmlrpc.php HTTP/1.1" 200 427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

167.71.102.17 - - [17/Aug/2020:05:11:25 +0100] "POST /wp-login.php HTTP/1.1" 200 2420 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [17/Aug/2020:05:11:27 +0100] "POST /wp-login.php HTTP/1.1" 200 2408 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [17/Aug/2020:05:11:29 +0100] "POST /wp-login.php HTTP/1.1" 200 2440 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

167.71.102.17 - - [20/Jul/2020:06:08:29 +0200] "GET /wp-login.php HTTP/1.1" 200 1901 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [20/Jul/2020:06:08:30 +0200] "POST /wp-login.php HTTP/1.1" 200 2031 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [20/Jul/2020:06:08:30 +0200] "GET /wp-login.php HTTP/1.1" 200 1901 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [20/Jul/2020:06:08:30 +0200] "POST /wp-login.php HTTP/1.1" 200 2007 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [20/Jul/2020:06:08:30 +0200] "GET /wp-login.php HTTP/1.1" 200 1901 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [20/Jul/2020:06:08:31 +0200] "POST /wp-login.php HTTP/1.1" 200 2008 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Fir
...

167.71.102.17 - - [19/Jul/2020:09:36:58 +0200] "POST /xmlrpc.php HTTP/1.1" 403 10519 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [19/Jul/2020:09:59:55 +0200] "POST /xmlrpc.php HTTP/1.1" 403 461 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

"XSS Attack Detected via libinjection - Matched Data: XSS data found within ARGS_NAMES:

php WP PHPmyadamin ABUSE blocked for 12h

167.71.102.17 - - [25/Jun/2020:18:26:47 +0100] "POST /wp-login.php HTTP/1.1" 200 4433 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [25/Jun/2020:18:26:48 +0100] "POST /wp-login.php HTTP/1.1" 200 4433 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [25/Jun/2020:18:26:48 +0100] "POST /xmlrpc.php HTTP/1.1" 403 219 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

"XSS Attack Detected via libinjection - Matched Data: XSS data found within ARGS_NAMES:

167.71.102.17 - - [24/Jun/2020:08:23:53 +0100] "POST /wp-login.php HTTP/1.1" 200 2046 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [24/Jun/2020:08:23:54 +0100] "POST /wp-login.php HTTP/1.1" 200 2020 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [24/Jun/2020:08:23:58 +0100] "POST /wp-login.php HTTP/1.1" 200 2019 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

10 attempts against mh-misc-ban on heat

10 attempts against mh-misc-ban on comet

167.71.102.17 - - [05/Jun/2020:19:23:28 +0200] "GET /wp-login.php HTTP/1.1" 200 5861 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [05/Jun/2020:19:23:31 +0200] "POST /wp-login.php HTTP/1.1" 200 6112 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.71.102.17 - - [05/Jun/2020:19:23:32 +0200] "POST /xmlrpc.php HTTP/1.1" 200 427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Oct 10 20:13:14 santamaria sshd\[10702\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201  user=root
Oct 10 20:13:17 santamaria sshd\[10702\]: Failed password for root from 167.71.102.201 port 35300 ssh2
Oct 10 20:16:33 santamaria sshd\[10729\]: Invalid user ftp from 167.71.102.201
...

Oct 10 04:41:27 firewall sshd[15843]: Failed password for root from 167.71.102.201 port 53340 ssh2
Oct 10 04:45:07 firewall sshd[15911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201  user=root
Oct 10 04:45:09 firewall sshd[15911]: Failed password for root from 167.71.102.201 port 57672 ssh2
...

DATE:2020-10-08 19:03:26, IP:167.71.102.201, PORT:ssh SSH brute force auth (docker-dc)

167.71.102.201 (US/United States/-), 12 distributed sshd attacks on account [root] in the last 3600 secs

Invalid user admin from 167.71.102.201 port 48092

Aug 17 00:23:21 buvik sshd[31830]: Invalid user cjd from 167.71.102.201
Aug 17 00:23:21 buvik sshd[31830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201
Aug 17 00:23:24 buvik sshd[31830]: Failed password for invalid user cjd from 167.71.102.201 port 44530 ssh2
...

400 BAD REQUEST

*Port Scan* detected from 167.71.102.95 (US/United States/New Jersey/Clifton/-). 4 hits in the last 45 seconds

Port scan: Attack repeated for 24 hours

2020-07-26 09:20:53,722 fail2ban.actions        [18606]: NOTICE  [sshd] Ban 167.71.102.201
2020-07-26 09:36:37,578 fail2ban.actions        [18606]: NOTICE  [sshd] Ban 167.71.102.201
2020-07-26 09:52:33,611 fail2ban.actions        [18606]: NOTICE  [sshd] Ban 167.71.102.201
2020-07-26 10:08:43,738 fail2ban.actions        [18606]: NOTICE  [sshd] Ban 167.71.102.201
2020-07-26 10:24:18,413 fail2ban.actions        [18606]: NOTICE  [sshd] Ban 167.71.102.201
...

2020-07-29T15:10:23.187098abusebot-4.cloudsearch.cf sshd[5720]: Invalid user swathi from 167.71.102.201 port 32868
2020-07-29T15:10:23.193326abusebot-4.cloudsearch.cf sshd[5720]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201
2020-07-29T15:10:23.187098abusebot-4.cloudsearch.cf sshd[5720]: Invalid user swathi from 167.71.102.201 port 32868
2020-07-29T15:10:24.813019abusebot-4.cloudsearch.cf sshd[5720]: Failed password for invalid user swathi from 167.71.102.201 port 32868 ssh2
2020-07-29T15:15:01.126022abusebot-4.cloudsearch.cf sshd[5840]: Invalid user ten-analytics from 167.71.102.201 port 47864
2020-07-29T15:15:01.135185abusebot-4.cloudsearch.cf sshd[5840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201
2020-07-29T15:15:01.126022abusebot-4.cloudsearch.cf sshd[5840]: Invalid user ten-analytics from 167.71.102.201 port 47864
2020-07-29T15:15:02.920375abusebot-4.cloudsearch.cf 
...

Jul 29 11:10:30 plex-server sshd[1630065]: Invalid user zf from 167.71.102.201 port 47258
Jul 29 11:10:30 plex-server sshd[1630065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201 
Jul 29 11:10:30 plex-server sshd[1630065]: Invalid user zf from 167.71.102.201 port 47258
Jul 29 11:10:33 plex-server sshd[1630065]: Failed password for invalid user zf from 167.71.102.201 port 47258 ssh2
Jul 29 11:13:44 plex-server sshd[1632246]: Invalid user rizon from 167.71.102.201 port 49842
...

SSH Brute Force

Invalid user cedric from 167.71.102.201 port 51432

2020-07-22T06:22:26.572806vps1033 sshd[13433]: Invalid user takashi from 167.71.102.201 port 58498
2020-07-22T06:22:26.578320vps1033 sshd[13433]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.71.102.201
2020-07-22T06:22:26.572806vps1033 sshd[13433]: Invalid user takashi from 167.71.102.201 port 58498
2020-07-22T06:22:28.657134vps1033 sshd[13433]: Failed password for invalid user takashi from 167.71.102.201 port 58498 ssh2
2020-07-22T06:24:35.022419vps1033 sshd[17982]: Invalid user mohan from 167.71.102.201 port 35306
...

Feb  6 19:52:50 debian-2gb-nbg1-2 kernel: \[3274414.847776\] \[UFW BLOCK\] IN=eth0 OUT= MAC=96:00:00:0e:18:f4:d2:74:7f:6e:37:e3:08:00 SRC=94.102.49.112 DST=195.201.40.59 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=5203 PROTO=TCP SPT=42554 DPT=30412 WINDOW=1024 RES=0x00 SYN URGP=0

$f2bV_matches

Brute force blocker - service: proftpd1 - aantal: 48 - Fri Jan 25 06:40:08 2019

$f2bV_matches

Attempt to attack host OS, exploiting network vulnerabilities, on 06-02-2020 13:40:16.

Feb  6 19:39:41 ip-172-31-62-245 sshd\[2802\]: Failed password for root from 222.186.190.17 port 21874 ssh2\
Feb  6 19:43:13 ip-172-31-62-245 sshd\[2819\]: Failed password for root from 222.186.190.17 port 24967 ssh2\
Feb  6 19:44:56 ip-172-31-62-245 sshd\[2825\]: Failed password for root from 222.186.190.17 port 53097 ssh2\
Feb  6 19:46:06 ip-172-31-62-245 sshd\[2835\]: Failed password for root from 222.186.190.17 port 19234 ssh2\
Feb  6 19:47:17 ip-172-31-62-245 sshd\[2839\]: Failed password for root from 222.186.190.17 port 36240 ssh2\

2020-02-06T19:57:41.432108abusebot-5.cloudsearch.cf sshd[4874]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.169.192  user=root
2020-02-06T19:57:43.085470abusebot-5.cloudsearch.cf sshd[4874]: Failed password for root from 222.186.169.192 port 4084 ssh2
2020-02-06T19:57:46.090134abusebot-5.cloudsearch.cf sshd[4874]: Failed password for root from 222.186.169.192 port 4084 ssh2
2020-02-06T19:57:41.432108abusebot-5.cloudsearch.cf sshd[4874]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.169.192  user=root
2020-02-06T19:57:43.085470abusebot-5.cloudsearch.cf sshd[4874]: Failed password for root from 222.186.169.192 port 4084 ssh2
2020-02-06T19:57:46.090134abusebot-5.cloudsearch.cf sshd[4874]: Failed password for root from 222.186.169.192 port 4084 ssh2
2020-02-06T19:57:41.432108abusebot-5.cloudsearch.cf sshd[4874]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh rus
...

MultiHost/MultiPort Probe, Scan, Hack -

2020-02-06T13:42:00.0186151495-001 sshd[57113]: Invalid user uhw from 148.70.113.96 port 53794
2020-02-06T13:42:00.0254771495-001 sshd[57113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=148.70.113.96
2020-02-06T13:42:00.0186151495-001 sshd[57113]: Invalid user uhw from 148.70.113.96 port 53794
2020-02-06T13:42:02.2813101495-001 sshd[57113]: Failed password for invalid user uhw from 148.70.113.96 port 53794 ssh2
2020-02-06T13:44:49.1296631495-001 sshd[57207]: Invalid user lpe from 148.70.113.96 port 44942
2020-02-06T13:44:49.1374951495-001 sshd[57207]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=148.70.113.96
2020-02-06T13:44:49.1296631495-001 sshd[57207]: Invalid user lpe from 148.70.113.96 port 44942
2020-02-06T13:44:51.5943561495-001 sshd[57207]: Failed password for invalid user lpe from 148.70.113.96 port 44942 ssh2
2020-02-06T13:47:23.3752421495-001 sshd[57386]: Invalid user sro from 148.70.113
...

frenzy

" "

$f2bV_matches

2020-02-06T12:57:44.272290-07:00 suse-nuc sshd[24853]: Invalid user kp from 182.61.176.220 port 33590
...

Fail2Ban Ban Triggered

Automatic report - SSH Brute-Force Attack