[ThuAug2005:53:49.4899762020][:error][pid10867:tid47414988408576][client2001:1be0:1000:169:800f:5661:aefa:2574:58261][client2001:1be0:1000:169:800f:5661:aefa:2574]ModSecurity:Accessdeniedwithcode403\(phase2\).Patternmatch"\(\?:mo\(\?:rfeusfuckingscanner\|siac1\)\|internet\(\?:-exprorer\|ninja\)\|s\\\\\\\\.t\\\\\\\\.a\\\\\\\\.l\\\\\\\\.k\\\\\\\\.e\\\\\\\\.r\\\\\\\\.\|kenjinspider\|neuralbot/\|obot\|shell_exec\|if\\\\\\\\\(\|r00t\|intelium\|cybeye\|\\\\\\\\bcaptch\|\^apitool\$\)"atREQUEST_HEADERS:User-Agent.[file"/etc/apache2/conf.d/modsec_rules/20_asl_useragents.conf"][line"303"][id"330082"][rev"4"][msg"Atomicorp.comWAFRules:KnownExploitUserAgent"][severity"CRITICAL"][hostname"mg-directory.com"][uri"/"][unique_id"Xz3zzWLkIL@x-h1G8cgjCAAAAMU"][ThuAug2005:53:50.8426512020][:error][pid10930:tid47414980003584][client2001:1be0:1000:169:800f:5661:aefa:2574:58264][client2001:1be0:1000:169:800f:5661:aefa:2574]ModSecurity:Accessdeniedwithcode403\(phase2\).Patternmatch"\(\?:mo\(\?:rfeusfuckingscanne

Apr  5 23:37:22 mout sshd[21562]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.137.85.215  user=pi
Apr  5 23:37:24 mout sshd[21562]: Failed password for pi from 188.137.85.215 port 41518 ssh2
Apr  5 23:37:25 mout sshd[21562]: Connection closed by 188.137.85.215 port 41518 [preauth]

Apr  5 23:05:12 cloud sshd[18349]: Failed password for root from 63.41.9.207 port 33760 ssh2

Apr  6 00:52:18 vmd48417 sshd[15487]: Failed password for root from 82.118.236.186 port 50452 ssh2

bruteforce detected

Apr  6 00:17:05 srv01 sshd[10623]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.76.152.32  user=root
Apr  6 00:17:07 srv01 sshd[10623]: Failed password for root from 180.76.152.32 port 56044 ssh2
Apr  6 00:20:32 srv01 sshd[10938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.76.152.32  user=root
Apr  6 00:20:34 srv01 sshd[10938]: Failed password for root from 180.76.152.32 port 44304 ssh2
Apr  6 00:23:31 srv01 sshd[11081]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.76.152.32  user=root
Apr  6 00:23:33 srv01 sshd[11081]: Failed password for root from 180.76.152.32 port 60796 ssh2
...

$f2bV_matches

SSH authentication failure x 6 reported by Fail2Ban
...

Apr  6 02:24:18 vps sshd[548349]: Failed password for root from 112.85.42.180 port 62918 ssh2
Apr  6 02:24:22 vps sshd[548349]: Failed password for root from 112.85.42.180 port 62918 ssh2
Apr  6 02:24:25 vps sshd[548349]: Failed password for root from 112.85.42.180 port 62918 ssh2
Apr  6 02:24:29 vps sshd[548349]: Failed password for root from 112.85.42.180 port 62918 ssh2
Apr  6 02:24:33 vps sshd[548349]: Failed password for root from 112.85.42.180 port 62918 ssh2
...

Apr  6 00:37:03 ift sshd\[53617\]: Failed password for root from 189.199.252.187 port 46671 ssh2Apr  6 00:37:08 ift sshd\[53619\]: Failed password for root from 189.199.252.187 port 47254 ssh2Apr  6 00:37:10 ift sshd\[53623\]: Invalid user ubuntu from 189.199.252.187Apr  6 00:37:13 ift sshd\[53623\]: Failed password for invalid user ubuntu from 189.199.252.187 port 47871 ssh2Apr  6 00:37:18 ift sshd\[53625\]: Failed password for root from 189.199.252.187 port 48368 ssh2
...

SSH authentication failure x 6 reported by Fail2Ban
...

SSH Brute-Forcing (server2)

Apr  5 23:25:17 vps sshd[21272]: Failed password for root from 117.173.67.119 port 3229 ssh2
Apr  5 23:33:51 vps sshd[21677]: Failed password for root from 117.173.67.119 port 3230 ssh2
...

Apr  5 20:43:01 ws12vmsma01 sshd[49714]: Failed password for root from 51.38.37.89 port 43448 ssh2
Apr  5 20:46:45 ws12vmsma01 sshd[50321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gg-int.org  user=root
Apr  5 20:46:48 ws12vmsma01 sshd[50321]: Failed password for root from 51.38.37.89 port 55032 ssh2
...

(imapd) Failed IMAP login from 212.142.226.93 (ES/Spain/93.212-142-226.static.clientes.euskaltel.es): 1 in the last 3600 secs; Ports: *; Direction: inout; Trigger: LF_TRIGGER; Logs: Apr  6 02:06:46 ir1 dovecot[566034]: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=212.142.226.93, lip=5.63.12.44, TLS: Connection closed, session=

Apr  5 13:27:51 fwservlet sshd[28703]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.197.220.149  user=r.r
Apr  5 13:27:53 fwservlet sshd[28703]: Failed password for r.r from 104.197.220.149 port 41432 ssh2
Apr  5 13:27:53 fwservlet sshd[28703]: Received disconnect from 104.197.220.149 port 41432:11: Bye Bye [preauth]
Apr  5 13:27:53 fwservlet sshd[28703]: Disconnected from 104.197.220.149 port 41432 [preauth]
Apr  5 13:40:35 fwservlet sshd[29077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.197.220.149  user=r.r
Apr  5 13:40:37 fwservlet sshd[29077]: Failed password for r.r from 104.197.220.149 port 60074 ssh2
Apr  5 13:40:37 fwservlet sshd[29077]: Received disconnect from 104.197.220.149 port 60074:11: Bye Bye [preauth]
Apr  5 13:40:37 fwservlet sshd[29077]: Disconnected from 104.197.220.149 port 60074 [preauth]
Apr  5 13:44:07 fwservlet sshd[29183]: pam_unix(sshd:auth): auth........
-------------------------------