xmlrpc attack

$f2bV_matches

Received: from mail.quotesproducts.com (144.172.84.62) From: "Liberty Mutual Auto" 

Honeypot attack, port: 445, PTR: PTR record not found

Bruteforce detected by fail2ban

Apr 30 14:28:09 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=37.185.26.226, lip=172.104.140.148, TLS, session=<5YFvMoGkEgwluRri>
Apr 30 14:28:15 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=37.185.26.226, lip=172.104.140.148, TLS, session=<7ZyUMoGkGAwluRri>
Apr 30 14:28:15 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=37.185.26.226, lip=172.104.140.148, TLS, session=<4x+UMoGkFwwluRri>
Apr 30 14:28:26 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=37.185.26.226, lip=172.104.140.148, TLS, session=<8lEzM4GkNgwluRri>
Apr 30 14:28:27 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=37.185.26.226, lip=172.104.140.148, TLS, session=

Honeypot attack, port: 445, PTR: 128-69-101-36.broadband.corbina.ru.

$f2bV_matches | Triggered by Fail2Ban at Vostok web server

Apr 30 14:28:12 plex sshd[13856]: Invalid user ali from 159.65.8.65 port 47564

MultiHost/MultiPort Probe, Scan, Hack -

Apr 30 05:43:32 mockhub sshd[6845]: Failed password for root from 178.128.88.244 port 37214 ssh2
...

[portscan] Port scan

Microsoft Mail Internet Headers Version 2.0
Received: from smtp08.amf-envoi.fr ([222.218.17.199]) by xxx with Microsoft SMTPSVC(6.0.3790.1830);
	 Thu, 30 Apr 2020 14:22:52 +0200
Return-Path: 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	s=neolane;
	d=mail.mutualfirst.com;
	h=domainkey-signature:from:date:subject:to:reply-to:mime-version:x-mailer:message-id:x-250ok-cid:tenantheader:affinity:x-cust_messageid:x-cust_deliveryid:x-cust_instancename:messagemaxretry:messageretryperiod:messagewebvalidityduration:messagevalidityduration:x-cust_imsorgid:content-type;
	bh=Y2nHG3SSivsVKyFi1AdrfHePKyWz2fqvBGFuc2cweq8=;
	b=aVduqy418SlsI4o/vhualJyUhA7Y0A8cWL+XhUectdkQ7LOtB8KwdDGd3b3x1LcdRnGRN4mtrQGJipZNxbACqjxxq4U1ZWw0cOyxIQvtRmTC9LqD9XVxkYpyei7+5LU7ArDh3cb1zC59xTF20IYDAAsKIbYXgX37j24DNz0/Vi0=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
	s=neolane;
	d=mail.mutualfirst.com;
	h=From:Date:Subject:To:Reply-To:MIME-Version:X-mailer:Message-ID:X-250ok-CID:TenantHeader:Af

Apr 30 14:44:56 electroncash sshd[12907]: Invalid user tk from 142.93.53.214 port 44666
Apr 30 14:44:56 electroncash sshd[12907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=142.93.53.214 
Apr 30 14:44:56 electroncash sshd[12907]: Invalid user tk from 142.93.53.214 port 44666
Apr 30 14:44:58 electroncash sshd[12907]: Failed password for invalid user tk from 142.93.53.214 port 44666 ssh2
Apr 30 14:49:21 electroncash sshd[14026]: Invalid user test from 142.93.53.214 port 51814
...

SSH brute-force: detected 8 distinct usernames within a 24-hour window.

Apr 30 15:19:20 ift sshd\[13456\]: Failed password for root from 119.29.180.179 port 52248 ssh2Apr 30 15:23:44 ift sshd\[13910\]: Invalid user cunningham from 119.29.180.179Apr 30 15:23:45 ift sshd\[13910\]: Failed password for invalid user cunningham from 119.29.180.179 port 42204 ssh2Apr 30 15:28:08 ift sshd\[14814\]: Invalid user gq from 119.29.180.179Apr 30 15:28:10 ift sshd\[14814\]: Failed password for invalid user gq from 119.29.180.179 port 60460 ssh2
...