$f2bV_matches

Aug  3 06:48:41 dev0-dcde-rnet sshd[18924]: Failed password for root from 104.223.197.148 port 35252 ssh2
Aug  3 06:54:49 dev0-dcde-rnet sshd[19016]: Failed password for root from 104.223.197.148 port 47838 ssh2

(sshd) Failed SSH login from 104.223.197.148 (US/United States/-): 5 in the last 3600 secs

Oct  5 18:44:12 vps647732 sshd[25478]: Failed password for root from 104.223.197.227 port 50576 ssh2
...

Oct  5 05:10:40 ns382633 sshd\[26631\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227  user=root
Oct  5 05:10:42 ns382633 sshd\[26631\]: Failed password for root from 104.223.197.227 port 38294 ssh2
Oct  5 05:18:59 ns382633 sshd\[27629\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227  user=root
Oct  5 05:19:02 ns382633 sshd\[27629\]: Failed password for root from 104.223.197.227 port 58364 ssh2
Oct  5 05:23:31 ns382633 sshd\[28179\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227  user=root

B: Abusive ssh attack

Invalid user support from 104.223.197.227 port 44980

Sep 11 23:39:01 sshgateway sshd\[2750\]: Invalid user yuly from 104.223.197.227
Sep 11 23:39:01 sshgateway sshd\[2750\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227
Sep 11 23:39:03 sshgateway sshd\[2750\]: Failed password for invalid user yuly from 104.223.197.227 port 51856 ssh2

Aug 31 09:35:00 marvibiene sshd[14730]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227 
Aug 31 09:35:02 marvibiene sshd[14730]: Failed password for invalid user test from 104.223.197.227 port 53838 ssh2

Aug 30 23:47:42 cho sshd[1953353]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227 
Aug 30 23:47:42 cho sshd[1953353]: Invalid user pptpd from 104.223.197.227 port 56596
Aug 30 23:47:44 cho sshd[1953353]: Failed password for invalid user pptpd from 104.223.197.227 port 56596 ssh2
Aug 30 23:52:36 cho sshd[1953585]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227  user=root
Aug 30 23:52:39 cho sshd[1953585]: Failed password for root from 104.223.197.227 port 36234 ssh2
...

Aug 18 02:26:10 itv-usvr-02 sshd[22811]: Invalid user ubuntu from 104.223.197.227 port 48482
Aug 18 02:26:10 itv-usvr-02 sshd[22811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.227
Aug 18 02:26:10 itv-usvr-02 sshd[22811]: Invalid user ubuntu from 104.223.197.227 port 48482
Aug 18 02:26:12 itv-usvr-02 sshd[22811]: Failed password for invalid user ubuntu from 104.223.197.227 port 48482 ssh2
Aug 18 02:35:45 itv-usvr-02 sshd[23145]: Invalid user git from 104.223.197.227 port 45404

Fail2Ban

SSH BruteForce Attack

Aug  9 01:38:42 Ubuntu-1404-trusty-64-minimal sshd\[7312\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.3  user=root
Aug  9 01:38:44 Ubuntu-1404-trusty-64-minimal sshd\[7312\]: Failed password for root from 104.223.197.3 port 48632 ssh2
Aug  9 02:00:19 Ubuntu-1404-trusty-64-minimal sshd\[18878\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.3  user=root
Aug  9 02:00:21 Ubuntu-1404-trusty-64-minimal sshd\[18878\]: Failed password for root from 104.223.197.3 port 43054 ssh2
Aug  9 02:04:07 Ubuntu-1404-trusty-64-minimal sshd\[21658\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.223.197.3  user=root

SSH Brute Force

Invalid user zhangshengwei from 104.223.197.240 port 42238

SSH Invalid Login

Jul 30 17:18:49 firewall sshd[22720]: Invalid user filesync from 104.223.197.240
Jul 30 17:18:51 firewall sshd[22720]: Failed password for invalid user filesync from 104.223.197.240 port 40214 ssh2
Jul 30 17:22:51 firewall sshd[22768]: Invalid user magneti from 104.223.197.240
...

The IP has triggered Cloudflare WAF. CF-Ray: 541256fb4bd6eb08 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: US | CF_IPClass: noRecord | Protocol: HTTP/2 | Method: GET | Host: api.skk.moe | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1 | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 5414811ce9aa6bd2 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: d.skk.moe | User-Agent: Mozilla/5.0184010163 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 | CF_DC: SJC. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 5411ae6ebd719292 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: ip.skk.moe | User-Agent: Mozilla/5.082584686 Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 | CF_DC: SJC. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 5412f4529cb2eb71 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: blog.skk.moe | User-Agent: Mozilla/5.077692140 Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 540f925f5d93ed63 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: ip.skk.moe | User-Agent: Mozilla/5.0184010163 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 | CF_DC: SJC. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 541033b66b8f9971 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: d.skk.moe | User-Agent: Mozilla/5.096783921 Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

$f2bV_matches

The IP has triggered Cloudflare WAF. CF-Ray: 5411d0b99f56e50e | WAF_Rule_ID: 1112825 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: disqus.skk.moe | User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Mobile Safari/537.36 | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 5412ada8dd0ae7a4 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: blog.skk.moe | User-Agent: Mozilla/5.077692140 Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

2019-12-07 18:07:59 H=(vps-101390.domain) [185.81.157.17] F= rejected RCPT : relay not permitted
2019-12-07 18:08:02 dovecot_login authenticator failed for (vps-101390.domain) [185.81.157.17]: 535 Incorrect authentication data (set_id=info)
2019-12-07 18:08:09 dovecot_login authenticator failed for (vps-101390.domain) [185.81.157.17]: 535 Incorrect authentication data (set_id=postmaster)
...

The IP has triggered Cloudflare WAF. CF-Ray: 54167215c940eb91 | WAF_Rule_ID: 1112825 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: img.skk.moe | User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Mobile Safari/537.36 | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

Dec  6 06:05:43 garuda postfix/smtpd[51473]: warning: hostname net6-ip23.linkbg.com does not resolve to address 87.246.7.23: Name or service not known
Dec  6 06:05:43 garuda postfix/smtpd[51473]: warning: hostname net6-ip23.linkbg.com does not resolve to address 87.246.7.23: Name or service not known
Dec  6 06:05:43 garuda postfix/smtpd[51473]: connect from unknown[87.246.7.23]
Dec  6 06:05:43 garuda postfix/smtpd[51473]: connect from unknown[87.246.7.23]
Dec  6 06:05:43 garuda postfix/smtpd[51473]: warning: unknown[87.246.7.23]: SASL LOGIN authentication failed: generic failure
Dec  6 06:05:43 garuda postfix/smtpd[51473]: warning: unknown[87.246.7.23]: SASL LOGIN authentication failed: generic failure
Dec  6 06:05:43 garuda postfix/smtpd[51473]: lost connection after AUTH from unknown[87.246.7.23]
Dec  6 06:05:43 garuda postfix/smtpd[51473]: lost connection after AUTH from unknown[87.246.7.23]
Dec  6 06:05:43 garuda postfix/smtpd[51473]: disconnect from unknown[87.246.........
-------------------------------

The IP has triggered Cloudflare WAF. CF-Ray: 5411916c7e369358 | WAF_Rule_ID: 1112825 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: theme-suka.skk.moe | User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Mobile Safari/537.36 | CF_DC: SJC. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 5415d08bdd2deb08 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: CN | CF_IPClass: noRecord | Protocol: HTTP/1.1 | Method: GET | Host: blog.skk.moe | User-Agent: Mozilla/5.084743666 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 | CF_DC: LAX. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).

The IP has triggered Cloudflare WAF. CF-Ray: 54113efc4b48dd02 | WAF_Rule_ID: 3b40188685924a32bf11d40edea05a27 | WAF_Kind: firewall | CF_Action: challenge | Country: HK | CF_IPClass: noRecord | Protocol: HTTP/2 | Method: GET | Host: api.skk.moe | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15 | CF_DC: SIN. Report generated by Cloudflare-WAF-to-AbuseIPDB (https://github.com/SukkaW/Cloudflare-WAF-to-AbuseIPDB).