Web Hosting Talk

View Full Version : Brute Force detection email.


JakeImpulse
07-18-2004, 01:51 PM
I just received this email:

The remote system admin was found to have exceeded acceptable login failures on server.impulsehost.net. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.

The following are event logs for exceeded login failures from admin (all time stamps are GMT -0500):
----
- Executed actions:
/etc/apf/apf -d admin

- Log events from /var/log/secure:
Jul 18 12:47:43 server sshd[30977]: Illegal user admin from 212.65.244.2
Jul 18 12:47:43 server sshd[30976]: Illegal user admin from 212.65.244.2
Jul 18 12:47:43 server sshd[30979]: Illegal user admin from 212.65.244.2
Jul 18 12:47:43 server sshd[30978]: Illegal user admin from 212.65.244.2
Jul 18 12:47:43 server sshd[30980]: Illegal user admin from 212.65.244.2
Jul 18 12:47:45 server sshd[30977]: Failed password for illegal user admin from 212.65.244.2 port 48212 ssh2
Jul 18 12:47:46 server sshd[30976]: Failed password for illegal user admin from 212.65.244.2 port 48211 ssh2
Jul 18 12:47:46 server sshd[30979]: Failed password for illegal user admin from 212.65.244.2 port 48215 ssh2
Jul 18 12:47:46 server sshd[30978]: Failed password for illegal user admin from 212.65.244.2 port 48214 ssh2
Jul 18 12:47:46 server sshd[30980]: Failed password for illegal user admin from 212.65.244.2 port 48218 ssh2
Jul 18 12:47:47 server sshd[30989]: Illegal user admin from 212.65.244.2
Jul 18 12:47:47 server sshd[30990]: Illegal user admin from 212.65.244.2
Jul 18 12:47:47 server sshd[30991]: Illegal user admin from 212.65.244.2
Jul 18 12:47:47 server sshd[30988]: Illegal user admin from 212.65.244.2
Jul 18 12:47:47 server sshd[30992]: Illegal user admin from 212.65.244.2
Jul 18 12:47:49 server sshd[30989]: Failed password for illegal user admin from 212.65.244.2 port 48364 ssh2
Jul 18 12:47:49 server sshd[30990]: Failed password for illegal user admin from 212.65.244.2 port 48369 ssh2
Jul 18 12:47:49 server sshd[30991]: Failed password for illegal user admin from 212.65.244.2 port 48368 ssh2
Jul 18 12:47:49 server sshd[30988]: Failed password for illegal user admin from 212.65.244.2 port 48363 ssh2
Jul 18 12:47:49 server sshd[30992]: Failed password for illegal user admin from 212.65.244.2 port 48373 ssh2
----

What further action should I take?

And what does it mean?

sprintserve
07-18-2004, 01:59 PM
The software didn't correctly identify the IP string, it seems. Try running this in a shell:

/etc/apf/apf -d 212.65.244.2

JakeImpulse
07-18-2004, 02:08 PM
This isn't my IP; I'm just wondering, is it a hacker?

sprintserve
07-18-2004, 02:10 PM
From the looks of the logs, yes. It does seem to be so. If nothing else, someone is attempting it, although he hasn't been successful yet.

_AndrewSmith
07-18-2004, 02:15 PM
Firewall off his IP address.
Email his ISP (although this probably won't do much) with date, time, IP, log.
He appears to be coming from Prague, possibly using a 'hacked' server.

Also, make sure your admin password is a strong one :)

Chances are it was just a bot scanning your range and he will never return, but it could be someone targeting you.

It looks to be a fairly 'newbish' attack, but it might be a good idea to increase security.
Maybe, also, scan your server with Root Kit Hunter (http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.1.2.tar.gz) in case this cracker did get in.

JakeImpulse
07-18-2004, 02:37 PM
I have chkrootkit installed.

I found out who it was; it is someone who thinks they are 'a king'.

I think he is using a proxy server. How can I find out his true IP and report him to his ISP? I want to take full action against him.

_AndrewSmith
07-18-2004, 02:38 PM
Email the ISP of the IP address attacking you,
but I'm afraid it won't be likely at all that anything will happen to him. ISPs rarely take any interest unless a minimum of a few thousand dollars' worth of damage is done... sorry :|

kingfred
07-18-2004, 03:32 PM
I got the same guy hacking me:

The following are event logs for exceeded login failures from test (all time stamps are GMT -0700):
----
- Executed actions:
/etc/apf/apf -d test

- Log events from /var/log/secure:
Jul 18 10:55:25 hosting sshd[29973]: Illegal user test from 212.65.244.2
Jul 18 10:55:25 hosting sshd[29974]: Illegal user test from 212.65.244.2
Jul 18 10:55:25 hosting sshd[29977]: Illegal user test from 212.65.244.2
Jul 18 10:55:28 hosting sshd[29973]: Failed password for illegal user test from 212.65.244.2 port 34564 ssh2
Jul 18 10:55:28 hosting sshd[29974]: Failed password for illegal user test from 212.65.244.2 port 34572 ssh2
Jul 18 10:55:28 hosting sshd[29977]: Failed password for illegal user test from 212.65.244.2 port 34575 ssh2
Jul 18 10:55:54 hosting sshd[30021]: Illegal user test from 212.65.244.2
Jul 18 10:55:55 hosting sshd[30023]: Illegal user test from 212.65.244.2
Jul 18 10:55:55 hosting sshd[30024]: Illegal user test from 212.65.244.2
Jul 18 10:55:56 hosting sshd[30021]: Failed password for illegal user test from 212.65.244.2 port 35666 ssh2
Jul 18 10:55:57 hosting sshd[30023]: Failed password for illegal user test from 212.65.244.2 port 35741 ssh2
Jul 18 10:55:57 hosting sshd[30024]: Failed password for illegal user test from 212.65.244.2 port 35745 ssh2

_AndrewSmith
07-18-2004, 03:34 PM
If I were you I would just block '212.65.244.2'.

kingfred
07-18-2004, 03:54 PM
Already added the IP to /etc/hosts.deny,
and the BFD in APF blocked his IP already.
But that won't stop him from trying from another server.

JakeImpulse
07-18-2004, 04:03 PM
Whereabouts do I add him in hosts.deny?

kingfred
07-18-2004, 04:05 PM
Originally posted by JakeImpulse
Whereabouts do I add him in hosts.deny?

Edit your /etc/hosts.deny file
and add the following:

ALL: 212.65.244.2
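
An added example (not code from the thread, BFD or APF) that covers the two points above: sprintserve's observation that the BFD email put the username "admin" into `/etc/apf/apf -d` instead of the source address, and kingfred's hosts.deny entry. It parses sshd lines of the shape quoted in the thread, counts failed logins per source IP (not per username), and emits the ban lines with the IP in the right place; the sample log, the threshold of 5 and the function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the /var/log/secure excerpts quoted in the thread,
# plus two unrelated lines so the filter has something to reject.
SAMPLE_LOG = """\
Jul 18 12:47:43 server sshd[30977]: Illegal user admin from 212.65.244.2
Jul 18 12:47:45 server sshd[30977]: Failed password for illegal user admin from 212.65.244.2 port 48212 ssh2
Jul 18 12:47:46 server sshd[30976]: Failed password for illegal user admin from 212.65.244.2 port 48211 ssh2
Jul 18 12:47:46 server sshd[30979]: Failed password for illegal user admin from 212.65.244.2 port 48215 ssh2
Jul 18 12:47:46 server sshd[30978]: Failed password for illegal user admin from 212.65.244.2 port 48214 ssh2
Jul 18 12:47:46 server sshd[30980]: Failed password for illegal user admin from 212.65.244.2 port 48218 ssh2
Jul 18 12:50:01 server sshd[31002]: Failed password for root from 10.0.0.7 port 51000 ssh2
Jul 18 12:50:30 server sshd[31010]: Accepted password for jake from 10.0.0.7 port 51001 ssh2
"""

# Capture the IPv4 after "from", not the username: the address is what the
# apf -d / hosts.deny line must carry (the thread's email carried "admin").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failures_by_ip(log_text):
    """Return {ip: Counter(user -> failed attempts)} for sshd password failures."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m.group("ip")][m.group("user")] += 1
    return stats

def offenders(log_text, threshold=5):
    """Source IPs whose total failed logins reach the threshold (BFD-style trigger)."""
    return sorted(ip for ip, users in failures_by_ip(log_text).items()
                  if sum(users.values()) >= threshold)

def ban_actions(ip):
    """The two blocks discussed in the thread, with the IP (not a username) as argument."""
    return {"apf": f"/etc/apf/apf -d {ip}", "hosts_deny": f"ALL: {ip}"}

if __name__ == "__main__":
    stats = failures_by_ip(SAMPLE_LOG)
    for ip in offenders(SAMPLE_LOG):
        print(ip, dict(stats[ip]), ban_actions(ip))
```

The usernames in the Counter (accounts that do not exist, like "admin" and "test") are the same signal the posters used to judge this as range scanning rather than a targeted attack.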

JakeImpulse
07-18-2004, 04:11 PM
OK, I have added him. What is your server IP? Maybe he was just going through random IPs.

eth00
07-18-2004, 04:16 PM
I had something like that happen last night. Some guy was scanning a huge range of IPs and was caught by two of my servers that are very far apart in terms of IPs. Probably never see the IP again, but might as well block it.

kingfred
07-18-2004, 04:23 PM
Originally posted by JakeImpulse
OK, I have added him. What is your server IP? Maybe he was just going through random IPs.

My IP is like yours, 67.18.xx.xx which is at The Planet.
So, he was going through the IP range.

Vex
07-18-2004, 04:55 PM
I have the exact same person doing it to me. I just got my server and haven't told anyone but a couple of people about it. Curious...

IP: 67.18.***.*** from ServerMatrix (ThePlanet)

_AndrewSmith
07-18-2004, 04:57 PM
Google says that the IP address is the server of this company:
http://www.weby.cz/
Someone fancy sending them an email?

kingfred
07-18-2004, 05:01 PM
I can see them laughing when we send them the e-mail. It would be easier for them to delete the e-mail than to reply.

_AndrewSmith
07-18-2004, 05:02 PM
It's possible though that it's a hacked server;
if so they may be interested and grateful to find out that one of their servers has been hacked.
I would email them but am in no position to, as I haven't actually had any attacks from the IP :)

JakeImpulse
07-18-2004, 05:03 PM
Yep, 4 of my servers are in The Planet, but I don't have email access to some of them; I'll check the logs on them.

pizzaboy_au
07-18-2004, 09:55 PM
Yeah, one of my servers is in that range. I got those emails this morning from the same IP address. It is definitely a hacked box. There is no use in sending emails to the people who own the hacked box because they will probably do nothing about it.

The attempts were unsuccessful. All but one username scanned actually existed on the server.

mainarea
07-19-2004, 09:10 AM
My server, 67.18.145.58, was also tried by this guy... just blocked him using IPtables.

- Matt