
03-18-2012, 11:46 AM | Newbie | Join Date: Jul 2009 | Posts: 11
New Server Black List Check
I set up a new server with KnownHost last night. This morning I received an email indicating 5 failed login attempts via SMTP from China. This has me a bit worried since the server was only set up last night and already it looks like someone is trying to hack it. Is this something I should be concerned about?
Second issue... I ran a blacklist check on the IP address they gave me at blacklistalert.org and everything came back ok except it said the IP is listed in this database: apews.org database.
Is this also something I should be concerned about? I'm not sure what that means or why it is listed there.
Thanks

03-18-2012, 11:50 AM | Newbie | Join Date: Jul 2009 | Posts: 11
ooops 204.197.244.123 is currently listed in APEWS :-(
Entry matching your Query: E-392916
204.197.128.0/17
CASE: C-131
Unallocated CIDR, no traffic until allocated,
or allocated to bad reputation provider
or allocated but dynamic / generically named IPs,
or bogons, see cidr-report.org,
or orphaned IP / CIDR in routing table
Special Reason:
Bogons, see cidr-report.org
History:
Entry created 2010-03-07

03-18-2012, 12:19 PM | Newbie | Join Date: Mar 2012 | Posts: 7
Hello,
That means that your IP might be blacklisted and you might have problems sending emails (bounce-backs due to blacklisting). You can always request a delist of the IP.
As for SMTP failed logins, that's pretty much normal, just people brute-forcing.

03-18-2012, 12:21 PM | Newbie | Join Date: Jul 2009 | Posts: 11
Quote:
Originally Posted by tempsalehosting
Hello,
That means that your IP might be blacklisted and you might have problems sending emails (bounce-backs due to blacklisting). You can always request a delist of the IP.
As for SMTP failed logins, that's pretty much normal, just people brute-forcing.
Thanks. I'm seeing some other places online that say don't worry about the blacklisting unless you are having trouble sending emails.
I feel like I shouldn't have to go through the hassle of trying to get this blacklist removed... I just bought the server last night. I haven't even used it and they gave me a blacklisted IP address.

03-18-2012, 12:22 PM | Newbie | Join Date: Mar 2012 | Posts: 7
Hello,
The blacklist might be from previous uses. The IP removal usually takes seconds.

03-18-2012, 12:24 PM | You broke the internet!! | Join Date: Oct 2005 | Location: USA | Posts: 889
This kind of stuff is very normal; here are some logs off one VPS I had for just a few days..
Code:
58.100.230.30 # lfd: (sshd) Failed SSH login from 58.100.230.30 (CN/China/-): 10 in the last 300 secs - Fri Mar 16 23:07:38 2012
202.96.199.150 # lfd: (sshd) Failed SSH login from 202.96.199.150 (CN/China/-): 10 in the last 300 secs - Sat Mar 17 03:04:59 2012
218.26.171.20 # lfd: (sshd) Failed SSH login from 218.26.171.20 (CN/China/20.171.26.218.internet.sx.cn): 10 in the last 300 secs - Sat Mar 17 07:37:36 2012
218.108.85.250 # lfd: (sshd) Failed SSH login from 218.108.85.250 (CN/China/-): 10 in the last 300 secs - Sat Mar 17 08:54:05 2012
61.38.186.131 # lfd: (sshd) Failed SSH login from 61.38.186.131 (KR/Korea, Republic of/-): 10 in the last 300 secs - Sat Mar 17 10:03:56 2012
64.79.81.66 # lfd: (sshd) Failed SSH login from 64.79.81.66 (US/United States/42.51.4f.static.xlhost.com): 10 in the last 300 secs - Sat Mar 17 19:09:51 2012
182.236.164.11 # lfd: (sshd) Failed SSH login from 182.236.164.11 (CN/China/-): 10 in the last 300 secs - Sun Mar 18 01:26:07 2012
61.167.199.239 # lfd: (sshd) Failed SSH login from 61.167.199.239 (CN/China/-): 10 in the last 300 secs - Sun Mar 18 02:28:49 2012
80.91.181.43 # lfd: (sshd) Failed SSH login from 80.91.181.43 (UA/Ukraine/-): 10 in the last 300 secs - Sun Mar 18 03:50:46 2012
188.138.86.80 # lfd: (sshd) Failed SSH login from 188.138.86.80 (DE/Germany/loft7189.serverloft.eu): 10 in the last 300 secs - Sun Mar 18 10:52:15 2012
__________________
The web hosting market will never die. Virtual environments are forever the future and easily adapt to change. Welcome to the world wide web!
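The lfd lines in the post above are machine-readable, and a quick summary (which countries, which sources keep coming back, how many failed logins in total) is what a defender actually wants from them. The following parser is an added example for this thread, not code from the post or from lfd/CSF; the log lines it runs on are constructed with RFC 5737 documentation addresses in the same format as the ones shown above, and the field names it assigns (`ip`, `country`, `host`, `count`, `window`, `when`) are this example's own choice.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the lfd "Failed SSH login" block-notice format shown in
# the thread; addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LFD_LINES = """\
192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10 (CN/China/-): 10 in the last 300 secs - Fri Mar 16 23:07:38 2012
198.51.100.7 # lfd: (sshd) Failed SSH login from 198.51.100.7 (KR/Korea, Republic of/-): 10 in the last 300 secs - Sat Mar 17 10:03:56 2012
203.0.113.42 # lfd: (sshd) Failed SSH login from 203.0.113.42 (DE/Germany/host.example.net): 10 in the last 300 secs - Sat Mar 17 19:09:51 2012
192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10 (CN/China/-): 10 in the last 300 secs - Sun Mar 18 01:26:07 2012
203.0.113.9 # lfd: (sshd) Failed SSH login from 203.0.113.9 (CN/China/-): 10 in the last 300 secs - Sun Mar 18 02:28:49 2012
this line is not an lfd block record and is skipped by the parser
"""

# One regex for the whole notice: "<ip> # lfd: (<service>) Failed <proto> login from
# <ip> (<cc>/<country>/<host>): <count> in the last <window> secs - <timestamp>".
# The country field may contain commas ("Korea, Republic of") but never a slash.
LFD_BLOCK_RE = re.compile(
    r"^(?P<ip>[\d.]+) # lfd: \((?P<service>\w+)\) Failed (?P<proto>\S+) login from "
    r"(?P=ip) \((?P<cc>[^/]*)/(?P<country>[^/]*)/(?P<host>[^)]*)\): "
    r"(?P<count>\d+) in the last (?P<window>\d+) secs - (?P<when>.+)$"
)


def parse_lfd_line(line):
    """Parse one lfd block notice; return a dict, or None for lines in another format."""
    m = LFD_BLOCK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "service": d["service"],
        "proto": d["proto"],
        "country": d["country"],
        "host": None if d["host"] == "-" else d["host"],  # "-" means no reverse DNS
        "count": int(d["count"]),
        "window": int(d["window"]),
        "when": datetime.strptime(d["when"], "%a %b %d %H:%M:%S %Y"),
    }


def summarize(lines):
    """Aggregate parsed notices: totals, per-country counts and sources blocked more than once."""
    events = [e for e in (parse_lfd_line(l) for l in lines) if e]
    by_ip = Counter(e["ip"] for e in events)
    return {
        "events": len(events),
        "failed_logins": sum(e["count"] for e in events),
        "by_country": Counter(e["country"] for e in events),
        # A source that trips the threshold again after a temporary block is worth
        # a permanent deny rule; these are the candidates.
        "repeat_sources": sorted(ip for ip, n in by_ip.items() if n > 1),
        "first": min((e["when"] for e in events), default=None),
        "last": max((e["when"] for e in events), default=None),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LFD_LINES.splitlines())
    print(f"{report['events']} blocks, {report['failed_logins']} failed logins "
          f"between {report['first']} and {report['last']}")
    for country, n in report["by_country"].most_common():
        print(f"  {country}: {n}")
    print("seen more than once:", report["repeat_sources"])
```

On a real box the input would be the lfd alert mails or `/var/log/lfd.log` rather than the embedded string; the point of the summary is that a handful of 10-failures-per-300-seconds blocks per day from unrelated networks is the background noise the later replies describe, while the `repeat_sources` list is the part that merits a look.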

03-18-2012, 12:26 PM | Newbie | Join Date: Mar 2012 | Posts: 7
That's SSH bruteforcing, not SMTP :p

03-18-2012, 12:26 PM | Newbie | Join Date: Jul 2009 | Posts: 11
Ok... and I sent an email to KnownHost about the login attempts and this is what they told me:
Hello Bryan,
Please open a ticket with our support team and they will assist you with this. Please note that abuse department is not intended for technical support and not monitored 24/7. I'm going to close this abuse ticket now.
Thanks,
Helen
KnownHost abuse
They can't just transfer the ticket to another department; I have to write everything all over again. This is not starting out as a good experience. Maybe I should just stick with HostGator.

03-18-2012, 12:26 PM | You broke the internet!! | Join Date: Oct 2005 | Location: USA | Posts: 889
Quote:
Originally Posted by tempsalehosting
That's SSH bruteforcing, not SMTP :p
Clearly.
__________________
The web hosting market will never die. Virtual environments are forever the future and easily adapt to change. Welcome to the world wide web!

03-18-2012, 12:29 PM | Newbie | Join Date: Mar 2012 | Posts: 7
BryanB55 - That has nothing to do with Knownhost (unless you are fully managed), just enable/install some firewalling or bruteforcing software.

03-18-2012, 12:31 PM | Premium Member | Join Date: Jan 2011 | Location: Varna, Bulgaria | Posts: 1,173
Don't worry about the apews database listing - nobody in their right mind would use apews anyway.

03-18-2012, 12:33 PM | Web Hosting Master | Join Date: Nov 2009 | Location: Colombia | Posts: 2,119
You are fine, lfd is working fine, that's why you get the brute-force-attack blocking e-mails.
You are good; as long as you are not on spamcop or barracuda or something "important" there is no need to worry.
__________________
█ Diego Rodríguez - diego@deroba.org
█ Professional Services since 2009

03-18-2012, 12:35 PM | Newbie | Join Date: Mar 2012 | Posts: 7
Use mxtoolbox.com to check the most important blacklisting RBLs.

03-18-2012, 03:14 PM | Junior Guru | Join Date: Mar 2006 | Posts: 210
BryanB55,
Quote:
This has me a bit worried since the server was only set up last night and already it looks like someone is trying to hack it.
This is something that is pretty much "normal" these days for any system that is exposed to the public internet - there are thousands of bots that scan whole IP ranges and attempt to brute force everything that has active services on public IPs. It doesn't matter where you go or what kind of service you have, you'll be brute-forced no matter what. This is the reason why there are various tools that were designed to detect and block brute force attacks.
Quote:
Is this something I should be concerned about?
No, not really, as this is part of the game. It is about the same as being concerned about exposure to sunlight if you'd like to walk outside on a sunny day.
Quote:
Second issue... I ran a blacklist check on the IP address they gave me at blacklistalert.org and everything came back ok except it said the IP is listed in this database: apews.org database.
APEWS is a dead project that has not been maintained for quite some time, and I would be surprised if anyone is still using them to block anything (including email) based on their listings.
This:
Quote:
Entry matching your Query: E-392916
204.197.128.0/17
CASE: C-131
Unallocated CIDR, no traffic until allocated,
is a good confirmation of my words above. The 204.197.128.0/17 block _is_ allocated (or you wouldn't be able to have a publicly routed IP from this block), and the only reason you're seeing this entry there is because the project is dead and their records are not maintained.
Quote:
They can't just transfer the ticket to another department, I have to write everything all over again.
My apologies for the possible inconvenience, but tickets from the Abuse department indeed cannot be moved to any other queue. And, unfortunately, your questions cannot be handled by the non-technical people who handle incoming abuse reports. You don't have to write everything again; you can just reference your previous ticket # while opening a new ticket with the correct department.
When it comes to WHT I'm always quite surprised how some people jump to conclusions without knowing the real facts behind something, or without even reading the information that was already provided...
Quote:
That means that your IP might be blacklisted and you might have problems sending emails (bounce-backs due to blacklisting). You can always request a delist of the IP.
As per the second post in this very thread, this is not about the IP being blacklisted, this is about the whole /17 block being listed as "unallocated". I was wondering if you ever tried to "request a delist of the IP" from the "unallocated" block listing with APEWS?
Quote:
The blacklist might be from previous uses. The IP removal usually takes seconds.
What previous issues? The only "issue" here is that at some point in the past this IP block was not allocated to anyone, like every single IP/IP block in the IPv4 address space.
Quote:
BryanB55 - That has nothing to do with Knownhost (unless you are fully managed), just enable/install some firewalling or bruteforcing software.
BryanB55 signed up for a fully managed service; however, it doesn't really matter if the service is managed or not - this is not what triggers or stops brute force attempts. Brute force detection was already enabled on the customer's system upon provisioning, and this is exactly why BryanB55 was notified about an incoming brute force attempt which was automatically blocked.
Regards,
Paul
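Two checks from the replies above are worth seeing as code: the DNSBL lookup that mxtoolbox-style sites run against lists such as spamcop and barracuda (reverse the IPv4 octets, append the list's zone, and treat an answer inside 127.0.0.0/8 as "listed"), and the observation that the APEWS entry is a /17 prefix rather than this one host. This is an added example for the thread, not code from any poster or from any blacklist operator; the zone names are assumptions about which public lists a practitioner would query, the default resolver is a plain `socket.gethostbyname` call, and the offline `fake_resolver` and the address 192.0.2.10 are constructed so the script runs without network access.

```python
import ipaddress
import socket

# Assumed DNSBL zones; the thread names spamcop and barracuda as lists that matter.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")

# Answers for a listed host live in 127.0.0.0/8 (RFC 5782 convention); anything else is noise.
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the query name for an IPv4 DNSBL lookup: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def default_resolver(name):
    """Resolve with the system resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip, zones=DNSBL_ZONES, resolver=default_resolver):
    """Return {zone: answer} for every zone that lists the IP."""
    listed = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            listed[zone] = answer
    return listed


def listing_is_block_wide(ip, listed_cidr):
    """True when the listed entry is a prefix covering the IP rather than the host itself.

    A prefix-wide entry (like the /17 in the APEWS record) says nothing about this
    server's own behaviour, so a per-IP delisting request does not apply to it.
    """
    net = ipaddress.IPv4Network(listed_cidr, strict=False)
    return ipaddress.IPv4Address(ip) in net and net.prefixlen < 32


# Constructed stand-in for DNS so the example is runnable offline: only spamcop
# "lists" the sample address, with the generic 127.0.0.2 answer.
FAKE_DNS = {"10.2.0.192.bl.spamcop.net": "127.0.0.2"}


def fake_resolver(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print("offline demo:", check_dnsbls("192.0.2.10", resolver=fake_resolver))
    # The APEWS record quoted in the thread: a /17 entry that happens to contain the host.
    print("block-wide listing:", listing_is_block_wide("204.197.244.123", "204.197.128.0/17"))
    # Replace fake_resolver with default_resolver (the default) to query the real lists.
```

Swapping `fake_resolver` for the default runs the same logic against the live lists; the structure with an injectable resolver is deliberate so the interpretation of answers can be unit-tested without a network. Note that different lists encode the listing reason in the last octet of the answer, so a real integration would map those values per zone rather than only testing membership in 127.0.0.0/8.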

03-18-2012, 03:25 PM | Newbie | Join Date: Jul 2009 | Posts: 11
Quote:
Originally Posted by KnownHost-P
BryanB55,
This is something that is pretty much "normal" these days for any system that is exposed to the public internet - there are thousands of bots that scan whole IP ranges and attempt to brute force everything that has active services on public IPs. It doesn't matter where you go or what kind of service you have, you'll be brute-forced no matter what. This is the reason why there are various tools that were designed to detect and block brute force attacks.
No, not really, as this is part of the game. It is about the same as being concerned about exposure to sunlight if you'd like to walk outside on a sunny day.
APEWS is a dead project that has not been maintained for quite some time, and I would be surprised if anyone is still using them to block anything (including email) based on their listings.
This:
is a good confirmation of my words above. The 204.197.128.0/17 block _is_ allocated (or you wouldn't be able to have a publicly routed IP from this block), and the only reason you're seeing this entry there is because the project is dead and their records are not maintained.
My apologies for the possible inconvenience, but tickets from the Abuse department indeed cannot be moved to any other queue. And, unfortunately, your questions cannot be handled by the non-technical people who handle incoming abuse reports. You don't have to write everything again; you can just reference your previous ticket # while opening a new ticket with the correct department.
When it comes to WHT I'm always quite surprised how some people jump to conclusions without knowing the real facts behind something, or without even reading the information that was already provided...
As per the second post in this very thread, this is not about the IP being blacklisted, this is about the whole /17 block being listed as "unallocated". I was wondering if you ever tried to "request a delist of the IP" from the "unallocated" block listing with APEWS?
What previous issues? The only "issue" here is that at some point in the past this IP block was not allocated to anyone, like every single IP/IP block in the IPv4 address space.
BryanB55 signed up for a fully managed service; however, it doesn't really matter if the service is managed or not - this is not what triggers or stops brute force attempts. Brute force detection was already enabled on the customer's system upon provisioning, and this is exactly why BryanB55 was notified about an incoming brute force attempt which was automatically blocked.
Regards,
Paul
Thanks Paul. I realized that a few of the responses on here were not accurate after doing some more research... I'll keep moving along with my new setup.