Apr 142014
 

I just checked my email, and see this:

Return-Path: < …>
X-Original-To: …
Delivered-To: …
Received: by atomos.longlandclan.yi.org (Postfix, from userid 0)
	id 67204200E27C; Sun, 13 Apr 2014 23:05:55 +1000 (EST)
Subject: [Fail2Ban] SSH: banned 138.91.144.167 from atomos
Date: Sun, 13 Apr 2014 13:05:55 +0000
From: Fail2Ban < …>
To: …
Message-Id: <20140413130556.67204200E27C@atomos.longlandclan.yi.org>

Hi,

The IP 138.91.144.167 has just been banned by Fail2Ban after
5 attempts against SSH.


Here is more information about 138.91.144.167:


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=138.91.144.167?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       138.91.0.0 - 138.91.255.255
CIDR:           138.91.0.0/16
OriginAS:       
NetName:        MICROSOFT
NetHandle:      NET-138-91-0-0-1
Parent:         NET-138-0-0-0-0
NetType:        Direct Assignment
RegDate:        2011-06-22
Updated:        2013-08-20
Ref:            http://whois.arin.net/rest/net/NET-138-91-0-0-1


OrgName:        Microsoft Corp
OrgId:          MSFT-Z
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        2011-06-22
Updated:        2013-10-03
Comment:        To report suspected security issues specific to 
Comment:        traffic emanating from Microsoft online services, 
Comment:        including the distribution of malicious content 
Comment:        or other illicit or illegal material through a 
Comment:        Microsoft online service, please submit reports 
Comment:        to:
Comment:        * https://cert.microsoft.com.  
Comment:        
Comment:        For SPAM and other abuse issues, such as Microsoft 
Comment:        Accounts, please contact:
Comment:        * abuse@microsoft.com.  
Comment:        
Comment:        To report security vulnerabilities in Microsoft 
Comment:        products and services, please contact:
Comment:        * secure@microsoft.com.  
Comment:        
Comment:        For legal and law enforcement-related requests, 
Comment:        please contact:
Comment:        * msndcc@microsoft.com
Comment:        
Comment:        For routing, peering or DNS issues, please 
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            http://whois.arin.net/rest/org/MSFT-Z

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080 
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    http://whois.arin.net/rest/poc/MRPD-ARIN

OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/MAC74-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Regards,

Fail2Ban
atomos ~ # grep 138.91.144.167 /var/log/auth.log ; zgrep 138.91.144.167 /var/log/auth.log-20140*.gz
Apr 13 23:05:40 atomos sshd[3143]: Did not receive identification string from 138.91.144.167
Apr 13 23:05:40 atomos sshd[3144]: SSH: Server;Ltype: Version;Remote: 138.91.144.167-1025;Protocol: 2.0;Client: JSCH-0.1.51
Apr 13 23:05:41 atomos sshd[3144]: SSH: Server;Ltype: Kex;Remote: 138.91.144.167-1025;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
Apr 13 23:05:41 atomos sshd[3144]: SSH: Server;Ltype: Authname;Remote: 138.91.144.167-1025;Name: support [preauth]
Apr 13 23:05:48 atomos sshd[3144]: Invalid user support from 138.91.144.167
Apr 13 23:05:48 atomos sshd[3144]: Postponed keyboard-interactive for invalid user support from 138.91.144.167 port 1025 ssh2 [preauth]
Apr 13 23:05:49 atomos sshd[3203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167 
Apr 13 23:05:51 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
Apr 13 23:05:51 atomos sshd[3144]: Failed keyboard-interactive/pam for invalid user support from 138.91.144.16  port 1025 ssh2
Apr 13 23:05:51 atomos sshd[3144]: Postponed keyboard-interactive for invalid user support from 138.91.144.167 port 1025 ssh2 [preauth]
Apr 13 23:05:51 atomos sshd[3236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.91.144.167 
Apr 13 23:05:54 atomos sshd[3144]: error: PAM: Authentication failure for illegal user support from 138.91.144.167
Apr 13 23:05:54 atomos sshd[3144]: Failed keyboard-interactive/pam for invalid user support from 138.91.144.16  port 1025 ssh2
Apr 13 23:05:54 atomos sshd[3144]: Received disconnect from 138.91.144.167: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]

Seriously, some dodgy ISP in Russia or Asia having a crack, I’ll ignore it. But a big company like you? I expect better behaviour.

  3 Responses to “WTF are you doing, Microsoft?”

  1. Whois only tells part of the story…

    If you grab this wad of XML and sift around, you’ll find..

    … IpRange Subnet=”138.91.144.0/20″ …

    I’m hopeless with doing CIDR math, but I bet your address fits in that space. It’s probably not Microsoft, it’s more likely an Azure customer.

    • Probably… I also observed another IP of theirs snooping around gitweb (which I don’t mind: if I did I wouldn’t have it public).

      Many ISPs provide a reverse DNS that would differentiate between customer and corporate network. The way they’ve got it at the moment it’s hard to tell without digging through XML.