An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or on your network has been detected. Attached are the attacking host and the time/date of the activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions, please reply to this email.
Host of attacker:
Attacked hosts in our Network: 178.250.12.90, 37.228.154.22, 77.75.253.130, 37.228.158.104, 37.228.155.68, 178.250.14.174, 37.228.155.106, 37.228.156.4, 85.158.183.88, 185.39.221.220, 178.250.10.64, 77.75.253.15, 77.75.251.129, 77.75.249.89, 178.250.10.178, 37.228.158.94, 37.228.158.22, 185.39.221.127, 37.228.156.146, 77.75.250.150, 185.39.220.25, 85.158.183.180, 77.75.250.9, 85.158.183.145, 185.39.221.176, 37.228.159.239, 85.158.183.159, 77.75.249.136, 185.39.221.178, 194.34.225.51, 85.158.181.190, 178.250.14.192, 185.39.221.118, 77.75.251.49, 77.75.249.168, 37.228.154.126, 37.228.156.103, 178.250.15.202, 77.75.251.112, 178.250.14.80, 85.158.182.45, 185.39.220.67, 37.228.156.205, 37.228.155.191, 85.158.176.53, 178.250.9.61, 77.75.252.80
Logfile entries (time is CE(S)T):
Tue Nov 29 18:10:22 2022: user: ubuntu service: ssh target: 37.228.156.205 source: myip
Tue Nov 29 18:09:37 2022: user: ubuntu service: ssh target: 85.158.183.145 source: myip
Tue Nov 29 17:57:41 2022: user: oracle service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:57:10 2022: user: oracle service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:55:41 2022: user: developer service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:55:10 2022: user: developer service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:53:31 2022: user: admin service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:53:10 2022: user: admin service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:51:41 2022: user: ubuntu2 service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:51:10 2022: user: ubuntu2 service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:49:41 2022: user: git service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:49:10 2022: user: git service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:47:41 2022: user: jenkins service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:47:10 2022: user: jenkins service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:45:41 2022: user: clouduser service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:45:10 2022: user: clouduser service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:43:21 2022: user: test service: ssh target: 37.228.155.106 source: myip
Tue Nov 29 17:42:50 2022: user: test service: ssh target: 77.75.253.130 source: myip
Tue Nov 29 17:41:21 2022: user: ubuntu service: ssh target: 37.228.155.106 source: myip
How can I find out where the attacks are coming from and where they are going? And can I somehow prevent this by blocking outgoing traffic?
tcp 0 0 your_ip:46324 remote_ip:22 ESTABLISHED 12690/ssh
tcp 0 0 your_ip:46324 remote_ip:22 ESTABLISHED 12690/php
tcp 0 0 your_ip:46224 remote_ip:22 ESTABLISHED 12692/php
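To answer the question of where the outbound connections are coming from, here is an added example (not from this thread and not anyone's posted output): a small shell script that reads `netstat -tnp` lines of the kind shown above, lists the local processes holding established connections to remote port 22, and prints the commands that identify and kill them and then block further outbound SSH from the web-server account. The sample netstat rows, PIDs and addresses are constructed, and `www-data` as the account PHP runs under is an assumption; change it to whatever user the web server uses on the host.

```shell
#!/bin/sh
# Added example, not from the thread above. Given `netstat -tnp` output, list the
# local processes holding outbound connections to TCP/22 and print the commands
# that stop them. The sample rows, PIDs and addresses below are constructed;
# the web-server account name (www-data) is an assumption for the iptables rule.

# Constructed sample in the format of `netstat -tnp` run as root. The first two
# rows are the pattern from the thread (php processes talking to port 22); the
# last two are benign and must not be flagged (outbound HTTPS, inbound sshd).
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:46324      203.0.113.7:22       ESTABLISHED 12690/php
tcp        0      0 10.0.0.5:46224      203.0.113.9:22       ESTABLISHED 12692/php
tcp        0      0 10.0.0.5:51000      198.51.100.4:443     ESTABLISHED 801/curl
tcp        0      0 10.0.0.5:22         192.0.2.10:53110     ESTABLISHED 411/sshd'

# Read netstat -tnp lines on stdin; print "PID PROGRAM REMOTE_IP" for each
# ESTABLISHED connection whose foreign port is 22. An inbound SSH session has
# local port 22 and some high foreign port, so it is not matched.
outbound_ssh_clients() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($5, remote, ":")
        split($7, proc, "/")
        if (remote[n] == "22") print proc[1], proc[2], remote[1]
    }'
}

# Emit the triage and containment commands for the flagged PIDs: show what the
# process really is (binary, working directory, command line: a web shell shows
# up as php running out of the document root), kill it, and then stop the
# web-server account from opening new SSH connections at all.
containment_commands() {
    outbound_ssh_clients | while read -r pid prog ip; do
        echo "# $prog pid $pid -> $ip:22"
        echo "ls -l /proc/$pid/exe /proc/$pid/cwd; xargs -0 < /proc/$pid/cmdline"
        echo "kill -9 $pid"
    done
    # Owner match: only the account the web server runs as (assumed www-data)
    # loses outbound SSH; administrators' own ssh clients are unaffected.
    echo "iptables -I OUTPUT -p tcp --dport 22 -m owner --uid-owner www-data -j REJECT"
}

# Number of distinct outbound SSH connections in the input on stdin.
count_outbound_ssh() {
    outbound_ssh_clients | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | containment_commands
```

On the real host, replace the constructed sample with `netstat -tnp` (or `ss -tnp`, whose column layout differs) piped into containment_commands, and review the printed commands before running them as root. The iptables owner match is only valid in the OUTPUT chain, which is where outbound blocking belongs anyway. Blocking outbound port 22 stops the symptom; the php process that opened the connections is the real problem, and its cwd and cmdline usually point at the uploaded script that has to be removed.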