From owner-freebsd-security@freebsd.org Wed Jul 18 20:22:25 2018
From: "Simon J. Gerraty"
To: Patrick Proniewski
CC: Grzegorz Junka
Subject: Re: Possible break-in attempt?
Date: Wed, 18 Jul 2018 13:21:32 -0700
Message-ID: <37044.1531945292@kaos.jnpr.net>
In-Reply-To: <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
List-Id: "Security issues [members-only posting]"

> - and/or change listening port of sshd

Yes, I used to get lots of probes to sshd from China etc., some years ago,
moved inbound to a high-numbered port... no more noise.