I'm running fail2ban to attempt to block malicious brute-force password
dictionary attacks against ssh. They seem to be rolling through a block of ip
addresses as the source to defeat this kind of screening, so I've set some ip
addresses to be blocked in iptables. Here is the output of iptables -L (edited):
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-VSFTPD tcp -- anywhere anywhere tcp dpt:ftp
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
RH-Firewall-1-INPUT all -- anywhere anywhere
DROP all -- 116.10.191.0/24 anywhere
DROP all -- 183.136.220.0/24 anywhere
DROP all -- 183.136.221.0/24 anywhere
DROP all -- 183.136.222.0/24 anywhere
DROP all -- 183.136.223.0/24 anywhere
DROP all -- 122.224.11.0/24 anywhere
DROP all -- 219.138.0.0/16 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-ho
st-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
.
.
.
Yet in my logwatch emails, I see this, long after the iptables rules are in
place to drop some ip ranges:
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (116.10.191.166): 1 Time(s)
root (116.10.191.167): 1 Time(s)
root (116.10.191.170): 1 Time(s)
root (116.10.191.173): 1 Time(s)
root (116.10.191.179): 1 Time(s)
root (116.10.191.182): 1 Time(s)
root (116.10.191.186): 1 Time(s)
root (116.10.191.199): 1 Time(s)
root (116.10.191.203): 1 Time(s)
root (116.10.191.211): 1 Time(s)
root (116.10.191.219): 1 Time(s)
root (116.10.191.223): 1 Time(s)
root (116.10.191.226): 1 Time(s)
root (116.10.191.228): 1 Time(s)
root (116.10.191.237): 1 Time(s)
<snip>
--------------------- SSHD Begin ------------------------
Failed logins from:
116.10.191.165: 4 times
116.10.191.181: 3 times
116.10.191.201: 4 times
116.10.191.207: 4 times
116.10.191.218: 4 times
116.10.191.231: 4 times
116.10.191.234: 3 times
116.10.191.235: 4 times
116.10.191.239: 4 times
If they keep going through this ip block, they will still get 255 attempts at
the root password and 1020 attempts at other login/password combinations before
they are blocked by fail2ban.
Why is this ip range still able to attempt connections? Have I done something
wrong with my address ranges, or added them in the wrong place?
thanks,
-chuck
--
ACCEL Services, Inc.| Specialists in Gravity, Magnetics | (713)993-0671 ph.
| and Integrated Interpretation | (713)993-0608 fax
448 W. 19th St. #325| Since 1992 | (713)306-5794 cell
Houston, TX, 77008 | Chuck Campbell | campbell@xxxxxxxxxxxx
| President & Senior Geoscientist |
"Integration means more than having all the maps at the same scale!"
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
