Very easy/simple way to block traffic from an IP/range of IP
14 Replies
James
@melancthon:
Well, I have some idiot repeatedly trying to ssh into my Linode. I was wondering if there is a very simple way for me to just drop all that traffic from that IP. My Linode's network server is hovering at a constant 10k bits/sec, and the CPU is right at 2.0% constant.
Help?
fail2ban can be set up to use iptables to block hosts that repeatedly attempt and fail to login. denyhosts is similar but uses tcpwrappers by default.
iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
from
This blocks any new SSH attempts from an IP which has attempted 3 in the previous five minutes. It really puts the brakes on the brute force attacks.
Whitelisting your own IPs first is recommended, in case you open a bunch of connections within the time frame.
[edited to correct double-dashes]
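The rule set above, replayed in Python as an added example (not code from the thread or from Linode): it models the SSHSCAN chain's recent-list semantics over a constructed sequence of connection attempts, with a whitelist checked first as the reply recommends. The sample addresses, the SshScanChain class and the one-timestamp-per-packet simplification are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Models the SSHSCAN chain from the post: a NEW tcp/22 packet hits
# `recent --set`, then `recent --update --seconds 300 --hitcount 3 -j DROP`.
# Whitelisted sources are accepted before the jump, as the reply recommends.
# Simplification (assumption): one timestamp per packet; real xt_recent also
# refreshes the entry when --update matches and keeps <= 20 stamps per address.
class SshScanChain:
    def __init__(self, seconds=300, hitcount=3, whitelist=(), max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.whitelist = [ip_network(w) for w in whitelist]
        self.max_stamps = max_stamps
        self.stamps = defaultdict(deque)  # the "SSH" recent list: src -> stamps

    def new_connection(self, src, now):
        """Verdict ('ACCEPT' or 'DROP') for a NEW tcp/22 packet from src at time now."""
        # Whitelist rule placed ahead of the jump to SSHSCAN.
        if any(ip_address(src) in net for net in self.whitelist):
            return "ACCEPT"
        # -m recent --set --name SSH: record this packet's timestamp.
        hist = self.stamps[src]
        hist.append(now)
        while len(hist) > self.max_stamps:
            hist.popleft()
        # -m recent --update --seconds 300 --hitcount 3: drop when this packet
        # makes the third (or later) hit inside the 300 s window.
        if sum(1 for t in hist if now - t <= self.seconds) >= self.hitcount:
            return "DROP"
        return "ACCEPT"  # end of SSHSCAN: back to INPUT, sshd sees the connection

def replay(chain, attempts):
    return [(src, t, chain.new_connection(src, t)) for src, t in attempts]

# Constructed sample: a brute forcer retrying every 20 s, then backing off for
# over five minutes, and the admin's own (whitelisted) host opening four
# connections in four seconds, as scp with bash completion does.
ATTEMPTS = [
    ("203.0.113.9", 0), ("203.0.113.9", 20), ("203.0.113.9", 40),
    ("203.0.113.9", 60), ("203.0.113.9", 400),
    ("198.51.100.5", 100), ("198.51.100.5", 101),
    ("198.51.100.5", 102), ("198.51.100.5", 103),
]

if __name__ == "__main__":
    for src, t, verdict in replay(SshScanChain(whitelist=["198.51.100.0/24"]), ATTEMPTS):
        print(f"t={t:4d}s {src:14s} {verdict}")
```

The replay shows the third attempt inside the window being dropped and the same source accepted again once its old stamps age past 300 s, which is the "no permanent ban" property discussed later in the thread.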
@Xan:
Whitelisting your own IPs first is recommended, in case you open a bunch of connections within the time frame.
I learned this the hard way when completing scp with bash-completion turned on… every time you hit tab, it opened a new connection to the host
blockhosts.py
Try it and you may love it as I do.
ywliu
HTH
C
Not only that, but the method I outlined above doesn't involve any permanent IP banning, which I like to avoid whenever possible.
@Xan:
I don't understand why you would install extra packages and extra software to do a job that can be done by four iptables commands. "Keep it simple" would definitely be my philosophy for something like this.
Not only that, but the method I outlined above doesn't involve any permanent IP banning, which I like to avoid whenever possible.
And it's a great method. Thanks for that, I'm using it (slightly modified) now.
I'm using fail2ban presently which is seeming to do the trick as well as notifying me when it happens with the IP, so I can put on my diplomat hat and send nasty emails to support people requesting action!
But I'm surprised you're having trouble with iptables modules. They were part of the Linode kernel, at least when I started using them. Are you running the latest kernel?