Issue of SSH logins causing firewall rules to be created, blocking where I am logging in from
Ran commands from LISH:
sudo iptables -L INPUT -v -n | grep "Charter business address"
343 24167 DROP all -- * * Charter business address 0.0.0.0/0
sudo iptables -D INPUT -s Charter business address -j DROP
sudo iptables -D FORWARD -s Charter business address -j DROP
sudo firewall-cmd --runtime-to-permanent
sudo vim /etc/hosts.deny
ALL:189.122.7.254
ALL:85.143.222.81
ALL:182.72.245.217
ALL:80.59.144.203
ALL:201.83.61.6
ALL: Deleted line for office Charter business internet.
ALL:104.238.169.119
Finished at 10:54. Services working shortly after.
DenyHosts not installed.
1035 14/02/17 10:51:06 sudo systemctl status -l denyhosts
Unit could not be found.
1036 14/02/17 10:51:34 yum list denyhosts
Available Packages
denyhosts.noarch 2.9-4.el7 epel
Not finding a cause.
Looked at:
sudo cat /var/log/secure | grep 'Feb 14 '
Feb 14 07:48:42 zori sshd[25890]: pam_unix(sshd:session): session closed for user davida
Feb 14 10:47:23 zori sshd[30434]: pam_unix(sshd:session): session opened for user davida by (uid=0)
Worked from home. Blocked at office.
Looked at:
sudo cat /var/log/messages | grep 'Feb 14 10:4'
Feb 14 10:47:23 zori sshd[30434]: Accepted publickey for davida from Charter business address port 58122 ssh2: RSA 51:0f:bc:e0:5d:4d:e9:b2:b8:82:ca:76:52:20:06:b7
Feb 14 10:47:23 zori systemd-logind: New session 17838 of user davida.
Linode is CentOS 7.3, so no /var/log/auth.log.
3 Replies
sudo cat /var/ossec/logs/active-responses.log | grep 50.187.22.173
Wed Feb 15 22:43:42 EST 2017 /var/ossec/active-response/bin/host-deny.sh add - 50.187.22.173 1487216622.637682 5715
Wed Feb 15 22:43:42 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 50.187.22.173 1487216622.637682 5715
Working through a few things. Why block good computers? Adding a white_list line to the configuration has not stopped the blocking.
sudo cat /var/ossec/logs/active-responses.log | grep "Home IP address"
Came back empty.
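Added example, not part of the original thread: a small shell helper that reads an OSSEC active-responses.log and reports, for one source IP, which response scripts last added or released a block and which rule id triggered them. It assumes the field layout of the two log lines quoted above; the names `sample_log` and `ar_state` are hypothetical, and the `delete` line in the sample is constructed.

```shell
#!/bin/sh
# Field layout assumed from the log lines quoted in the thread:
#   <6 date tokens> <script path> <add|delete> <user> <srcip> <alert id> <rule id>

# Sample input: the two lines quoted in the thread plus one CONSTRUCTED
# "delete" line, to show how a block that has been lifted is reported.
sample_log() {
cat <<'EOF'
Wed Feb 15 22:43:42 EST 2017 /var/ossec/active-response/bin/host-deny.sh add - 50.187.22.173 1487216622.637682 5715
Wed Feb 15 22:43:42 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 50.187.22.173 1487216622.637682 5715
Wed Feb 15 22:53:42 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 50.187.22.173 1487216622.637682 5715
EOF
}

# ar_state IP : reads an active-responses.log on stdin and prints, for each
# response script, the last action recorded for IP and the triggering rule id.
ar_state() {
    awk -v ip="$1" '
        # Compare the source-IP field exactly; an unanchored grep would also
        # match longer addresses that merely contain the same digits.
        NF >= 12 && $10 == ip {
            n = split($7, p, "/"); s = p[n]          # script file name only
            last[s] = $8                             # add or delete
            rule[s] = $12                            # OSSEC rule id
            when[s] = $2 " " $3 " " $4               # month day time
        }
        END {
            for (s in last)
                printf "%s %s rule=%s at=%s\n", s,
                       (last[s] == "add" ? "BLOCKED" : "released"),
                       rule[s], when[s]
        }' | sort
}

# On the server itself (path taken from the thread):
#   sudo cat /var/ossec/logs/active-responses.log | ar_state <your IP>
sample_log | ar_state 50.187.22.173
```

The rule id in the last column is the value to look up in the OSSEC ruleset to see which event triggered the block. A script reported as BLOCKED has an `add` with no later `delete` for that address.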