Linode Forum https://forum.linode.com/

Very easy/simple way to block traffic from an IP/range of IP https://forum.linode.com/viewtopic.php?f=19&t=3202

Author: melancthon [ Sun Apr 06, 2008 8:44 pm ]
Post subject: Very easy/simple way to block traffic from an IP/range of IP
Well, I have some idiot repeatedly trying to ssh into my Linode. I was wondering if there is a very simple way for me to just drop all that traffic from that IP. My Linode's network server is hovering at a constant 10k bits/sec, and the CPU is right at 2.0% constant. Help?

Author: zunzun [ Sun Apr 06, 2008 9:13 pm ]
As a stopgap measure, change the SSH port? James

Author: mwalling [ Sun Apr 06, 2008 9:25 pm ]
Code:
# drop everything from the offending address/prefix held in $IDIOTS/$BLOCK
iptables -A INPUT -s $IDIOTS/$BLOCK -j DROP

Author: rweir [ Sun Apr 06, 2008 9:26 pm ]
Post subject: Re: Very easy/simple way to block traffic from an IP/range o
melancthon wrote: Well, I have some idiot repeatedly trying to ssh into my Linode. I was wondering if there is a very simple way for me to just drop all that traffic from that IP. My Linode's network server is hovering at a constant 10k bits/sec, and the CPU is right at 2.0% constant. Help?
fail2ban can be set up to use iptables to block hosts that repeatedly attempt and fail to log in. denyhosts is similar but uses tcpwrappers by default.

Author: Xan [ Sun Apr 06, 2008 9:57 pm ]
I use just a handful of iptables rules to handle this. I think the whole Internet's being swept by these jerks, looking for an easy password. Try this:
Code:
iptables -N SSHSCAN
from http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
This blocks any new SSH attempts from an IP which has attempted 3 in the previous five minutes. It really puts the brakes on the brute force attacks. Whitelisting your own IPs first is recommended, in case you open a bunch of connections within the time frame. [edited to correct double-dashes]

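The recipe Xan links, written out as an added example (this is my code, not Xan's post or the ducea.com article): a dedicated chain plus the iptables "recent" match, with the whitelist he recommends placed ahead of the tracking chain. The script generates the rule set first and only runs it on --apply, so the ordering can be checked before anything touches the firewall. With --hitcount 4 and --seconds 300 the fourth new SSH connection from one address inside five minutes is dropped, i.e. three attempts are allowed, which is what the post describes. Assumed, not from the thread: the documentation-range whitelist addresses, the IPT variable, and that the kernel ships the recent and state (conntrack) match modules, which is exactly what melancthon later reports trouble with.

```shell
#!/bin/sh
# Added example, not Xan's post or the ducea.com article: SSH throttling with
# a dedicated chain and the iptables "recent" match, whitelist first.
# Assumptions (hypothetical): IPT names the iptables binary; the whitelist
# addresses in the usage line are documentation-range placeholders.

IPT="${IPT:-iptables}"

# Emit the rule set, one command per line, without running it.
# Arguments: PORT WINDOW_SECONDS HITS [WHITELIST_ADDRESS_OR_CIDR ...]
ssh_ratelimit_rules() {
    port=$1 window=$2 hits=$3
    shift 3
    # 1. Whitelist first, so our own addresses never enter the tracking chain
    #    (opening many connections in a short time would otherwise lock us out).
    for src in "$@"; do
        printf '%s -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$IPT" "$port" "$src"
    done
    # 2. Send every new SSH connection through a dedicated chain.
    #    (-N fails if the chain already exists; flush it with -F SSHSCAN first.)
    printf '%s -N SSHSCAN\n' "$IPT"
    printf '%s -A INPUT -p tcp --dport %s -m state --state NEW -j SSHSCAN\n' "$IPT" "$port"
    # 3. Record the source address in the "SSH" recent list ...
    printf '%s -A SSHSCAN -m recent --set --name SSH\n' "$IPT"
    # 4. ... and drop once it has been seen HITS times within WINDOW seconds.
    #    --update also refreshes the timestamp, so an address that keeps
    #    hammering stays blocked until it is quiet for WINDOW seconds; there
    #    is no permanent ban and nothing to clean up later.
    printf '%s -A SSHSCAN -m recent --update --seconds %s --hitcount %s --name SSH -j DROP\n' \
        "$IPT" "$window" "$hits"
}

# Guard against the classic mistake: a whitelist ACCEPT appended after the
# jump into SSHSCAN is never consulted for a connection SSHSCAN already
# dropped. Returns 0 if every ACCEPT precedes the jump.
rules_whitelist_first() {
    printf '%s\n' "$1" | awk '
        /-j SSHSCAN$/ { seen_jump = 1; next }
        /-j ACCEPT$/ && seen_jump { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage: sh ssh-ratelimit.sh --print 22 300 4 203.0.113.5 198.51.100.0/24
#        sudo sh ssh-ratelimit.sh --apply 22 300 4 203.0.113.5
case "${1:-}" in
    --print) shift; ssh_ratelimit_rules "$@" ;;
    --apply) shift
             rules=$(ssh_ratelimit_rules "$@")
             rules_whitelist_first "$rules" || { echo "whitelist after jump, refusing" >&2; exit 1; }
             printf '%s\n' "$rules" | sh ;;
esac
```

Run it with --print first and read the six lines; the two ACCEPT rules must appear before the -j SSHSCAN jump, and the whole set must sit ahead of any blanket ACCEPT for port 22 already in INPUT, or new connections never reach the chain. If --apply fails on the -m recent or -m state rule, the kernel is missing the xt_recent or conntrack module, which is the symptom melancthon describes further down.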
Author: mwalling [ Sun Apr 06, 2008 10:18 pm ]
Xan wrote: Whitelisting your own IPs first is recommended, in case you open a bunch of connections within the time frame.
I learned this the hard way when completing scp with bash-completion turned on... every time you hit tab, it opened a new connection to the host.

Author: melancthon [ Sun Apr 06, 2008 11:06 pm ]
Many thanks for the quick responses - I was a bit afraid of the sheer complexity that iptables can have, but the webmin interface for it wasn't too bad. For the time being I am just dropping all packets from the IP address; hopefully that will do the trick. I will look into these other options (such as ssh ports and addresses) as further measures as well. Thanks!

Author: ywliu [ Sun Apr 06, 2008 11:40 pm ]
I have been using this less-known tool for quite some time. Very effective at preventing SSH/FTP probing. blockhosts.py http://www.aczoom.com/cms/blockhosts Try it and you may love it as I do. ywliu

Author: reallove [ Mon Apr 07, 2008 3:58 am ]
I use this for blocking unwanted sshd connections. Pretty good and effective.

Author: chrisnolan [ Tue Apr 08, 2008 4:46 pm ]
Try also the package "denyhosts" http://denyhosts.sourceforge.net/ HTH C

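To show what the log-watching tools recommended in this thread (fail2ban, denyhosts, blockhosts) actually do, here is the core of that loop as an added example; it is not code from any of those projects. It parses sshd failure lines out of a syslog-style auth log, counts failures per source address, skips a whitelist, and emits one DROP rule per offender. The log lines are constructed for the example and the addresses are documentation-range placeholders. The time window (fail2ban's findtime), ban expiry and log rotation are deliberately left out, which is also why the real tools are bigger than four iptables commands.

```shell
#!/bin/sh
# Added example, not code from fail2ban, denyhosts or blockhosts: count sshd
# "Failed password" lines per source address, skip a whitelist, emit a DROP
# rule per address over the threshold.
# Assumptions (hypothetical): syslog-style sshd lines as in the constructed
# sample; addresses are documentation-range placeholders; IPT names iptables.

# Constructed sample log, not real data: 203.0.113.9 fails five times,
# 198.51.100.7 fails twice and then logs in, 192.0.2.1 (our own address)
# fails four times and must not be blocked.
SAMPLE_LOG='Apr  6 20:31:01 linode sshd[4120]: Invalid user admin from 203.0.113.9
Apr  6 20:31:01 linode sshd[4120]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Apr  6 20:31:04 linode sshd[4122]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
Apr  6 20:31:08 linode sshd[4125]: Failed password for root from 203.0.113.9 port 51251 ssh2
Apr  6 20:31:12 linode sshd[4127]: Failed password for root from 203.0.113.9 port 51260 ssh2
Apr  6 20:31:15 linode sshd[4130]: Failed password for invalid user test from 203.0.113.9 port 51272 ssh2
Apr  6 20:40:55 linode sshd[4201]: Failed password for james from 198.51.100.7 port 40001 ssh2
Apr  6 20:41:10 linode sshd[4203]: Failed password for james from 198.51.100.7 port 40002 ssh2
Apr  6 20:41:30 linode sshd[4205]: Accepted publickey for james from 198.51.100.7 port 40003 ssh2
Apr  6 20:50:02 linode sshd[4301]: Failed password for root from 192.0.2.1 port 33001 ssh2
Apr  6 20:50:05 linode sshd[4302]: Failed password for root from 192.0.2.1 port 33002 ssh2
Apr  6 20:50:09 linode sshd[4303]: Failed password for root from 192.0.2.1 port 33003 ssh2
Apr  6 20:50:14 linode sshd[4304]: Failed password for root from 192.0.2.1 port 33004 ssh2'

# Read a log on stdin; print "count ip" for every address with at least $1
# failures that is not in the space-separated whitelist $2, highest count first.
# Only sshd "Failed password" lines count; "Invalid user" and "Accepted" do not.
failed_ssh_ips() {
    awk -v threshold="$1" -v whitelist="$2" '
        BEGIN { n = split(whitelist, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines on stdin into iptables commands, one per line.
# Note these are permanent until removed; the real tools schedule an unban.
block_rules() {
    while read -r count ip; do
        [ -n "$ip" ] || continue
        printf '%s -A INPUT -s %s -j DROP\n' "${IPT:-iptables}" "$ip"
    done
}

# Usage on a live box (Debian path assumed; RHEL uses /var/log/secure):
#   failed_ssh_ips 3 "192.0.2.1" < /var/log/auth.log | block_rules | sudo sh
# Demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_ssh_ips 3 "192.0.2.1" | block_rules
fi
```

On the sample, a threshold of 3 with 192.0.2.1 whitelisted yields a single rule for 203.0.113.9; the two failures from 198.51.100.7 are a user mistyping a password and stay under the threshold, which is the reason for having a threshold at all rather than blocking on the first failure.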
Author: Xan [ Tue Apr 08, 2008 4:54 pm ]
I don't understand why you would install extra packages and extra software to do a job that can be done by four iptables commands. "Keep it simple" would definitely be my philosophy for something like this. Not only that, but the method I outlined above doesn't involve any permanent IP banning, which I like to avoid whenever possible.

Author: kbrantley [ Tue Apr 08, 2008 5:12 pm ]
Xan wrote: I don't understand why you would install extra packages and extra software to do a job that can be done by four iptables commands. "Keep it simple" would definitely be my philosophy for something like this. Not only that, but the method I outlined above doesn't involve any permanent IP banning, which I like to avoid whenever possible.
And it's a great method. Thanks for that, I'm using it (slightly modified) now.

Author: melancthon [ Tue Apr 08, 2008 5:35 pm ]
However, those 4 iptables commands require the use of other modules which I can't seem to get working for iptables. I'm using fail2ban presently, which seems to do the trick as well as notifying me when it happens with the IP, so I can put on my diplomat hat and send nasty emails to support people requesting action!

Author: Xan [ Tue Apr 08, 2008 5:40 pm ]
Certainly all these methods will work just fine. And the advantage of having so many options is if you have trouble with one you can try another. But I'm surprised you're having trouble with iptables modules. They were part of the Linode kernel, at least when I started using them. Are you running the latest kernel?

Author: Xan [ Tue Apr 08, 2008 10:49 pm ]
melancthon described his error messages in a PM, and it turns out what was in my post won't work verbatim. All the double-dashes are some kind of fancy Unicode dash, perhaps the result of the CMS on the site I got them from. I'm correcting the original post so that the commands should work.

All times are UTC-04:00