I'm running fail2ban to attempt to block malicious brute-force password dictionary attacks against ssh. They seem to be rolling through a block of ip addresses as the source to defeat this kind of screening, so I've set some ip addresses to be blocked in iptables. Here is the output of iptables -L (edited):
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-VSFTPD  tcp  --  anywhere             anywhere            tcp dpt:ftp
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
DROP       all  --  116.10.191.0/24      anywhere
DROP       all  --  183.136.220.0/24     anywhere
DROP       all  --  183.136.221.0/24     anywhere
DROP       all  --  183.136.222.0/24     anywhere
DROP       all  --  183.136.223.0/24     anywhere
DROP       all  --  122.224.11.0/24      anywhere
DROP       all  --  219.138.0.0/16       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
. . .
Yet in my logwatch emails, I see this, long after the iptables rules are in place to drop some ip ranges:
--------------------- pam_unix Begin ------------------------

sshd:
   Authentication Failures:
      root (116.10.191.166): 1 Time(s)
      root (116.10.191.167): 1 Time(s)
      root (116.10.191.170): 1 Time(s)
      root (116.10.191.173): 1 Time(s)
      root (116.10.191.179): 1 Time(s)
      root (116.10.191.182): 1 Time(s)
      root (116.10.191.186): 1 Time(s)
      root (116.10.191.199): 1 Time(s)
      root (116.10.191.203): 1 Time(s)
      root (116.10.191.211): 1 Time(s)
      root (116.10.191.219): 1 Time(s)
      root (116.10.191.223): 1 Time(s)
      root (116.10.191.226): 1 Time(s)
      root (116.10.191.228): 1 Time(s)
      root (116.10.191.237): 1 Time(s)
      <snip>

--------------------- SSHD Begin ------------------------

Failed logins from:
   116.10.191.165: 4 times
   116.10.191.181: 3 times
   116.10.191.201: 4 times
   116.10.191.207: 4 times
   116.10.191.218: 4 times
   116.10.191.231: 4 times
   116.10.191.234: 3 times
   116.10.191.235: 4 times
   116.10.191.239: 4 times
If they keep going through this ip block, they will still get 255 attempts at the root password and 1020 attempts at other login/password combinations before they are blocked by fail2ban.
Why is this ip range still able to attempt connections? Have I done something wrong with my address ranges, or added them in the wrong place?
thanks, -chuck
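Added example, not part of the question or its thread: a small Python rule-order checker of the kind a practitioner would run before trusting a DROP rule. iptables evaluates a chain top to bottom, and a terminating target (ACCEPT, DROP, REJECT) reached inside a jumped-to chain ends evaluation for that packet, so a DROP placed below a jump whose chain already accepts the traffic is never consulted. The script parses `iptables -L -n -v` output, walks INPUT in order following jumps, and reports every DROP/REJECT that a packet from its own source range would never reach. The embedded dump is constructed to mirror the question's INPUT chain; the fail2ban chain bodies and the `lo` and `state NEW tcp dpt:22` rules inside RH-Firewall-1-INPUT are assumptions, because the question truncates those chains and plain `iptables -L` hides the interface columns.

```python
import ipaddress
import re

# Constructed sample in `iptables -L -n -v` layout, modelled on the question's
# INPUT chain. The fail2ban-* chain bodies and the `lo` / `state NEW tcp dpt:22`
# rules inside RH-Firewall-1-INPUT are assumptions (the question truncates them).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 fail2ban-VSFTPD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
 5310  318K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 9901  812K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       116.10.191.0/24      0.0.0.0/0
    0     0 DROP       all  --  *      *       219.138.0.0/16       0.0.0.0/0

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5310  318K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-VSFTPD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  410 31000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   33  2100 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
 5310  318K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
 4148  460K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables(text):
    """Parse `iptables -L -n -v` output into {chain: {"policy": str|None, "rules": [...]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)", line)
        if m:  # built-in chains carry a policy; user chains carry a reference count
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split(None, 9)
        _pkts, _bytes, target, prot, _opt, in_if, _out_if, src, dst = parts[:9]
        extra = parts[9] if len(parts) > 9 else ""
        dpt = re.search(r"dpt:(\d+)", extra)
        chains[current]["rules"].append({
            "target": target, "prot": prot, "in": in_if, "src": src, "dst": dst,
            "dport": int(dpt.group(1)) if dpt else None, "extra": extra,
        })
    return chains


def _src_match(net, ip):
    return net in ("anywhere", "0.0.0.0/0") or \
        ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _matches(rule, pkt):
    # Interface and port matches are modelled; conntrack state is not, so every
    # probe is treated as a NEW connection (the case a password guesser produces).
    if rule["in"] not in ("*", pkt["in"]):
        return False
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return _src_match(rule["src"], pkt["src"])


def first_verdict(chains, pkt, chain="INPUT", trace=None):
    """Walk `chain` top to bottom as the kernel does, following jumps.
    Returns (verdict, trace); trace lists (chain, rule_number) for every rule the
    packet matched, numbered as `iptables -L --line-numbers` would show them."""
    trace = [] if trace is None else trace
    for n, rule in enumerate(chains[chain]["rules"], 1):
        if not _matches(rule, pkt):
            continue
        trace.append((chain, n))
        target = rule["target"]
        if target in TERMINAL:
            return target, trace
        if target == "RETURN":
            return chains[chain]["policy"], trace  # None inside a user chain
        if target in chains:  # jump: a verdict inside the chain is final
            verdict, _ = first_verdict(chains, pkt, target, trace)
            if verdict is not None:
                return verdict, trace
        # non-terminating targets such as LOG fall through to the next rule
    return chains[chain]["policy"], trace


def shadowed_blocks(chains, chain="INPUT", proto="tcp", dport=22, in_if="eth0"):
    """Probe each DROP/REJECT with an address from its own source range and
    report the rules that such a packet never reaches."""
    report = []
    for n, rule in enumerate(chains[chain]["rules"], 1):
        if rule["target"] not in ("DROP", "REJECT") or rule["src"] in ("anywhere", "0.0.0.0/0"):
            continue
        probe = str(ipaddress.ip_network(rule["src"], strict=False)[1])
        pkt = {"src": probe, "proto": proto, "dport": dport, "in": in_if}
        if not _matches(rule, pkt):
            continue
        verdict, trace = first_verdict(chains, pkt, chain)
        if (chain, n) not in trace:
            report.append({"rule": n, "src": rule["src"], "verdict": verdict, "decided_at": trace[-1]})
    return report


if __name__ == "__main__":
    for hit in shadowed_blocks(parse_iptables(SAMPLE)):
        print(f"INPUT rule {hit['rule']} (DROP {hit['src']}) is never reached: "
              f"{hit['verdict']} already given at {hit['decided_at']}")
```

Run it against your own `iptables -L -n -v` output rather than the constructed dump; the `-v` packet counters give an independent check, since a DROP that is actually catching traffic will not sit at zero packets while the logs keep filling. The walker ignores conntrack state and any match it does not parse, so treat its report as a pointer to the rules to inspect with `--line-numbers`, not as proof.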