I'm running Centos 7.8.2003, with firewalld.
I was getting huge numbers of ssh attempts per day from a few specific ip blocks.
The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and 118.0.0.0/24, and they amounted to a multiple thousands of attempts per day. I installed and configured fail2ban, but still saw a lot of attempts in the logs, and the ipset created was filling up.
I did some more research, and decided to use a few rich rules to block these attempts. I currently have these in place:
#firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: p3p1 sources: services: dhcpv6-client ftp http https imap imaps pop3 pop3s smtp-submission smtps ssh ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="49.0.0.0/24" reject rule family="ipv4" source address="51.0.0.0/24" reject rule family="ipv4" source address="111.0.0.0/24" reject
But I still get hundreds of attempts reported in my fail2ban logs from these ip blocks. How is it that the rich rules don't drop these packets before pam/ssh/fail2ban ever get to see them?
There must be some precedence in the firewalling I don't understand.
-chuck