[CentOS] Intrusion Attempt Prevention - iptables problems

Mon Jan 12 18:37:58 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

I have these rules in effect:

]# iptables --list --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    DROP       all  --  202.14.0.0/24        anywhere
2    DROP       all  --  220.232.0.0/24       anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     icmp --  anywhere             anywhere            icmp any
5    ACCEPT     esp  --  anywhere             anywhere
6    ACCEPT     ah   --  anywhere             anywhere
7    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
8    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
9    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
10   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
11   ACCEPT     tcp  --  216.185.71.0/24      anywhere            tcp dpts:ftp-data:ftp
12   ACCEPT     tcp  --  216.185.71.0/25      anywhere            tcp dpt:ssh state NEW
13   DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: CHECK seconds: 10 name: THROTTLE side: source
14   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: THROTTLE side: source
15   ACCEPT     tcp  --  209.47.176.0/25      anywhere            tcp dpt:ssh state NEW
16   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW

...

Note particularly line 2.

Now, notwithstanding the above, I see this in my /var/log/secure file:

Jan 12 13:36:02 inet01 sshd[16056]: Received disconnect from 220.232.152.137: 11: Bye Bye
Jan 12 13:36:13 inet01 sshd[16062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com user=root
Jan 12 13:36:15 inet01 sshd[16062]: Failed password for root from 220.232.152.137 port 38722 ssh2
Jan 12 13:36:15 inet01 sshd[16063]: Received disconnect from 220.232.152.137: 11: Bye Bye
Jan 12 13:36:26 inet01 sshd[16070]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com user=root
Jan 12 13:36:27 inet01 sshd[16070]: Failed password for root from 220.232.152.137 port 39287 ssh2
Jan 12 13:36:28 inet01 sshd[16071]: Received disconnect from 220.232.152.137: 11: Bye Bye
Jan 12 13:36:38 inet01 sshd[16078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com user=root
Jan 12 13:36:40 inet01 sshd[16078]: Failed password for root from 220.232.152.137 port 39863 ssh2
Jan 12 13:36:40 inet01 sshd[16079]: Received disconnect from 220.232.152.137: 11: Bye Bye


What is wrong with my IPTABLES rules that this connection is permitted?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
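An added example, not part of the post above: a small Python checker that walks the listed chain top-down, as the kernel does, and reports which rule first matches a given source address, then computes the shortest prefix of a DROP rule's base address that would still cover that source. It assumes the constructed four-rule excerpt of the post's RH-Firewall-1-INPUT listing embedded below, and that, because `--list` was run without `-v`, interface matches (such as a loopback-only rule) are invisible and rule 3 is evaluated as the catch-all it appears to be.

```python
import ipaddress
import re

# Constructed excerpt of the post's RH-Firewall-1-INPUT listing (first four rules,
# trailing match columns omitted); `--list` without `-v` hides interface matches.
CHAIN_LISTING = """\
1    DROP       all  --  202.14.0.0/24        anywhere
2    DROP       all  --  220.232.0.0/24       anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     icmp --  anywhere             anywhere            icmp any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)")

def parse_chain(listing):
    """Turn `iptables --list --line-numbers` rows into (num, target, proto, source_net)."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, blank, or a wrapped continuation line
        num, target, proto, src, _dst = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if src == "anywhere" else src)
        rules.append((int(num), target, proto, net))
    return rules

def first_match(rules, src_ip, proto="tcp"):
    """Return (num, target) of the first rule whose proto and source match src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for num, target, rproto, net in rules:
        if rproto in ("all", proto) and ip in net:
            return num, target
    return None  # fell off the chain: policy applies

def smallest_covering_supernet(src_ip, net):
    """Shortest prefix of net's base address that still contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    net = ipaddress.ip_network(net)
    for prefix in range(net.prefixlen, -1, -1):
        candidate = net.supernet(new_prefix=prefix)
        if ip in candidate:
            return candidate
    return None

if __name__ == "__main__":
    rules = parse_chain(CHAIN_LISTING)
    print(first_match(rules, "220.232.152.137"))  # (3, 'ACCEPT'): rule 2's /24 misses this host
    print(first_match(rules, "220.232.0.5"))      # (2, 'DROP')
    print(smallest_covering_supernet("220.232.152.137", "220.232.0.0/24"))  # 220.232.0.0/16
```

The /24 in rule 2 covers only 220.232.0.0 through 220.232.0.255, so 220.232.152.137 falls through to rule 3; widening the mask or running `iptables -nvL` to see what rule 3 is really bound to are the two checks this points at.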