[CentOS] Simple way to banish IP addresses ?

Fri Oct 9 19:01:50 UTC 2009
Toby Bluhm <tkb at alltechmedusa.com>

Toby Bluhm wrote:
> Niki Kovacs wrote:
>> Hi,
>>
>> I just set up a web server... and my bandwidth is being eaten by some 
>> Chinese folks trying to brute-force-ssh their way into the machine.
>>
>> Is there a simple way to banish either single IP addresses or, maybe 
>> even better, whole IP classes ? I know it's feasible with iptables, but 
>> is there something more easily configurable ?
>>
>> Cheers,
>>
> 
> 
> Try fail2ban from rpmforge.
> 
> 


Also, if you're using the standard fw that ships with CentOS, you can 
stop entire blocks of IPs by manually inserting rules after iptables starts:

iptables -I RH-Firewall-1-INPUT 1 -s 1.2.3.4/24 -p tcp --dport 22 -j DROP

IP ranges by country:
http://www.countryipblocks.net/country-blocks/select-formats/

The IP ranges will change from time to time, so you have to check often.
You could script in a download from
http://www.countryipblocks.net/continents/ to keep it current.

Like someone said, if you have to keep ssh open to the world, changing 
the port number will dramatically cut down on the attempts.


-- 
tkb
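
The scripted refresh suggested in the message above, sketched as an added example (not part of the original post): it turns a range list into DROP rules for port 22 and refuses any line that is not a well-formed IPv4 CIDR, since a downloaded list is untrusted input to a root shell. The chain name SSH-BLOCK, the one-CIDR-per-line list format and the sample ranges are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message. Dry run: prints commands only.
PARENT=RH-Firewall-1-INPUT   # chain named in the message
CHAIN=SSH-BLOCK              # hypothetical chain name, flushed on each refresh

# valid_cidr A.B.C.D/LEN -> returns 0 only for a well-formed IPv4 CIDR
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules: CIDR list on stdin -> iptables commands on stdout.
# Rules live in their own chain so a refresh replaces them instead of piling up.
gen_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop blanks and CRs
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "iptables -A $CHAIN -s $line -p tcp --dport 22 -j DROP"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
    echo "iptables -D $PARENT -j $CHAIN 2>/dev/null || true"  # avoid duplicate jump
    echo "iptables -I $PARENT 1 -j $CHAIN"
}

# Constructed sample list (documentation ranges plus two bad lines).
sample_list() {
    cat <<'EOF'
# constructed sample, one CIDR per line
192.0.2.0/24
198.51.100.0/24   # trailing comment
203.0.113.0/33
198.51.100.0/24;true
EOF
}

sample_list | gen_rules
```

Review the printed commands, then pipe them to `sh` as root to apply them; replace `sample_list` with the downloaded file once its format is confirmed.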