[CentOS] Simple way to banish IP addresses ?

Mon Oct 12 20:20:03 UTC 2009
Amos Shapira <amos.shapira at gmail.com>

There is an iptables geoip module to allow you to specify countries. I
never used it though.

The advantage of denyhosts is that it not only bans addresses but also
shares banned hosts with a network of a few thousand installations
(an opt-in option), so you are not on your own.

Moving ssh to a non-standard port is the best thing you can do under
the circumstances you describe, IMHO.

Another option might be to tar-pit attackers (using iptables) - that
way you can slow down their traffic so hopefully they'll eat less of
your bandwidth.

-Amos

On 10/10/09, Toby Bluhm <tkb at alltechmedusa.com> wrote:
> Toby Bluhm wrote:
>> Niki Kovacs wrote:
>>> Hi,
>>>
>>> I just set up a web server... and my bandwidth is being eaten by some
>>> Chinese folks trying to brute-force-ssh their way into the machine.
>>>
>>> Is there a simple way to banish either single IP addresses or, maybe
>>> even better, whole IP classes ? I know it's feasible with iptables, but
>>> is there something more easily configurable ?
>>>
>>> Cheers,
>>>
>>
>>
>> Try fail2ban from rpmforge.
>>
>>
>
>
> Also, if you're using the standard fw that ships with centos, you can
> stop entire blocks of IPs by manually inserting rules after iptables starts:
>
> iptables -I RH-Firewall-1-INPUT 1 -s 1.2.3.4/24 -p tcp --dport 22 -j DROP
>
> IP ranges by country:
> http://www.countryipblocks.net/country-blocks/select-formats/
>
> The IP ranges will change from time to time, so you have to check often.
> You could script in a download from
> http://www.countryipblocks.net/continents/ to keep it current.
>
> Like someone said, if you have to keep ssh open to the world, changing
> the port number will dramatically cut down on the attempts.
>
>
> --
> tkb
>
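
The refresh suggested in the quoted message (scripting the list download so the blocked ranges stay current), as an added example that is not part of the original thread: it validates a CIDR list and prints the iptables commands for review instead of running them. The chain name `SSH-BLOCK`, the /8 safety limit and the sample list are assumptions made for the example; `RH-Firewall-1-INPUT` and port 22 come from the thread.

```shell
#!/bin/sh
# Added example. BLOCK_CHAIN is a hypothetical chain name; RH-Firewall-1-INPUT
# is the stock CentOS chain named in the thread.
BLOCK_CHAIN="SSH-BLOCK"

# gen_rules: read CIDR blocks on stdin, print iptables commands on stdout.
# Nothing is executed here; review the output, then pipe it to "sh" as root.
gen_rules() {
    # Create the chain, or empty it if it already exists (refresh case).
    echo "iptables -N $BLOCK_CHAIN 2>/dev/null || iptables -F $BLOCK_CHAIN"
    awk -v chain="$BLOCK_CHAIN" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }  # drop comments, blanks, CRs
        $0 == "" { next }
        {
            ok = ($0 ~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$")
            split($0, p, "[./]")
            for (i = 1; ok && i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            # Assumed safety limit: refuse prefixes shorter than /8, so a bad
            # list entry such as 0.0.0.0/0 cannot lock everyone out.
            if (ok && (p[5] + 0 < 8 || p[5] + 0 > 32)) ok = 0
            if (!ok) { print "skipped: " $0 | "cat 1>&2"; next }
            if (seen[$0]++) next                  # ignore duplicates
            print "iptables -A " chain " -s " $0 " -p tcp --dport 22 -j DROP"
        }'
    # Hook the chain into the stock firewall once (-C checks for the rule).
    echo "iptables -C RH-Firewall-1-INPUT -j $BLOCK_CHAIN 2>/dev/null ||" \
         "iptables -I RH-Firewall-1-INPUT 1 -j $BLOCK_CHAIN"
}

# Constructed sample list (documentation ranges), standing in for a download.
sample_list() {
    cat <<'EOF'
# constructed sample, not real country data
192.0.2.0/24
198.51.100.0/22   # trailing comment
0.0.0.0/0
203.0.113.0/33
192.0.2.0/24
EOF
}

sample_list | gen_rules
```

Keeping the ranges in their own chain means a refresh only flushes and refills that chain, leaving the rest of the stock firewall rules untouched.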