[CentOS] iptables question

Mon Jun 16 21:58:18 UTC 2014
Chuck Campbell <campbell at accelinc.com>

I'm running fail2ban to attempt to block malicious brute-force password
dictionary attacks against ssh. They seem to be rolling through a block of ip
addresses as the source to defeat this kind of screening, so I've set some ip
addresses to be blocked in iptables. Here is the output of iptables -L (edited):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
fail2ban-VSFTPD  tcp  --  anywhere             anywhere            tcp dpt:ftp
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           
DROP       all  --  116.10.191.0/24      anywhere           
DROP       all  --  183.136.220.0/24     anywhere           
DROP       all  --  183.136.221.0/24     anywhere           
DROP       all  --  183.136.222.0/24     anywhere           
DROP       all  --  183.136.223.0/24     anywhere           
DROP       all  --  122.224.11.0/24      anywhere           
DROP       all  --  219.138.0.0/16       anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere           
.
.
.

Yet in my logwatch emails, I see this, long after the iptables rules are in
place to drop some ip ranges:

 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       root (116.10.191.166): 1 Time(s)
       root (116.10.191.167): 1 Time(s)
       root (116.10.191.170): 1 Time(s)
       root (116.10.191.173): 1 Time(s)
       root (116.10.191.179): 1 Time(s)
       root (116.10.191.182): 1 Time(s)
       root (116.10.191.186): 1 Time(s)
       root (116.10.191.199): 1 Time(s)
       root (116.10.191.203): 1 Time(s)
       root (116.10.191.211): 1 Time(s)
       root (116.10.191.219): 1 Time(s)
       root (116.10.191.223): 1 Time(s)
       root (116.10.191.226): 1 Time(s)
       root (116.10.191.228): 1 Time(s)
       root (116.10.191.237): 1 Time(s)
<snip>

 --------------------- SSHD Begin ------------------------


 Failed logins from:
 
    116.10.191.165: 4 times
    116.10.191.181: 3 times
    116.10.191.201: 4 times
    116.10.191.207: 4 times
    116.10.191.218: 4 times
    116.10.191.231: 4 times
    116.10.191.234: 3 times
    116.10.191.235: 4 times
    116.10.191.239: 4 times

If they keep going through this ip block, they will still get 255 attempts at
the root password and 1020 attempts at other login/password combinations before
they are blocked by fail2ban.

Why is this ip range still able to attempt connections? Have I done something
wrong with my address ranges, or added them in the wrong place?

thanks,
-chuck

-- 
ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671 ph.
                    |   and Integrated Interpretation   |  (713)993-0608 fax
448 W. 19th St. #325|            Since 1992             |  (713)306-5794 cell
 Houston, TX, 77008 |          Chuck Campbell           | campbell at accelinc.com
                    |  President & Senior Geoscientist  |

     "Integration means more than having all the maps at the same scale!"
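The behaviour described in the post is what iptables' first-match evaluation produces when a DROP rule is appended (`-A INPUT`) after a jump to a chain that already accepts the traffic: packets to tcp/22 reach the accepting rule inside RH-Firewall-1-INPUT and the later DROP is never consulted. The following Python simulator is an added example, not code from the poster or from the CentOS project; the rules it loads are modelled on the listing above, and anything the listing does not show (an ACCEPT for tcp/22 inside RH-Firewall-1-INPUT, a fail2ban-SSH chain that just RETURNs) is an assumption. It also shows the effect of inserting the same DROP at position 1, the equivalent of `iptables -I INPUT 1 ...`.

```python
"""Toy first-match simulator for an iptables INPUT chain (constructed example).

A rule is (source_network, protocol, dest_port, target).  Targets are the
terminating verdicts ACCEPT/DROP/REJECT, RETURN, or the name of a user chain.
"""
import copy
import ipaddress

ANY = None  # stands for "anywhere" / any protocol / any port


def rule(target, src=ANY, proto=ANY, dport=ANY):
    return (ipaddress.ip_network(src) if src else ANY, proto, dport, target)


# Modelled on the post.  ASSUMPTIONS (not visible in the poster's output):
# fail2ban-SSH contains only its RETURN, and RH-Firewall-1-INPUT accepts tcp/22
# before its final REJECT, as the stock CentOS chain does.
ORIGINAL = {
    "INPUT": [
        rule("fail2ban-SSH", proto="tcp", dport=22),
        rule("RH-Firewall-1-INPUT"),
        rule("DROP", src="116.10.191.0/24"),  # appended with -A: evaluated last
    ],
    "fail2ban-SSH": [rule("RETURN")],
    "RH-Firewall-1-INPUT": [
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", proto="tcp", dport=22),  # assumed: the chain's ssh rule
        rule("REJECT"),
    ],
}
POLICY = "ACCEPT"  # "Chain INPUT (policy ACCEPT)" in the listing


def matches(r, pkt):
    src, proto, dport, _ = r
    return ((src is ANY or pkt["src"] in src)
            and (proto is ANY or pkt["proto"] == proto)
            and (dport is ANY or pkt["dport"] == dport))


def walk(chains, chain, pkt):
    """First-match evaluation of one chain.

    Returns (verdict, chain_that_decided) or None when the packet falls off
    the end of the chain (a RETURN, or no rule matched).
    """
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        target = r[3]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, chain
        if target == "RETURN":
            return None  # back to the caller, which carries on with its next rule
        result = walk(chains, target, pkt)  # jump into a user-defined chain
        if result is not None:
            return result
    return None


def verdict(chains, pkt, policy=POLICY):
    """Verdict for a packet entering INPUT; the chain policy applies on fall-through."""
    return walk(chains, "INPUT", pkt) or (policy, "policy")


def insert_rule(chains, chain, position, r):
    """Equivalent of 'iptables -I <chain> <position> ...' (1-based, like iptables).

    Returns a new rule set; the original is left untouched.
    """
    new = copy.deepcopy(chains)
    new[chain].insert(position - 1, r)
    return new


def packet(src, dport=22, proto="tcp"):
    """Constructed packet: only the fields the simulator matches on."""
    return {"src": ipaddress.ip_address(src), "proto": proto, "dport": dport}


if __name__ == "__main__":
    pkt = packet("116.10.191.166")  # one of the addresses in the logwatch report
    print("DROP appended at the end:", verdict(ORIGINAL, pkt))
    FIXED = insert_rule(ORIGINAL, "INPUT", 1, rule("DROP", src="116.10.191.0/24"))
    print("DROP inserted at position 1:", verdict(FIXED, pkt))
```

On a real host the corresponding check is `iptables -L INPUT -n -v --line-numbers`: the packet and byte counters show which rule is actually matching, and the line numbers give the position to use with `-I INPUT <n>`. Note that `ACCEPT all -- anywhere anywhere` inside RH-Firewall-1-INPUT can be interface- or state-scoped (`-i lo`, `-m state`) without that being visible in plain `iptables -L` output, which is why the simulator treats the ssh ACCEPT as an explicit assumption.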