I'm running fail2ban to attempt to block malicious brute-force password dictionary attacks against ssh. They seem to be rolling through a block of ip addresses as the source to defeat this kind of screening, so I've set some ip addresses to be blocked in iptables. Here is the output of iptables -L (edited): Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-VSFTPD tcp -- anywhere anywhere tcp dpt:ftp fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh RH-Firewall-1-INPUT all -- anywhere anywhere DROP all -- 116.10.191.0/24 anywhere DROP all -- 183.136.220.0/24 anywhere DROP all -- 183.136.221.0/24 anywhere DROP all -- 183.136.222.0/24 anywhere DROP all -- 183.136.223.0/24 anywhere DROP all -- 122.224.11.0/24 anywhere DROP all -- 219.138.0.0/16 anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-ho st-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT esp -- anywhere anywhere . . . Yet in my logwatch emails, I see this, long after the iptables rules are in place to drop some ip ranges: --------------------- pam_unix Begin ------------------------ sshd: Authentication Failures: root (116.10.191.166): 1 Time(s) root (116.10.191.167): 1 Time(s) root (116.10.191.170): 1 Time(s) root (116.10.191.173): 1 Time(s) root (116.10.191.179): 1 Time(s) root (116.10.191.182): 1 Time(s) root (116.10.191.186): 1 Time(s) root (116.10.191.199): 1 Time(s) root (116.10.191.203): 1 Time(s) root (116.10.191.211): 1 Time(s) root (116.10.191.219): 1 Time(s) root (116.10.191.223): 1 Time(s) root (116.10.191.226): 1 Time(s) root (116.10.191.228): 1 Time(s) root (116.10.191.237): 1 Time(s) <snip> --------------------- SSHD Begin ------------------------ Failed logins from: 116.10.191.165: 4 times 116.10.191.181: 3 times 116.10.191.201: 4 times 116.10.191.207: 4 times 116.10.191.218: 4 times 116.10.191.231: 4 times 116.10.191.234: 3 times 116.10.191.235: 4 times 116.10.191.239: 4 times If they keep going through this ip block, they will still get 255 attempts at the root password and 1020 attempts at other login/password combinations before they are blocked by fail2ban. Why is this ip range still able to attempt connections? Have I done something wrong with my address ranges, or added them in the wrong place? thanks, -chuck -- ACCEL Services, Inc.| Specialists in Gravity, Magnetics | (713)993-0671 ph. | and Integrated Interpretation | (713)993-0608 fax 448 W. 19th St. #325| Since 1992 | (713)306-5794 cell Houston, TX, 77008 | Chuck Campbell | campbell at accelinc.com | President & Senior Geoscientist | "Integration means more than having all the maps at the same scale!"