On Sun, Jun 21, 2020 at 12:33 PM Chuck Campbell <campbell at accelinc.com> wrote: > I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specific > ip blocks. > > The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 > and 118.0.0.0/24, > so just 45.0.0.0 through 45.0.0.255 and not other 45.x.y blocks ? ditto your other networks? sure you didn't mean /8 or another sized subnet on there? doing some whois, the actual 45.0.0.0 block has a netmask of /15, which is 45.0.0.0 through 45.1.255.255, and belongs to Interop, the IT trade show. 45.2.0.0/16 belongs to Frontier Networks in Ontario, CA 45.3.0.0/19 belongs to Start Cable in Ontario 45.3.32.0/19 belongs to someone in Los Vegas. 45.3.64.0/18 belongs to Virginia Polytechnic 45.3.128.0/17 belongs to Charter Cable (formerly Bright House Networks) 45.4.0.0/14 is LANIC, and further diced into a multitude of Latin America networks. 45.8.0.0/13 is RIPE, and diced into various european networks. etc etc etc. anyways, I didn't see your rules explicitly blocking 22/tcp, which is ssh... -- -john r pierce recycling used bits in santa cruz