On Sun, 2020-06-21 at 14:33 -0500, Chuck Campbell wrote: > I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specific > ip blocks. > > The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 > and 118.0.0.0/24, and they amounted to a multiple thousands of attempts > per day. It seems oddly coincidental that they are all x.0.0.y addresses - the netblocks they belong to are all much bigger than /24. I can understand getting attacks from a range of IPs from an ISP or the like, but the 51.0.0.0/24 is part of a UK government network and I think they would be all over it if a range of their network was being used for naughty purposes. > > I did some more research, and decided to use a few rich rules to block > these attempts. I currently have these in place: > > #firewall-cmd --list-all > public (active) > target: default > icmp-block-inversion: no > interfaces: p3p1 > sources: > services: dhcpv6-client ftp http https imap imaps pop3 pop3s > smtp-submission smtps ssh > ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp > protocols: > masquerade: no > forward-ports: > source-ports: > icmp-blocks: > rich rules: > rule family="ipv4" source address="49.0.0.0/24" reject > rule family="ipv4" source address="51.0.0.0/24" reject > rule family="ipv4" source address="111.0.0.0/24" reject Is that the correct interface referred to in the zone? Can you see the rich rules implemented properly in the output of 'iptables -L'? (They should be in the chain IN_public_deny.) > > But I still get hundreds of attempts reported in my fail2ban logs from > these ip blocks. How is it that the rich rules don't drop these packets > before pam/ssh/fail2ban ever get to see them? Is fail2ban stopping the individual hosts? Do you have the recidive rule enabled to permaban them? Do you get legitimate SSH connections from anywhere? Can you remove the ssh service and add rich rules to allow certain hosts or netblocks to connect via port 22? Finally, do you have a network firewall that can be used to block the connections? > There must be some precedence in the firewalling I don't understand. Yes, there is a precedence, but it should be working in your favour - the chain 'IN_public' contains the public inbound chain and it should contain: # iptables -L IN_public Chain IN_public (2 references) target prot opt source destination IN_public_log all -- anywhere anywhere IN_public_deny all -- anywhere anywhere IN_public_allow all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere So it should be denying packets before the allowing them (and the IN_public_allow chain is what contains your ssh service definition). P.