[CentOS] firewall questions

Sun Jun 21 19:33:18 UTC 2020
Chuck Campbell <campbell at accelinc.com>

I'm running CentOS 7.8.2003, with firewalld.

I was getting huge numbers of ssh attempts per day from a few specific 
IP blocks.

The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 
and 118.0.0.0/24, and they amounted to multiple thousands of attempts 
per day. I installed and configured fail2ban, but still saw a lot of 
attempts in the logs, and the ipset created was filling up.

I did some more research, and decided to use a few rich rules to block 
these attempts. I currently have these in place:

#firewall-cmd --list-all
public (active)
   target: default
   icmp-block-inversion: no
   interfaces: p3p1
   sources:
   services: dhcpv6-client ftp http https imap imaps pop3 pop3s 
smtp-submission smtps ssh
   ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
         rule family="ipv4" source address="49.0.0.0/24" reject
         rule family="ipv4" source address="51.0.0.0/24" reject
         rule family="ipv4" source address="111.0.0.0/24" reject

But I still get hundreds of attempts reported in my fail2ban logs from 
these IP blocks. How is it that the rich rules don't drop these packets 
before pam/ssh/fail2ban ever get to see them?

There must be some precedence in the firewalling I don't understand.


-chuck



-- 
ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671 ph.
                     |   and Integrated Interpretation   |  (713)993-0608 fax
448 W. 19th St. #325|            Since 1992             |  (713)306-5794 cell
  Houston, TX, 77008 |          Chuck Campbell           | campbell at accelinc.com
                     |  President & Senior Geoscientist  |

      "Integration means more than having all the maps at the same scale!"
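One check worth running before digging into chain precedence. In firewalld's iptables backend on CentOS 7, a zone's IN_public_deny chain (where reject/drop rich rules land) is consulted before IN_public_allow (where the ssh service lives), so a reject rich rule that matches does stop the packet before sshd ever logs it; a source that still shows up in fail2ban's log therefore did not match any rule. The script below is an added example, not code from the post or from the firewalld or fail2ban projects: it takes the three /24 rich rules from the `--list-all` output above, parses a constructed fail2ban.log excerpt (made-up addresses, in fail2ban's default "Found <ip>" line format), reports which logged sources fall outside every rule, and for each one computes the smallest supernet of the closest existing rule that would cover it, emitted as a `firewall-cmd --add-rich-rule` command. The log format, the sample addresses and the decision to widen rather than add per-host rules are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# The three reject rich rules shown in the post's `firewall-cmd --list-all` output.
BLOCKED = [ipaddress.ip_network(n) for n in ("49.0.0.0/24", "51.0.0.0/24", "111.0.0.0/24")]

# Constructed fail2ban.log excerpt in fail2ban's default format (assumption);
# the addresses are invented for the example and are not from the post.
SAMPLE_LOG = """\
2020-06-21 18:02:11,342 fail2ban.filter         [1234]: INFO    [sshd] Found 49.0.0.17
2020-06-21 18:02:15,101 fail2ban.filter         [1234]: INFO    [sshd] Found 49.12.34.56
2020-06-21 18:02:19,887 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 49.12.34.56
2020-06-21 18:03:02,410 fail2ban.filter         [1234]: INFO    [sshd] Found 111.222.33.44
2020-06-21 18:03:40,003 fail2ban.filter         [1234]: INFO    [sshd] Found 51.0.0.200
"""

# Only "Found" lines matter: each one means sshd already saw and logged the attempt.
FOUND_RE = re.compile(r"\[sshd\] Found (\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_sources(log_text):
    """Count the IPv4 sources fail2ban reported as 'Found' in the sshd jail."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def classify(hits, blocked=BLOCKED):
    """Split logged sources into those inside some reject rule and those outside all of them."""
    covered, uncovered = {}, {}
    for ip_str, n in hits.items():
        ip = ipaddress.ip_address(ip_str)
        (covered if any(ip in net for net in blocked) else uncovered)[ip_str] = n
    return covered, uncovered


def covering_prefix(net, ip):
    """Smallest supernet of `net` that also contains `ip`, widening one bit at a time."""
    net = ipaddress.ip_network(net)
    ip = ipaddress.ip_address(ip)
    while ip not in net:          # ip_network('0.0.0.0/0').supernet() returns itself, so this terminates
        net = net.supernet()
    return net


def widen_rules(uncovered, blocked=BLOCKED):
    """For each uncovered source, widen the existing rule that shares the longest prefix with it.

    Returns the distinct replacement networks as strings, sorted by address."""
    widened = set()
    for ip_str in uncovered:
        best = max((covering_prefix(net, ip_str) for net in blocked), key=lambda n: n.prefixlen)
        widened.add(best)
    return [str(n) for n in sorted(widened)]


def rich_rule_cmd(net):
    """The firewall-cmd invocation that adds a permanent reject rich rule for `net`."""
    return (
        "firewall-cmd --permanent --add-rich-rule="
        f"'rule family=\"ipv4\" source address=\"{net}\" reject'"
    )


if __name__ == "__main__":
    hits = extract_sources(SAMPLE_LOG)
    covered, uncovered = classify(hits)
    print("matched an existing reject rule:", covered)
    print("outside every reject rule:      ", uncovered)
    for net in widen_rules(uncovered):
        print(rich_rule_cmd(net))
```

Point it at a real `/var/log/fail2ban.log` instead of `SAMPLE_LOG` and the uncovered set is the list of sources the rich rules never matched; if it is empty and sshd is still logging attempts from those ranges, then the precedence question is the right one to pursue, otherwise the rules simply do not cover the traffic. Rules added with `--permanent` take effect after `firewall-cmd --reload`.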