Blocking IP addresses that keep hammering?

ryno267

In my LogWatch reports every day, I continue to get the same two IPs that keep trying to log into an old demo account I had. I set up a demo account for the control panel and they somehow found it and used it for emailing... I stopped all that and eliminated the account, but they keep pinging my server trying to get into that old account.

Is there a way to completely block these IPs from my server so they don't even show up in the LogWatch anymore?
Maybe you guys should ban these IPs too because they are spammers.

LogWatch:
Code:
--------------------- SSHD Begin ------------------------ 
Failed logins from these:
   admin/password from 211.46.49.252: 2 Time(s)
   admin/password from 66.114.227.251: 6 Time(s)
   guest/password from 211.46.49.252: 1 Time(s)
   guest/password from 66.114.227.251: 3 Time(s)
   root/password from 211.46.49.252: 3 Time(s)
   root/password from 66.114.227.251: 9 Time(s)
   test/password from 211.46.49.252: 3 Time(s)
   test/password from 66.114.227.251: 6 Time(s)
   user/password from 211.46.49.252: 1 Time(s)
   user/password from 66.114.227.251: 3 Time(s)

**Unmatched Entries**
Illegal user test from 211.46.49.252
Illegal user test from 211.46.49.252
Illegal user guest from 211.46.49.252
Illegal user admin from 211.46.49.252
Illegal user admin from 211.46.49.252
Illegal user user from 211.46.49.252
Illegal user test from 211.46.49.252
Illegal user test from 66.114.227.251
Illegal user guest from 66.114.227.251
Illegal user admin from 66.114.227.251
Illegal user admin from 66.114.227.251
Illegal user user from 66.114.227.251
Illegal user test from 66.114.227.251
Illegal user test from 66.114.227.251
Illegal user guest from 66.114.227.251
Illegal user admin from 66.114.227.251
Illegal user admin from 66.114.227.251
Illegal user user from 66.114.227.251
Illegal user test from 66.114.227.251
Illegal user test from 66.114.227.251
Illegal user guest from 66.114.227.251
Illegal user admin from 66.114.227.251
Illegal user admin from 66.114.227.251
Illegal user user from 66.114.227.251
Illegal user test from 66.114.227.251
---------------------- SSHD End -------------------------
Thanks much, guys!
 

SarcNBit

You didn't say what OS you were running.

If you are running iptables, you can enter:

iptables -A INPUT -s <IP> -j DROP

as root from a shell inserting the IP you want to block for <IP> and repeat as needed.
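
Added example, not part of the original thread: a POSIX shell function that turns the "Failed logins" lines of a LogWatch SSHD report into the `iptables` rule suggested above, printing the rules for review instead of running them. The function name `block_rules`, the threshold, the allowlist argument and the sample report (with constructed counts and two constructed addresses) are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample in the format of the LogWatch report quoted in the thread.
# 192.0.2.10 stands in for an admin's own address; 999.1.1.1 is deliberately malformed.
SAMPLE_REPORT='Failed logins from these:
   admin/password from 211.46.49.252: 2 Time(s)
   root/password from 211.46.49.252: 3 Time(s)
   root/password from 66.114.227.251: 9 Time(s)
   test/password from 66.114.227.251: 6 Time(s)
   root/password from 192.0.2.10: 12 Time(s)
   user/password from 999.1.1.1: 50 Time(s)
Illegal user test from 66.114.227.251'

# block_rules THRESHOLD ALLOWLIST < report
# Sums failed logins per source IP and prints one DROP rule for every IP whose
# total is >= THRESHOLD. ALLOWLIST is a space-separated list of addresses that
# must never be blocked (your own, your techs'). Malformed addresses are
# skipped so that nothing unexpected from the log ends up in a firewall command.
# "Illegal user" lines are ignored; only the counted summary lines are used.
block_rules() {
    awk -v threshold="$1" -v allow="$2" '
        function valid_ipv4(addr,    n, o, i) {
            n = split(addr, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                    return 0
            return 1
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $2 == "from" && $5 == "Time(s)" {
            ip = $3; sub(/:$/, "", ip)
            if (valid_ipv4(ip) && !(ip in skip)) sum[ip] += $4
        }
        END {
            # -A appends: an ACCEPT rule earlier in INPUT would still match first.
            for (ip in sum)
                if (sum[ip] >= threshold)
                    print "iptables -A INPUT -s " ip " -j DROP"
        }' | LC_ALL=C sort
}

# Dry run on the sample: prints the single rule for 66.114.227.251.
printf '%s\n' "$SAMPLE_REPORT" | block_rules 10 "192.0.2.10"
```

Review the printed rules before running them as root, and keep your own address in the allowlist so a mistyped password cannot lock you out.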
 

JamieH

What I do

Well, what I do (on Red Hat 9) is edit the /etc/hosts.allow and hosts.deny files.

I have it to where only me and techs can access ssh.
 

Chew

NovemberRain said:
Just change the ssh port to something else.
That's just what I did...

Changed my port number, and now, haven't had a single login attempt for about a month now.

Chew
 

SarcNBit

I am not sure why you would limit it to TCP traffic (-p tcp). The post I made earlier would cover all traffic from a single IP.

SarcNBit said:
You didn't say what OS you were running.

If you are running iptables, you can enter:

iptables -A INPUT -s <IP> -j DROP

as root from a shell inserting the IP you want to block for <IP> and repeat as needed.
 

bmcpanel

Got the following from a post on one of the forums I visit. It seems to work quite well.
------------------------------------

/sbin/route add -host 111.111.111.111 reject

where 111.111.111.111 is the origin IP.

This will kill all incoming and outgoing connections from that IP.

There is no file it's written to. It is kept in the kernel routing table (which is in memory).

If you would like to save the information after rebooting, just add the commands to /etc/rc.d/rc.local and it will re-execute them when the server comes back online.