While checking out /var/log/secure, I noticed that a particular IP address has been repeatedly trying to gain access to my system. The log is full of messages of the type:
Jan 25 23:53:50 admin sshd[27108]: refused connect from BAD.IP.ADD.RESS (BAD.IP.ADD.RESS)
In an attempt to make my server more secure, I did the following:
iptables -A INPUT -s BAD.IP.ADD.RESS -j DROP
/sbin/service iptables save
When I did an iptables -L, the system reported:
DROP all -- BAD.IP.ADD.RESS anywhere
So all looks good; however, the log continues to show refused connections from this IP.
Questions:
- Did I take the right actions to block this IP address?
- If yes, then why am I continuing to see the log entries?
- If no, then what should I do?
Thank you.
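Two facts explain what the original poster is seeing. The "refused connect from ..." message is written by sshd's TCP wrappers support (hosts.allow/hosts.deny), so every one of those log lines is a connection that passed the packet filter and reached sshd. And `iptables -A` appends: the DROP lands at the end of INPUT, behind the stock rules that accept established traffic and tcp/22 (and, on a default CentOS ruleset, behind a catch-all REJECT), while `iptables -L` without `--line-numbers` does not show where a rule sits. The chain is evaluated top to bottom and the first matching rule decides, so the appended DROP is never consulted for an SSH connection. The fix is to insert it at the top (`iptables -I INPUT 1 -s BAD.IP.ADD.RESS -j DROP`), then check with `iptables -L INPUT -n -v --line-numbers` that the DROP is rule 1 and that its pkts counter grows while the attacker keeps trying; only then run `service iptables save`. The Python below is an added example, not code from this thread: it models that first-match evaluation with a constructed rule set standing in for the stock CentOS INPUT chain, and a documentation address standing in for BAD.IP.ADD.RESS.

```python
"""Model of netfilter first-match evaluation for the INPUT chain.

Added example, not code from the thread. The rule set is a constructed
stand-in for a stock CentOS firewall (accept established traffic, accept
tcp/22, reject everything else); BAD_IP is a documentation (TEST-NET-3) address.
"""
from dataclasses import dataclass
from typing import List, Optional

BAD_IP = "203.0.113.45"   # constructed; stands in for BAD.IP.ADD.RESS


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str    # "tcp" / "udp" / "icmp"
    dport: int
    state: str    # conntrack state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field matches anything (no -s/-p/--dport/--state given)."""
    target: str
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.src in (None, pkt.src)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport)
                and self.state in (None, pkt.state))


def stock_input_chain() -> List[Rule]:
    """Constructed approximation of the default CentOS INPUT rules, in order."""
    return [
        Rule("ACCEPT", state="ESTABLISHED"),      # -m state --state ESTABLISHED,RELATED -j ACCEPT
        Rule("ACCEPT", proto="tcp", dport=22),    # -p tcp --dport 22 -j ACCEPT
        Rule("REJECT"),                           # -j REJECT --reject-with icmp-host-prohibited
    ]


def append_rule(chain: List[Rule], rule: Rule) -> List[Rule]:
    """iptables -A INPUT ...: the rule lands at the END of the chain."""
    return chain + [rule]


def insert_rule(chain: List[Rule], rule: Rule, position: int = 1) -> List[Rule]:
    """iptables -I INPUT <position> ...: positions are 1-based, default 1 (top)."""
    return chain[:position - 1] + [rule] + chain[position - 1:]


def first_match(chain: List[Rule], pkt: Packet) -> Optional[int]:
    """0-based index of the first rule that matches, or None (chain policy applies)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return i
    return None


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """The target of the first matching rule decides; nothing after it is consulted."""
    i = first_match(chain, pkt)
    return policy if i is None else chain[i].target


# A fresh SSH connection attempt from the attacker (TCP SYN, conntrack state NEW).
ATTACK_SYN = Packet(src=BAD_IP, proto="tcp", dport=22, state="NEW")
DROP_BAD_IP = Rule("DROP", src=BAD_IP)          # -s BAD_IP -j DROP


def compare() -> dict:
    """Verdict for the attacker's SYN under the appended vs. the inserted DROP rule."""
    appended = append_rule(stock_input_chain(), DROP_BAD_IP)
    inserted = insert_rule(stock_input_chain(), DROP_BAD_IP)
    return {
        "appended (-A)": verdict(appended, ATTACK_SYN),        # ACCEPT: the tcp/22 rule wins
        "inserted (-I INPUT 1)": verdict(inserted, ATTACK_SYN),
        "appended rule index hit": first_match(appended, ATTACK_SYN),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:24s} -> {result}")
```

Running it shows the appended DROP losing to rule 2 (the tcp/22 ACCEPT) while the inserted one matches first. The same applies to the saved rules file: `service iptables save` writes the chain in its current order, so a rule appended with `-A` stays appended across reboots.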
This sounds like someone is trying to brute-force your server. I don't think blocking just one IP, or even a few, does any good, as the person on the other side can easily change IP or, in most cases, use a botnet with hundreds or even thousands of IPs. I can tell you what I did with my server (clean/fresh CentOS 7 with Webmin/Virtualmin): first, I removed SSH login with password and instead use keys.
mkdir ~/.ssh; touch ~/.ssh/authorized_keys; chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys   # keep the key file private; sshd (StrictModes) rejects group/world-writable files
nano ~/.ssh/authorized_keys        # paste your public key, one key per line
# In /etc/ssh/sshd_config:
# The default requires explicit activation of protocol 1
Protocol 2
In case you don't have it, or it says something else, change it to what you see here.
Another thing you can do is change the default SSH port.
From now on you will use a key to authenticate SSH on a non-default port. Nothing is 100% safe, but at least you have made it a lot harder for people to brute-force your server.
To be sure you will not delete your two key files, open your email (preferably a new email on Gmail) and send them to yourself. Use the same email for similar things and just that; do not use it publicly or give it to anyone.
You can use fail2ban, but honestly I gave up, as I encountered so many problems with CentOS 7 that made me crazy (it was OK on CentOS 6.6).
I don't think of myself as some sort of sysadmin guru, so if you want, wait and see what others have to say.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
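The reply above names the settings but not the trap in the stock file: sshd takes the first value it reads for each keyword, so appending `PasswordAuthentication no` to the bottom of /etc/ssh/sshd_config does nothing if the file already says `PasswordAuthentication yes` further up, and `Protocol 2,1` still offers SSH-1. One caveat the reply does not mention: on CentOS, with `UsePAM yes`, `ChallengeResponseAuthentication` must also be `no`, or keyboard-interactive authentication keeps prompting for a password after `PasswordAuthentication no`. The Python below is an added example (not from the thread, not OpenSSH code) that reads a config text with that first-value-wins rule and reports which of these settings miss their target; both config texts are constructed, and Match blocks are deliberately not modelled.

```python
"""Audit an sshd_config for the settings the reply recommends.

Added example, not from the thread and not OpenSSH code. It reproduces one
rule of sshd's parser: for each keyword the FIRST value read wins, so a
hardened line appended at the bottom changes nothing if the keyword was
already set above it. Match blocks are not modelled (parsing stops at the
first one). Both config texts are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed: stock-looking file with "hardening" appended at the end.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# appended later, in the belief that it takes effect
PasswordAuthentication no
Port 2222
"""

# Constructed: the same file with every keyword set once, to the wanted value.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# OpenSSH's compiled-in defaults for the keywords checked (lower-cased keys).
DEFAULTS = {
    "port": "22",
    "protocol": "2",   # OpenSSH 5.4 and later; older builds defaulted to "2,1", so set it explicitly
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# keyword -> (required value, why)
WANTED = {
    "protocol": ("2", "anything listing 1 (e.g. '2,1') still offers SSH-1"),
    "pubkeyauthentication": ("yes", "key logins must stay on before passwords go off"),
    "passwordauthentication": ("no", "no password logins"),
    "challengeresponseauthentication": ("no", "with UsePAM yes, keyboard-interactive still prompts for a password"),
}

# "Keyword value" or "Keyword=value", as sshd_config allows.
KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def effective_settings(text: str) -> Dict[str, str]:
    """First occurrence of each keyword wins; comments and blank lines are skipped."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break                      # conditional section: out of scope here
        m = KEYVAL.match(line)
        if not m:
            continue
        seen.setdefault(m.group(1).lower(), m.group(2).strip())
    return seen


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, reason) for every setting that misses the target."""
    eff = effective_settings(text)
    findings = []
    for key, (want, why) in WANTED.items():
        got = eff.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append((key, got, why))
    port = eff.get("port", DEFAULTS["port"])
    if port == "22":
        findings.append(("port", port, "still on the default port"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

On the weak file the audit reports Protocol, PasswordAuthentication, ChallengeResponseAuthentication and Port, even though the last two lines of that file look like they fix two of them. After editing the real file, run `sshd -t` to syntax-check it and keep your current session open while you test the key login from a second terminal, so a mistake does not lock you out.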
Hi,
In addition to the above ideas, it's good practice to install an "intrusion detection system" (IDS) on your server to automate protection against annoying attacks.
The IDS will detect common attacks and take appropriate measures to reduce the impact you face. In addition, if the attack is serious enough and potentially affecting other customers, I'd report the matter to your provider to see if they can take measures higher up in the network infrastructure.
A few IDSes that come to mind are:
OSSEC (http://www.ossec.net)
Fail2Ban (http://www.fail2ban.org)
Best Regards,
Peter Knowles
TPN Solutions
Email: pknowles@tpnsolutions.com
Phone: 604-782-9342
Skype: tpnsupport
Website: http://www.tpnsolutions.com
Ask me about my new support plans which include a FREE copy of Virtualmin Pro!!!
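What fail2ban adds over the hand-placed rule in the first post is the decision logic: read the log, count failures per source inside a time window (its findtime and maxretry settings), and ban a source once it crosses the threshold. Its shipped iptables actions also create their own chain and insert a jump to it at the top of INPUT with `-I`, which is why its bans take effect where an appended `-A` rule does not. The Python below is an added example, not fail2ban's own filters or actions and not code from this thread: it runs that sliding-window logic over a constructed /var/log/secure excerpt (one noisy source, one legitimate user, documentation addresses) and emits the firewall command for each offender. Syslog lines carry no year, so one is assumed.

```python
"""Fail2ban-style detection over sshd log lines.

Added example: not the thread's code and not fail2ban's own filters or
actions. It counts hits per source IP in a sliding window (fail2ban's
findtime/maxretry idea) over a constructed /var/log/secure excerpt and
emits the firewall command to ban the offender. Lines lack a year, as in
syslog; one is supplied as an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

# Constructed log excerpt: one noisy source (TEST-NET-3) and one legitimate user.
SAMPLE_LOG = """\
Jan 25 23:53:50 admin sshd[27108]: refused connect from 203.0.113.45 (203.0.113.45)
Jan 25 23:53:52 admin sshd[27110]: refused connect from 203.0.113.45 (203.0.113.45)
Jan 25 23:53:55 admin sshd[27112]: Failed password for invalid user oracle from 203.0.113.45 port 51342 ssh2
Jan 25 23:54:01 admin sshd[27115]: Failed password for root from 203.0.113.45 port 51350 ssh2
Jan 25 23:54:09 admin sshd[27119]: Failed password for root from 203.0.113.45 port 51360 ssh2
Jan 25 23:55:30 admin sshd[27130]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Jan 25 23:55:41 admin sshd[27131]: Accepted publickey for alice from 198.51.100.7 port 40123 ssh2
"""

# Which sshd messages count as a failed attempt (constructed patterns, not fail2ban's).
FAILURE_PATTERNS = [
    re.compile(r"refused connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),         # TCP wrappers denial
    re.compile(r"Failed password for .+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),  # bad password
]
TIMESTAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")


def parse_timestamp(line: str, year: int = 2015) -> datetime:
    """Syslog lines carry no year; 2015 is assumed for the sample."""
    m = TIMESTAMP.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def failure_source(line: str) -> Optional[str]:
    """IP of a failed attempt, or None for lines that are not failures."""
    for pat in FAILURE_PATTERNS:
        m = pat.search(line)
        if m:
            return m["ip"]
    return None


def offenders(log: str, maxretry: int = 5, findtime: int = 600) -> Dict[str, datetime]:
    """Sources with >= maxretry failures inside any findtime-second window -> time of ban."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in log.splitlines():
        ip = failure_source(line)
        if ip is None or ip in banned:
            continue
        now = parse_timestamp(line)
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:   # slide the window forward
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = now
    return banned


def ban_commands(banned: Dict[str, datetime]) -> List[str]:
    """-I puts the DROP at the top of INPUT; -A would append it behind the tcp/22 ACCEPT."""
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    for cmd in ban_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

With the defaults (5 failures within 600 seconds) only 203.0.113.45 is banned, at the moment of its fifth failure; alice's single typo is not. Narrowing findtime to 10 seconds bans nobody, which is the trade-off fail2ban's settings express: too short a window misses a patient attacker, too low a maxretry bans your own users.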