2

I am getting repeated login attempts from this IP address, 45.135.232.165, apparently a known Russian abusive host. I want to block all traffic on all ports from the entire subnet 45.135.232.*, so I did

ufw deny from 45.135.232.0/24

ufw status shows the rule as

To                         Action      From
--                         ------      ----
Anywhere                   DENY        45.135.232.0/24

However, lastb still reports daily login attempts from the above mentioned address. What am I missing?

1 Answer

2

Under normal circumstances, the mentioned command should work perfectly. However, if it’s not working as expected, then you need to see if there’s an existing rule in iptables allowing the same IP to have access to your machine. If that’s the case, then your system will give it priority over the deny rule because it appears first in the iptables rule set.

To fix this issue, you need to prioritize the ufw deny rule over the other rules set for the same IP/subnet on your system. Run the following command:

ufw insert 1 deny from 45.135.232.0/24

The insert 1 part in the above command puts the rule at 1st position in the iptables rule set. Hence, it’s prioritized over any other rule set for the same IP.

For different scenarios, you can check here, which may help you.

  • 1
    Aha! I did not know that. I thought deny always took precedence over allow. I had allow from anywhere to any port 22 as my first rule. – Christian Brinch Jun 24 '21 at 11:52
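
The first-match behaviour discussed in this thread, as an added example that is not part of the original posts: a small shell/awk check that walks `ufw status numbered` output top to bottom and reports which rule decides the fate of a packet. The two listings are constructed from the rules mentioned on this page, and `first_match` is a hypothetical helper that assumes simple IPv4 rules.

```shell
#!/bin/sh
# Added example. Constructed `ufw status numbered` output for the rule set
# described on this page, before and after `ufw insert 1 deny ...`.
BEFORE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] Anywhere                   DENY IN     45.135.232.0/24'

AFTER='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     45.135.232.0/24
[ 2] 22                         ALLOW IN    Anywhere'

# first_match SRC_IP PORT (hypothetical helper): reads the listing on stdin and
# prints "<rule number> <action>" for the first IPv4 rule matching the packet.
# Assumes simple rules: To is "Anywhere" or a port, From is "Anywhere" or CIDR.
first_match() {
    awk -v src="$1" -v port="$2" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, net,    p, bits, size) {
        if (net == "Anywhere") return 1
        split(net, p, "/")
        bits = (p[2] == "") ? 32 : p[2]
        size = 2 ^ (32 - bits)            # addresses covered by the prefix
        return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
    }
    /^\[/ && !/\(v6\)/ {
        n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)   # rule number
        sub(/^\[[ 0-9]+\] */, "")                         # drop "[ N]" prefix
        split($1, t, "/")                                 # "22/tcp" -> "22"
        if (($1 == "Anywhere" || t[1] == port) && in_net(src, $4)) {
            print n, $2; found = 1; exit                  # first match wins
        }
    }
    END { if (!found) print "0 DEFAULT" }'
}

echo "before: $(printf '%s\n' "$BEFORE" | first_match 45.135.232.165 22)"
echo "after:  $(printf '%s\n' "$AFTER"  | first_match 45.135.232.165 22)"
```

On a live host the same function can be fed with `ufw status numbered | first_match 45.135.232.165 22`; a result of `0 DEFAULT` means no listed rule matched and the default policy applies.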