How to stop failed login attempts by a domain

Question

I'm getting a ton of bruteforce attacks today from a domain rather then an IP. I tracked down the websites IP address and blocked it but I am still getting the bruteforce warnings. Can I some how use iptables to block a domain name?

alumni.xjtu.edu.cn

@SpacemanSpiff I would guess SSH, but i'm not sure. This is the message I get. 5 failed login attempts to account root (system) -- Large number of attempts from this IP: alumni.xjtu.edu.cn — Michael Howey, Nov 12 '12 at 22:13
I've been getting them every 5 minutes for the last 10 hours. Normally I block the IP and I'm good to go. @SpacemanSpiff — Michael Howey, Nov 12 '12 at 22:14

score 2 · Answer 1 · answered Nov 12 '12 at 22:50

2

Use a tool like fail2ban to automatically detect and ban these brute-force login attempts.

answered Nov 12 '12 at 22:50

Michael Hampton

237,123
42
477
940

score 1 · Answer 2 · answered Nov 12 '12 at 22:49

1

Ban 202.117.3.104. This IP has a PTR record (reverse dns) and it resolves to alumni.xjtu.edu.cn. Reverse DNS

answered Nov 12 '12 at 22:49

FINESEC

1,371
7
8

Tried that, didn't work – Michael Howey Nov 12 '12 at 22:54

score 1 · Accepted Answer · answered Nov 12 '12 at 22:59

You may want to consider doing a reverse DNS query, then a whois query do determine the network block and finally just drop the whole network block.

Commands:

host alumni.xjtu.cn
alumni.xjtu.edu.cn has address 202.117.3.104

whois 202.117.3.104
inetnum:        202.117.0.0 - 202.117.63.255
netname:        XJTU-CN
descr:          Xian Jiaotong University
descr:          Xian
descr:          Shanxi Province
...

iptables -A INPUT -p tcp --source 202.117.0.0/17 -j DROP

No more TCP connections from the whole university.

So basically run this line in putty? iptables -A INPUT -p tcp --source 202.117.0.0/17 -j DROP — Michael Howey, Nov 12 '12 at 23:06

How to stop failed login attempts by a domain

3 Answers3