
Someone has been doing a brute-force attack on my server for several days now, each time through a different external IP address (hundreds so far) but always through the same, I assume local, IP address: 192.168.2.33

The question is: is there a way to create an iptables rule to block by that specific internal IP address regardless of the external IP address used? I've tried blocking that IP directly in CSF, but to no avail.

2014-08-07 11:44:05 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:15 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:32 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 15:52:11 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
2014-08-07 15:52:17 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
Ivan
  • I didn't manage to find an explanation of what the two IP addresses in the logfile mean. However, it appears lots of people are seeing `192.168.2.33` in that field in the log. But it is a local IP, so you couldn't be communicating with that IP across the internet. The other IP in the log is likely the client IP. – kasperd Aug 07 '14 at 15:18

1 Answer


I just had exactly this same problem. Iptables is a good idea, but you can also use hosts.[allow|deny], which I find is a little easier.

Example

Particularly strict example -- whitelist only. First deny everything:

# cat /etc/hosts.deny
ALL: ALL

And the allow rules:

# cat /etc/hosts.allow
sshd: 192.168.0.100

Also, this is a good article:

http://www.debian-administration.org/article/87/Keeping_SSH_access_secure

JDS
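As an added example (not from the question or the answer above), the following Python script parses log lines in the exact format shown in the question, demonstrates that the bracketed first address is constant (so it is not a useful blocking key) while the second address is the real client, and emits hosts.deny entries in the `ALL: <address>` form used in the answer for clients that exceed a failure threshold. The sample lines are constructed copies of the question's log; the threshold value and the assumption that the service honours TCP wrappers are mine.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the question. The first,
# bracketed address is the server-side field that never changes; the second
# address (with a port) is the connecting client.
SAMPLE_LOG = """\
2014-08-07 11:44:05 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:15 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:32 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 15:52:11 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
2014-08-07 15:52:17 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
"""

LINE_RE = re.compile(
    r"dovecot_login authenticator failed for \(\[(?P<local>[\d.]+)\]\) "
    r"\[(?P<client>[\d.]+)\]:(?P<port>\d+): 535 .*set_id=(?P<user>\S+)\)"
)


def parse_failures(text):
    """Return (local_ip, client_ip, user) for every failed login line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append((m.group("local"), m.group("client"), m.group("user")))
    return found


def local_addresses(text):
    """Distinct values of the first field; on the page this is only 192.168.2.33."""
    return {local for local, _, _ in parse_failures(text)}


def failures_per_client(text):
    """Count failed logins by the connecting client address (the second field)."""
    return Counter(client for _, client, _ in parse_failures(text))


def hosts_deny_lines(text, threshold=3):
    """hosts.deny entries (ALL: <client>) for clients at or above the threshold.

    Assumes the listening service honours TCP wrappers; otherwise the same
    addresses are the ones to feed to iptables or CSF instead."""
    counts = failures_per_client(text)
    return ["ALL: %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    print("constant local field:", local_addresses(SAMPLE_LOG))
    print("\n".join(hosts_deny_lines(SAMPLE_LOG)))
```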