Monday, October 30, 2017

Blocking an IP Address

Well, well, well: I've acquired my very own hacker.

I was looking in my various log files to see if a broken disk was even trying to mount (it wasn't). The most recently written log file was /var/log/auth.log, so I opened it up and found messages along the lines of:

Oct 30 18:51:02 hal sshd[5843]: Failed password for root from xxx.yyy.zzz.aa port 39551 ssh2
Oct 30 18:51:07 hal sshd[5843]: message repeated 2 times: [ Failed password for root from xxx.yyy.zzz.aa port 39551 ssh2]
Oct 30 18:51:07 hal sshd[5843]: Received disconnect from xxx.yyy.zzz.aa port 39551:11:  [preauth]
Oct 30 18:51:07 hal sshd[5843]: Disconnected from xxx.yyy.zzz.aa port 39551 [preauth]
Oct 30 18:51:07 hal sshd[5843]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.yyy.zzz.aa  user=root

Where xxx.yyy.zzz.aa maps to a country that absolutely, positively, certainly is our friend.

Said frenemy wasn't happy trying just port 39551, and hit other ports as well. He/She/It is obviously trying a brute-force password attack against hal (That's never a good idea, Dave). The question is, what to do about it?

A quick Google Search found How Do I Block an IP Address on My Linux server?, which gives the answer: to block a specific address, use the command:

 sudo iptables -A INPUT -s xxx.yyy.zzz.aa -j DROP

where xxx.yyy.zzz.aa is the specific address you want to drop.

I did that, and it worked: the attack from that specific address stopped. But I'm sure there will be others.
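As an added example (not part of the original post), here is a small POSIX shell script that tallies the "Failed password" lines in auth.log per source address, weighting the "message repeated N times" lines the way sshd logs them, and prints the block command from above for any address that crosses a threshold. The addresses in the embedded sample log are constructed documentation addresses, and the script only prints commands; it never runs iptables itself.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (documentation addresses, not real attackers).
SAMPLE_LOG='Oct 30 18:51:02 hal sshd[5843]: Failed password for root from 198.51.100.23 port 39551 ssh2
Oct 30 18:51:07 hal sshd[5843]: message repeated 2 times: [ Failed password for root from 198.51.100.23 port 39551 ssh2]
Oct 30 18:51:07 hal sshd[5843]: Received disconnect from 198.51.100.23 port 39551:11:  [preauth]
Oct 30 18:52:10 hal sshd[5850]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Oct 30 18:53:01 hal sshd[5861]: Accepted publickey for dave from 192.0.2.5 port 50123 ssh2'

# Count failed SSH logins per source address, reading auth.log on stdin.
# A "message repeated N times" line stands for N further failures, so it
# adds N rather than 1. Output: "count ip" lines, highest count first.
count_failures() {
    awk '
        /Failed password for/ {
            n = 1
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), parts, " ")
                n = parts[3]
            }
            # The source address is the field right after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip] += n
        }
        END { for (ip in fails) print fails[ip], ip }
    ' | sort -rn
}

# Print the iptables DROP command from the post for every address with at
# least THRESHOLD failures. Review the list, then run the commands by hand.
# Usage: suggest_blocks THRESHOLD < /var/log/auth.log
suggest_blocks() {
    threshold="$1"
    count_failures | awk -v t="$threshold" \
        '$1 >= t { print "sudo iptables -A INPUT -s " $2 " -j DROP" }'
}

# Demonstration on the constructed sample: only 198.51.100.23 (1 + 2 = 3
# failures) reaches the threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | suggest_blocks 3
```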

It looks like that will work OK, but I'm also going to investigate ipsets, as noted in: How to block unwanted IP addresses on Linux efficiently. I'll let you know how it works.

P.S.: Should you “accidentally” block your weird uncle's IP, you can get it back with the command:

 sudo iptables -D INPUT -s xxx.yyy.zzz.aa -j DROP
