www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 

Unable to block address from trying to access my SSH server

 
matthew.a.squires



Joined: 03 Jul 2008
Posts: 110

Posted: Mon May 11, 2015 2:42 am    Post subject: Unable to block address from trying to access my SSH server

I am unable to block addresses from trying to access my SSH server.
I have tried the full IP range: NO LUCK
I have tried the CIDR: NO LUCK.
The same addresses keep trying long after the rule is applied...


I got the CIDR from the site: http://www.myipaddressdetails.com/ip/113.195.145.70.html

Please assist....

Firewall Rules:

blockedcountries Rules
Seq Input Output Description Log Active
1 * * DROP all opt -- in * out * 58.0.0.0/8 -> 0.0.0.0/0 no
2 * * DROP all opt -- in * out * 218.0.0.0/8 -> 0.0.0.0/0 no
3 * * DROP all opt -- in * out * 115.0.0.0/8 -> 0.0.0.0/0 no
4 * * DROP all opt -- in * out * 182.0.0.0/8 -> 0.0.0.0/0 no
5 * * DROP all opt -- in * out * 222.0.0.0/8 -> 0.0.0.0/0 no
6 * * DROP all opt -- in * out * 221.0.0.0/8 -> 0.0.0.0/0 no
7 * * DROP all opt -- in * out * 60.0.0.0/8 -> 0.0.0.0/0 no
8 * * DROP all opt -- in * out * 113.0.0.0/8 -> 0.0.0.0/0 no
9 * * DROP all opt -- in * out * 182.0.0.0/8 -> 0.0.0.0/0 no
10 * * DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 source IP range 198.50.219.216-198.50.219.219 no
11 * * DROP all opt -- in * out * 90.0.0.0/8 -> 0.0.0.0/0 no



How can I use the ACL from the site: "https://www.countryipblocks.net/country_selection.php" in Zeroshell to reduce the assault on my Zeroshell router????


Here are some examples of them trying:

22:40:46 User root not allowed because account is locked
22:40:46 Failed none for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:46 error: Could not get shadow information for NOUSER
22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:47 Connection from 113.195.145.70 port 33558
22:40:49 User root not allowed because account is locked
22:40:49 Failed none for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:49 error: Could not get shadow information for NOUSER
22:40:49 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:49 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:50 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:50 Connection from 113.195.145.70 port 40981
22:40:52 User root not allowed because account is locked
22:40:52 Failed none for invalid user root from 113.195.145.70 port 40981 ssh2
22:40:53 error: Could not get shadow information for NOUSER
22:40:53 Failed password for invalid user root from 113.195.145.70 port 40981 ssh2
22:40:53 Failed password for invalid user root from 113.195.145.70 port 40981 ssh2
22:40:53 Failed password for invalid user root from 113.195.145.70 port 40981 ssh2
22:40:54 Connection from 113.195.145.70 port 49260
22:40:56 User root not allowed because account is locked
22:40:56 Failed none for invalid user root from 113.195.145.70 port 49260 ssh2
22:40:56 error: Could not get shadow information for NOUSER
22:40:56 Failed password for invalid user root from 113.195.145.70 port 49260 ssh2
22:40:56 Failed password for invalid user root from 113.195.145.70 port 49260 ssh2
22:40:57 Failed password for invalid user root from 113.195.145.70 port 49260 ssh2
22:40:57 Connection from 113.195.145.70 port 56738
22:40:59 User root not allowed because account is locked
22:40:59 Failed none for invalid user root from 113.195.145.70 port 56738 ssh2
_________________
Thank You;
Matthew Squires
redfive



Joined: 27 Aug 2009
Posts: 232

Posted: Mon May 11, 2015 6:14 am

If you need ssh access from your wan interface (otherwise, you may simply play with the ssh tab), you may take a look at your SYS_SSH chain
Code:
root@captive ~> iptables -L SYS_SSH -v
Chain SYS_SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     192.168.0.0/24       anywhere
  485 38144 ACCEPT     all  --  ETH02  any     anywhere             anywhere
   78  5908 ACCEPT     all  --  ETH01  any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere
Then add a line for each CIDR you want to block, e.g. with 50.0.0.0/8
Code:
root@captive ~> iptables -I SYS_SSH -s 50.0.0.0/8 -j DROP
Let's look now at the ssh chain
Code:
root@captive ~> iptables -L SYS_SSH -v
Chain SYS_SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     50-0-0-0.static.sonic.net/8  anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     192.168.0.0/24       anywhere
  579 44556 ACCEPT     all  --  ETH02  any     anywhere             anywhere
   78  5908 ACCEPT     all  --  ETH01  any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere
Remember, -I (--insert) will always add the rule at the top of the chain, so if you add 4 rules, the 4th will be the 1st, the 3rd the 2nd and so on. You may add the rules in the post-boot script.
Regards
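
The steps above, extended to a whole CIDR list, as an added example that is not part of the original post or of Zeroshell. It validates each entry and prints `iptables -I SYS_SSH <rulenum> ...` commands with explicit rule numbers so the list order is kept instead of reversed; the list format (one CIDR per line, `#` comments) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: emit reviewed iptables commands for the SYS_SSH chain.

# valid_cidr CIDR: succeed only for a well-formed IPv4 a.b.c.d/n.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Digits and dots only, so the unquoted split below cannot glob.
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ssh_drops: read a CIDR list on stdin and print one command per unique,
# valid entry. Explicit rule numbers (1, 2, 3, ...) keep the list order at the
# top of the chain, whereas a bare -I would reverse it.
gen_ssh_drops() {
    pos=1; seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        cidr=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comments, blanks
        [ -n "$cidr" ] || continue
        if ! valid_cidr "$cidr"; then
            echo "skipped invalid entry: $cidr" >&2
            continue
        fi
        case "$seen" in *" $cidr "*) continue ;; esac       # already emitted
        seen="$seen$cidr "
        echo "iptables -I SYS_SSH $pos -s $cidr -j DROP"
        pos=$((pos + 1))
    done
}

# Constructed sample: networks from the rule list quoted in the thread
# (182.0.0.0/8 appears twice there) plus one deliberately malformed line.
SAMPLE_LIST='# blocked networks
58.0.0.0/8
113.0.0.0/8
182.0.0.0/8
300.1.2.0/24
182.0.0.0/8   # duplicate'

printf '%s\n' "$SAMPLE_LIST" | gen_ssh_drops
```

Review the printed commands before placing them in the post-boot script. Listing the chain with `iptables -n -L SYS_SSH -v` skips the reverse-DNS lookup that turned 50.0.0.0/8 into a hostname in the listing above.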
matthew.a.squires



Joined: 03 Jul 2008
Posts: 110

Posted: Mon May 11, 2015 4:54 pm

I will DROP all inbound traffic in my WAN Port and ALLOW the USA Country ACL.

So !!! Is there a way in Zeroshell for me to add all of a Country ACL (IP Addresses) with the CIDR Notations ????
_________________
Thank You;
Matthew Squires
redfive



Joined: 27 Aug 2009
Posts: 232

Posted: Mon May 11, 2015 5:40 pm

From web ui, System, Setup, ssh, you can declare from which interfaces (and which ip addresses) the ssh management is allowed; once you declare a rule, an implicit 'deny any' is added at the end.
So, you may allow the management from the internal lans (or ip addresses) then add rules for wan interface and your IP Addresses Blocks.
Regards
matthew.a.squires



Joined: 03 Jul 2008
Posts: 110

Posted: Wed May 13, 2015 11:42 am

Thank You for your response. I was putting too much thought and effort into my network security and overthinking the process. I forgot about the acronym "KISS (Keep It Simple Stupid)".
I was able to build on it and added additional security to my Debian Server. For example, I limited access from the WAN connected to a small section of a carrier Sub-Net. Now, my Router is not crashing as a result of Processor Overload due to external assault.

Thank You very much.....
_________________
Thank You;
Matthew Squires