Blocked IP-ranges on server manually, but still getting Failed Logins in Brute Force?

BakkerM

Hi all,

As we were getting fed up with hundreds of login attempts from China, Russia, the USA, etc., I decided to look up all IPs with 50 or more login attempts and made a complete list of IP ranges.
This resulted in a very good list, but though I have added the IPs to iptables (and saved it, of course), I discovered this morning that there are still login attempts...?

If I ban a range, like this:
Code:
iptables -A INPUT -s 89.248.168.0/24 -j DROP

It should completely block anyone on 89.248.168.x who tries to log in to the DA panel, email, SSH, etc. Right?


I don't know what I am doing wrong here, but I just noticed the following this morning:
Code:
89.248.168.219	150	Dec 12 15:09	Dec 13 08:40	No	No	IP Info

So apparently they can still try to log in? Or am I wrong...?


I also checked the ConfigServer Security & Firewall, but the rule is also in there:
Code:
Chain            num   pkts bytes target     prot opt in     out     source               destination         
INPUT            250      0     0 DROP       all  --  *      *       89.248.168.0/24      0.0.0.0/0

So why isn't this IP blocked completely and permanently?
By the way, this is just an example; it happens to all the IPs I blocked.

FYI: I followed the tutorial at: https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm
OS: CentOS 6.9

Should I take other actions? And how can I permanently ban those IPs for real? Currently they can still access everything, or at least try to...

Thanks in advance.
 
Hello,

When using CSF/LFD you should not run the iptables command at all. You should do all operations via csf.

Please run

Code:
csf --help

to see its usage details.
 
Still doesn't matter at all, to be honest. Even if they are added in csf, they keep making brute-force login attempts. Oh well.
 
Really?

I run csf/lfd, and tried your way:

Code:
iptables -A INPUT -s 89.248.168.0/24 -j DROP
iptables -A OUTPUT -d 89.248.168.0/24 -j DROP

checking:

Code:
# iptables-save | grep 89.248.168.0
-A INPUT -s 89.248.168.0/24 -j DROP
-A OUTPUT -d 89.248.168.0/24 -j DROP

results in:

Code:
# ping 89.248.168.1
PING 89.248.168.1 (89.248.168.1) 56(84) bytes of data.
64 bytes from 89.248.168.1: icmp_seq=1 ttl=60 time=0.764 ms
64 bytes from 89.248.168.1: icmp_seq=2 ttl=60 time=2.15 ms
^C
--- 89.248.168.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1679ms
rtt min/avg/max/mdev = 0.764/1.458/2.153/0.695 ms

so the block is not working, and the counters are zero:

Code:
# iptables -L -v -n | grep 89.248.168.0
    0     0 DROP       all  --  *      *       89.248.168.0/24      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            89.248.168.0/24

blocking with csf:

Code:
# csf -d 89.248.168.0/24
Adding 89.248.168.0/24 to csf.deny and iptables DROP...
DROP  all opt -- in eth0 out *  89.248.168.0/24  -> 0.0.0.0/0
REJECT  all opt -- in * out eth0  0.0.0.0/0  -> 89.248.168.0/24  reject-with icmp-port-unreachable

results in:

Code:
# ping 89.248.168.1
From 95.xx.xx.235 icmp_seq=1 Destination Port Unreachable
From 95.xx.xx.235 icmp_seq=1 Destination Port Unreachable
From 95.xx.xx.235 icmp_seq=1 Destination Port Unreachable^C


--- 89.248.168.1 ping statistics ---
0 packets transmitted, 0 received, +3653 errors

it's working:

Code:
# iptables -L -v -n | grep 89.248.168.0
    0     0 DROP       all  --  eth0   *       89.248.168.0/24      0.0.0.0/0
10066  846K REJECT     all  --  *      eth0    0.0.0.0/0            89.248.168.0/24     reject-with icmp-port-unreachable

OK, does not matter?

We don't know what you are doing wrong, or what rules you use there, so you should provide more details so that we can help you.
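An added example, not code from this thread and not csf's or iptables' own code: a small Python model of iptables first-match evaluation over a constructed, CSF-shaped INPUT chain. It shows why a DROP appended with `-A INPUT` lands below the per-port ACCEPT rules csf already installed and never sees a packet (hence a pkts counter that stays at 0), while the same rule inserted ahead of them with `-I INPUT 1` does match, which is in effect what `csf -d` achieved above. The chain contents, the ports, and port 2222 standing in for the DirectAdmin panel are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    text: str
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None


@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 0
    in_iface: str = "eth0"


# Only the matches this example needs; a real ruleset uses many more.
_OPTS = {
    "src": re.compile(r"(?:^|\s)-s\s+(\S+)"),
    "proto": re.compile(r"(?:^|\s)-p\s+(\S+)"),
    "dport": re.compile(r"--dport\s+(\d+)"),
    "in_iface": re.compile(r"(?:^|\s)-i\s+(\S+)"),
    "target": re.compile(r"(?:^|\s)-j\s+(\S+)"),
}


def parse_rule(spec: str) -> Rule:
    """Turn the match/target part of an iptables rule into a Rule."""
    found = {}
    for key, rx in _OPTS.items():
        m = rx.search(spec)
        found[key] = m.group(1) if m else None
    if found["target"] is None:
        raise ValueError("rule has no -j target: %r" % spec)
    return Rule(
        text=spec.strip(),
        target=found["target"],
        src=ipaddress.ip_network(found["src"], strict=False) if found["src"] else None,
        proto=found["proto"],
        dport=int(found["dport"]) if found["dport"] else None,
        in_iface=found["in_iface"],
    )


_CMD = re.compile(r"\s*-(A|I)\s+INPUT(?:\s+(\d+))?\s+(.*)")


def build_chain(commands: List[str]) -> List[Rule]:
    """Apply -A INPUT / -I INPUT [n] commands in order, as iptables does:
    -A appends at the end, -I inserts at 1-based position n (default 1, the top)."""
    chain: List[Rule] = []
    for cmd in commands:
        m = _CMD.match(cmd)
        if not m:
            raise ValueError("only -A/-I INPUT commands are supported: %r" % cmd)
        rule = parse_rule(m.group(3))
        if m.group(1) == "A":
            chain.append(rule)
        else:
            chain.insert(int(m.group(2) or 1) - 1, rule)
    return chain


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """First-match evaluation: (1-based rule number, target) of the first rule
    that matches. ACCEPT/DROP/REJECT are terminal, so later rules are never seen."""
    for n, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return n, rule.target
    return None, "POLICY"  # fell off the end: the chain's default policy applies


# Constructed, CSF-shaped INPUT chain (assumption, not copied from a real server):
# one ACCEPT per open port, then a catch-all drop. Port 2222 = DirectAdmin (assumed).
CSF_LIKE_INPUT = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT",
    "-A INPUT -j DROP",
]
APPENDED_DROP = "-A INPUT -s 89.248.168.0/24 -j DROP"   # the rule from the first post
INSERTED_DROP = "-I INPUT 1 -s 89.248.168.0/24 -j DROP"  # same rule, placed at the top

BRUTE_FORCER = Packet("89.248.168.219", proto="tcp", dport=2222)


def appended_verdict(pkt: Packet = BRUTE_FORCER) -> Tuple[Optional[int], str]:
    """Fate of pkt when the DROP is appended (-A) below csf's ACCEPT rules."""
    return verdict(build_chain(CSF_LIKE_INPUT + [APPENDED_DROP]), pkt)


def inserted_verdict(pkt: Packet = BRUTE_FORCER) -> Tuple[Optional[int], str]:
    """Fate of pkt when the DROP is inserted (-I) ahead of csf's ACCEPT rules."""
    return verdict(build_chain(CSF_LIKE_INPUT + [INSERTED_DROP]), pkt)


if __name__ == "__main__":
    for label, fn in (("-A (appended)", appended_verdict), ("-I (inserted)", inserted_verdict)):
        n, target = fn()
        print(f"{label}: tcp/{BRUTE_FORCER.dport} from {BRUTE_FORCER.src} hits rule {n} -> {target}")
```

On a real box, `iptables -L INPUT -v -n --line-numbers` shows the same ordering together with each rule's pkts counter: a DROP whose counter stays at 0 while the login attempts continue is being shadowed by an ACCEPT that sits above it, and appending another rule with `-A` will not change that.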