Blacklisted IPs are still brutal force attacking

Mezotar

Verified User
Joined
Jun 27, 2014
Messages
7
Hi there,

newbie here so my question may be stupid:-) Well, the thing is, i was looking for a solution regarding brutal force attacks because i got like 200 per day notifications (and some of them has like several thousands failed logins) and the first thing i found was of course this: http://help.directadmin.com/item.php?id=380 ...but i got little scared, some of my users would kill me if something went wrong (i mean, it says that there's no support from direct admin guys right), so i thought i'll try something else. I blocked those IPs via iptables through ssh with "iptables -A INPUT -s xx.xx.xx.xx -j DROP" command which now looks like this:

Chain INPUT (policy ACCEPT 75M packets, 6040M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any 122.224.48.71 anywhere
240 11520 DROP all -- any any s15439909.onlinehome-server.info anywhere
149 8940 DROP all -- any any 46-236-97-96.customer.t3.se anyw here
351 21060 DROP all -- any any TRIONET-235-122.trionet.cz anywh ere
0 0 DROP all -- any any 122.225.97.96 anywhere
5 200 DROP all -- any any 122.225.97.71 anywhere
0 0 DROP all -- any any 122.224.48.71 anywhere
120 5760 DROP all -- any any s242970652.online.de anywhere
0 0 DROP all -- any any 218.2.0.127 anywhere
0 0 DROP all -- any any 192.126.120.37 anywhere
0 0 DROP all -- any any 202.109.143.18 anywhere
0 0 DROP all -- any any TRIONET-235-122.trionet.cz anywh ere
0 0 DROP all -- any any 218.2.0.125 anywhere
0 0 DROP all -- any any 113.107.233.142 anywhere
0 0 DROP all -- any any 192.126.120.37 anywhere
0 0 DROP all -- any any 192.126.120.86 anywhere
0 0 DROP all -- any any 122.225.109.100 anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 416M packets, 319G bytes)
pkts bytes target prot opt in out source destination

So those IPs should be blocked as far as i know, right? But i still got notifications about their brute force attacks. So i'm obviously missing something. I wouldnt mind to manually block IPs since there are not too much of new ones but i guess i need to do something else? Any advice is appreciated.
 
Hello,

Try this guide to configure CSF/LFD + BFM configuration:
http://forum.directadmin.com/showthread.php?t=44839

If you ant to follow your way, mentioned in your post, then you should check the first and the second column: pkts bytes
If you see zeros there, then it means no packet matched the rule.
And of course I'd suggest that you use:

Code:
iptables -A INPUT -s xx.xx.xx.xx -j DROP
iptables -A OUTPUT -d xx.xx.xx.xx -j DROP

to block both directions for an IP.
 
Back
Top