Hi there,
Newbie here, so my question may be stupid. Well, the thing is, I was looking for a solution regarding brute force attacks because I get like 200 notifications per day (and some of them have like several thousand failed logins), and the first thing I found was of course this: http://help.directadmin.com/item.php?id=380 ...but I got a little scared, some of my users would kill me if something went wrong (I mean, it says that there's no support from the DirectAdmin guys, right), so I thought I'd try something else. I blocked those IPs via iptables through SSH with the "iptables -A INPUT -s xx.xx.xx.xx -j DROP" command, which now looks like this:
Chain INPUT (policy ACCEPT 75M packets, 6040M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any 122.224.48.71 anywhere
240 11520 DROP all -- any any s15439909.onlinehome-server.info anywhere
149 8940 DROP all -- any any 46-236-97-96.customer.t3.se anywhere
351 21060 DROP all -- any any TRIONET-235-122.trionet.cz anywhere
0 0 DROP all -- any any 122.225.97.96 anywhere
5 200 DROP all -- any any 122.225.97.71 anywhere
0 0 DROP all -- any any 122.224.48.71 anywhere
120 5760 DROP all -- any any s242970652.online.de anywhere
0 0 DROP all -- any any 218.2.0.127 anywhere
0 0 DROP all -- any any 192.126.120.37 anywhere
0 0 DROP all -- any any 202.109.143.18 anywhere
0 0 DROP all -- any any TRIONET-235-122.trionet.cz anywhere
0 0 DROP all -- any any 218.2.0.125 anywhere
0 0 DROP all -- any any 113.107.233.142 anywhere
0 0 DROP all -- any any 192.126.120.37 anywhere
0 0 DROP all -- any any 192.126.120.86 anywhere
0 0 DROP all -- any any 122.225.109.100 anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 416M packets, 319G bytes)
pkts bytes target prot opt in out source destination
So those IPs should be blocked as far as I know, right? But I still got notifications about their brute force attacks. So I'm obviously missing something. I wouldn't mind manually blocking IPs since there are not too many new ones, but I guess I need to do something else? Any advice is appreciated.
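As an added example (editor's code, not part of the post above or of DirectAdmin), here is a small Python script that reads an INPUT chain listing in the form produced by `iptables -L INPUT -v -n --line-numbers` and reports three things a zero packet counter in a listing like the one above usually comes down to: DROP rules that have never matched a packet, the same source listed twice (two of the addresses in the post appear twice), and DROP rules that were appended with `-A` below an ACCEPT rule that already matches the same traffic. iptables walks a chain top-down and stops at the first terminating target, so a DROP that sits under a broad ACCEPT never sees the packet, whatever the counters on the ACCEPT say. The sample listing is constructed for this example and uses RFC 5737 documentation addresses rather than the addresses in the post; the function names are my own.

```python
"""Sanity-check an iptables INPUT listing for DROP rules that cannot be working.

Added example: reads output shaped like `iptables -L INPUT -v -n --line-numbers`
(paste your own listing into SAMPLE_LISTING or pipe it in) and flags
zero-hit, duplicated and shadowed DROP rules.
"""
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample, laid out like `iptables -L INPUT -v -n --line-numbers`.
# Addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 75M packets, 6040M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      240 11520 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
2     3120  187K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
4      149  8940 DROP       all  --  *      *       198.51.100.22        0.0.0.0/0
5        0     0 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
"""

ANY_SOURCE = {"0.0.0.0/0", "anywhere"}  # iptables prints either, depending on -n


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    prot: str
    source: str
    extra: str  # whatever follows the destination column, e.g. "tcp dpt:22"


def _count(tok: str) -> int:
    """Turn an iptables -v counter such as '11520', '187K' or '6040M' into an int."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_listing(text: str) -> list[Rule]:
    """Parse one chain from `iptables -L -v -n`, with or without --line-numbers."""
    rules, has_num = [], False
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "Chain":
            continue
        if f[0] in ("num", "pkts"):          # column header line
            has_num = f[0] == "num"
            continue
        num = int(f.pop(0)) if has_num else len(rules) + 1
        pkts, _bytes, target, prot, _opt, _in, _out, src, _dst = f[:9]
        rules.append(Rule(num, _count(pkts), target, prot, src, " ".join(f[9:])))
    return rules


def zero_hit_drops(rules: list[Rule]) -> list[int]:
    """DROP rules that have not matched a single packet since they were added."""
    return [r.num for r in rules if r.target == "DROP" and r.pkts == 0]


def duplicate_sources(rules: list[Rule]) -> list[str]:
    """Sources that appear more than once with the same target (e.g. added twice)."""
    seen = Counter((r.target, r.source) for r in rules)
    return sorted(src for (_tgt, src), n in seen.items() if n > 1)


def shadowed_drops(rules: list[Rule]) -> list[tuple[int, int, str]]:
    """(drop_rule, accept_rule, scope): DROPs placed below an ACCEPT-from-anywhere
    that already matches the same protocol. iptables stops at the first terminating
    target, so for that scope the DROP never sees a packet."""
    found, open_accepts = [], []
    for r in rules:
        if r.target == "ACCEPT" and r.source in ANY_SOURCE:
            open_accepts.append(r)
        elif r.target == "DROP":
            for a in open_accepts:
                if a.prot == "all" or r.prot == "all" or a.prot == r.prot:
                    found.append((r.num, a.num, a.extra or "all traffic"))
                    break
    return found


def report(text: str) -> list[str]:
    rules = parse_listing(text)
    lines = [f"DROP rules with 0 hits: {zero_hit_drops(rules)}",
             f"sources listed twice: {duplicate_sources(rules)}"]
    for drop, acc, scope in shadowed_drops(rules):
        lines.append(f"rule {drop} (DROP) is below rule {acc} (ACCEPT) for {scope}; "
                     f"use 'iptables -I INPUT 1 ...' to put the DROP first")
    return lines


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print("\n".join(report(listing)))
```

Run it as `iptables -L INPUT -v -n --line-numbers | python3 check_input_chain.py` on the server (the file name is my own). Two caveats that the script cannot see: DirectAdmin's brute-force notifications are built from log entries, so a notification can describe attempts that happened before the rule existed, and a zero counter can also simply mean that source has not come back since the rule was added. A DROP that is shadowed by an ACCEPT, on the other hand, will stay at zero forever; `-I INPUT 1` inserts at the top of the chain instead of appending, which is the usual fix.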