How to block an entire IP range?

snowweb

Hi, my VPS is under continual and heavy attack from a China IP address. I don't mind if all my websites are not available from China. Therefore, could someone please tell me how I can block access to an entire IP range please?

Also, these are the entries in my Proftp Auth Log:

ProFTPd [11541] ::ffff:61.142.176.73 [29/May/2009:09:41:35 +0800] "PASS (hidden)" 530
ProFTPd [11541] ::ffff:61.142.176.73 [29/May/2009:09:41:35 +0800] "USER Administrator" 331
ProFTPd [11518] ::ffff:61.142.176.73 [29/May/2009:09:41:36 +0800] "USER Administrator" 331
ProFTPd [11598] ::ffff:61.142.176.73 [29/May/2009:09:41:36 +0800] "USER Administrator" 331
ProFTPd [11598] ::ffff:61.142.176.73 [29/May/2009:09:41:36 +0800] "PASS (hidden)" 530
ProFTPd [11598] ::ffff:61.142.176.73 [29/May/2009:09:41:37 +0800] "USER Administrator" 331
ProFTPd [11604] ::ffff:61.142.176.73 [29/May/2009:09:41:37 +0800] "USER Administrator" 331
ProFTPd [11598] ::ffff:61.142.176.73 [29/May/2009:09:41:37 +0800] "PASS (hidden)" 530
ProFTPd [11598] ::ffff:61.142.176.73 [29/May/2009:09:41:37 +0800] "USER Administrator" 331
ProFTPd [11543] ::ffff:61.142.176.73 [29/May/2009:09:41:37 +0800] "PASS (hidden)" 530
ProFTPd [11562] ::ffff:61.142.176.73 [29/May/2009:09:41:37 +0800] "PASS (hidden)" 530
ProFTPd [11543] ::ffff:61.142.176.73 [29/May/2009:09:41:38 +0800] "USER Administrator" 331
ProFTPd [11604] ::ffff:61.142.176.73 [29/May/2009:09:41:38 +0800] "PASS (hidden)" 530

This is just a truncated sample, the log is 190MB.

Does this mean that they gained access or not?

If they didn't gain access, I'm wondering why their IP was not automatically blocked after the 40 unsuccessful login attempts that I specified in DA Settings?

Thanks guys and sorry for the barrage of posts! I let all my queries mount up!

Regards, pete
 
I'm wondering why their IP was not automatically blocked after the 40 unsuccessful login attempts that I specified in DA Settings?

Because they are trying to log in through FTP and not DirectAdmin. ;)



Code:
# These are temporary blocks until iptables is restarted
# To block one ip:
iptables -I INPUT -s 61.142.176.73 -j DROP

# To block ip range:
iptables -I INPUT -s 61.142.176.0/24 -j DROP

# To make block permanent 
iptables-save > /etc/sysconfig/iptables


Ah, thanks for that floyd. I really have to try to get my head round this iptables stuff sometime soon! Anyhow, thanks for the commands, I entered one with the range and one which saves the changes and all seemed to be accepted without any problem.

Good point about why the DA hadn't blocked the address automatically. Didn't think of that. Thanks for your help.

pete
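Added example, not part of any post in this thread: a shell sketch that reads an auth log in the format pasted above and counts, per source address, rejected logins (FTP reply 530) and accepted logins (230), then prints the `iptables` rule from the reply for addresses at or over a threshold. The function names, the sample log and its documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample in the ProFTPd auth-log format from the
# thread; 198.51.100.7 and 203.0.113.9 are documentation addresses.
sample_log() {
cat <<'EOF'
ProFTPd [2001] ::ffff:198.51.100.7 [29/May/2009:09:41:35 +0800] "USER Administrator" 331
ProFTPd [2001] ::ffff:198.51.100.7 [29/May/2009:09:41:35 +0800] "PASS (hidden)" 530
ProFTPd [2002] ::ffff:198.51.100.7 [29/May/2009:09:41:36 +0800] "USER Administrator" 331
ProFTPd [2002] ::ffff:198.51.100.7 [29/May/2009:09:41:36 +0800] "PASS (hidden)" 530
ProFTPd [2003] ::ffff:198.51.100.7 [29/May/2009:09:41:37 +0800] "PASS (hidden)" 530
ProFTPd [2010] ::ffff:203.0.113.9 [29/May/2009:10:02:11 +0800] "USER webadmin" 331
ProFTPd [2010] ::ffff:203.0.113.9 [29/May/2009:10:02:12 +0800] "PASS (hidden)" 530
ProFTPd [2010] ::ffff:203.0.113.9 [29/May/2009:10:02:20 +0800] "USER webadmin" 331
ProFTPd [2010] ::ffff:203.0.113.9 [29/May/2009:10:02:21 +0800] "PASS (hidden)" 230
EOF
}

# Per source IP, count FTP reply 530 (login rejected) and 230 (login accepted).
# 331 only means "user name received, send password" and is not counted.
# Reads the files given as arguments, or stdin when there are none.
ftp_auth_summary() {
    awk '
    $1 == "ProFTPd" {
        ip = $3
        sub(/^::ffff:/, "", ip)        # strip the IPv4-mapped IPv6 prefix
        seen[ip] = 1
        if ($NF == 530) rejected[ip]++
        else if ($NF == 230) accepted[ip]++
    }
    END {
        for (ip in seen)
            printf "%s rejected=%d accepted=%d\n", ip, rejected[ip], accepted[ip]
    }' "$@" | sort
}

# Print, without running, a DROP rule for each IP with at least $1 rejections.
drop_rules() {
    threshold=$1
    shift
    ftp_auth_summary "$@" | awk -v t="$threshold" '
    {
        split($2, kv, "=")
        if (kv[2] + 0 >= t) print "iptables -I INPUT -s " $1 " -j DROP"
    }'
}

sample_log | ftp_auth_summary
sample_log | drop_rules 3
```

An `accepted` count above zero for an address you do not recognise is the line to investigate. On a real log, pass the file path as an argument after the threshold.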
 