Ip in /root/blocked_ips.txt still not blocked

[stanbluijs]

Hi,

I have a Centos vps for more some while now and since today i have problems to block a ip adress. Normaly i block ip's with the brute force monitor, but one ip is in the blocked_ips.txt but is still able to try to brute force me. My direct admin is up to date and i believe i'm running Contos 5.8. I don't understand why the IP is not blocked while others are.

I hope someone understands my problem and is able to help me.

Thanks
Stan

 

[zEitEr]

Hello,

service iptables restart

and see if the IP gets blocked.

 

[stanbluijs]

Thanks for your replay, i tried it several times yesterday. I even removed the ip from the list and blocked it again. Without any luck.

 

[stanbluijs]

actually, i tried

/etc/init.d/iptables restart

but if i type

service iptables restart

i get the response
bash: service: command not found

 

[zEitEr]

Then you'd better post here your iptables rules with

iptables-save

and specify what IP is not blocked.

 

[stanbluijs]

I think you need this:

# Generated by iptables-save v1.3.5 on Thu Aug 23 12:32:59 2012
*mangle
:PREROUTING ACCEPT [765:57158]
:INPUT ACCEPT [765:57158]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [585:369211]
:POSTROUTING ACCEPT [585:369211]
COMMIT
# Completed on Thu Aug 23 12:32:59 2012
# Generated by iptables-save v1.3.5 on Thu Aug 23 12:32:59 2012
*filter
:INPUT ACCEPT [765:57158]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [585:369211]
COMMIT
# Completed on Thu Aug 23 12:32:59 2012
# Generated by iptables-save v1.3.5 on Thu Aug 23 12:32:59 2012
*nat
:PREROUTING ACCEPT [6:368]
:POSTROUTING ACCEPT [2:148]
:OUTPUT ACCEPT [2:148]
COMMIT
# Completed on Thu Aug 23 12:32:59 2012

This morning after my earlier post, the ip 62.206.39.218 stopt his brute force. I hope it is blocked now, but i'm not sure.

 

[zEitEr]

Your iptables rules are not set, so it can't block anything if it's your real iptables.
If you aren't using csf, you should step-by-step one more time follow this guide:

http://help.directadmin.com/item.php?id=380

make sure to do

chkconfig iptables on

as soon as you finish with the guide.

 

[stanbluijs]

Thank you, i will do it.

 

[stanbluijs]

I tried your solution, but when i installed the new iptables and restarted it, my vps froze. I tried it a again and it happened again...

/etc/init.d/iptables restart
Shutting down firewall: 
                                                           [  OK  ]
Starting Firewall: 
                                                           [  OK  ]
FATAL: Could not load /lib/modules/2.6.18-238.12.1.el5.028stab091.1/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-238.12.1.el5.028stab091.1/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-238.12.1.el5.028stab091.1/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-238.12.1.el5.028stab091.1/modules.dep: No such file or directory
/etc/init.d/iptables: line 79: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/etc/init.d/iptables: line 91: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/etc/init.d/iptables: line 100: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/etc/init.d/iptables: line 103: /proc/sys/net/ipv4/ip_dynaddr: Operation not permitted
/etc/init.d/iptables: line 110: /proc/sys/net/ipv4/ip_local_port_range: Operation not permitted
/etc/init.d/iptables: line 113: /proc/sys/net/ipv4/tcp_fin_timeout: Operation not permitted
/etc/init.d/iptables: line 114: /proc/sys/net/ipv4/tcp_keepalive_time: Operation not permitted
/etc/init.d/iptables: line 115: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
/etc/init.d/iptables: line 116: /proc/sys/net/ipv4/tcp_sack: Operation not permitted
/etc/init.d/iptables: line 117: /proc/sys/net/ipv4/tcp_max_syn_backlog: Operation not permitted

i putted my iptables.backup back and it was working again. I don't know what to do now..

 

[Acoon]

May I recommend CSF instead? This allows you to control iptaples from Directadmin.
I use it and i automatically block IP's

http://configserver.com/cp/csf.html

Installation instructions
http://configserver.com/free/csf/install.txt

 

[zEitEr]

I tried your solution, but when i installed the new iptables and restarted it, my vps froze. I tried it a again and it happened again...

I guess VPS was not accessible vis SSH, but was still running. If your SSHd is listening any different from 22 port, then you should update /etc/init.d/iptables accordingly to reflect your real situation. Open the file and change port 22 to whatever you use there in /etc/ssh/sshd_config

 

[stanbluijs]

Thank you for the reply.

 

[zEitEr]

Did you manage to solve your issue and block attackers?

 

[stanbluijs]

I didn't find the time to try it yet. I hope that I can fix it this week.

 

[stanbluijs]

Hi zEitEr,
Found some time, but didn't find any luck

Made a backup from iptables
downloaded wget http://files1.directadmin.com/services/all/iptables
changed the line $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT to the port it uses
and changed the chmod

then i tried to restart the iptables and got the exact same error as before. (see earlier post)

if i use the iptables i have now (probably still not working) and i restart i got the following:

init.d]# /etc/init.d/iptables restart
Flushing firewall rules:                                    [  OK  ]
Setting chains to policy ACCEPT: mangle filter nat          [  OK  ]
Unloading iptables modules:                                 [  OK  ]
Applying iptables firewall rules:                           [  OK  ]

/sbin/service iptables save -> result:

Saving firewall rules to /etc/sysconfig/iptables:           [  OK  ]

that results in (/etc/sysconfig/iptables)

## Generated by iptables-save v1.3.5 on Tue Aug 28 15:29:45 2012
*mangle
:PREROUTING ACCEPT [136:25934]
:INPUT ACCEPT [136:25934]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117:62110]
:POSTROUTING ACCEPT [117:62110]
COMMIT
# Completed on Tue Aug 28 15:29:45 2012
# Generated by iptables-save v1.3.5 on Tue Aug 28 15:29:45 2012
*filter
:INPUT ACCEPT [136:25934]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117:62110]
COMMIT
# Completed on Tue Aug 28 15:29:45 2012
# Generated by iptables-save v1.3.5 on Tue Aug 28 15:29:45 2012
*nat
:PREROUTING ACCEPT [11:636]
:POSTROUTING ACCEPT [6:455]
:OUTPUT ACCEPT [6:455]
COMMIT
# Completed on Tue Aug 28 15:29:45 2012

I don't understand why the steps at http://help.directadmin.com/item.php?id=380 do not work for me.

I hope you can help me.

Chears,
Stan

 

[zEitEr]

I'm guessing you must be missing something.... but what exactly I can not say for what you posted here.

Why do you try to save your iptables?

/sbin/service iptables save

this is not a step from the guide.

And why do you try to use

/etc/sysconfig/iptables

this is not a step from the guide either.

You should use either /etc/sysconfig/iptables or /etc/init.d/iptables provided by Directadmin, you should learn the subject before you can mix them...

So step by step again either follow the guide and you'll get the things working, as it was done by many of us here and many times; or hire somebody to do the job for you (me or somebody else).

 

[stanbluijs]

In earlier post you asked me to post my iptables rules with

iptables-save

That is what i did with

/sbin/service iptables save

The result of that is saved in /etc/sysconfig/iptables

That are no steps indeed, but i tried to show you that it's still the same as before.

About a year ago i already followed the steps at http://help.directadmin.com/item.php?id=380
Then they worked for me, but 3 weeks ago i upgraded to centos 5.8 and from then the brute force monitor did not block them anymore.
If i try the steps again i got an error (posted earlier). You told me that it had probably to do with the wrong sshd port. I changed the sshd port without luck.

I can't afford to hire somebody because it is just a hobby and i would like to learn some of it.

How can i provide you the information you need to help me (if you still want to help me ofcourse).

 

[zEitEr]

iptables-save prints the current iptables rules, but there is no need (and I did not even ask you about it) to save them anywhere.

Normally the guide works, and I don't know any case when iptables would "freeze" a server. And I personally followed the guide both on virtual servers and dedicated servers, and it worked in 100% cases, despite on that I won't guarantee that it will work in your particular case as I don't know what exactly and how you do. And even this sentence

I changed the sshd port without luck.

does not bring any useful information. Where exactly did you do that? And how? Did you restart SSH service if you updated /etc/sshd_config?

And since I don't know for sure, what you mean by "vps froze" I can't help you. The issue with a SSH was my guess only.

So let's try one more time and print here everything you are asked about:

# grep ^Port /etc/ssh/sshd_config

# netstat -an | grep LISTEN | grep -v unix

# cat /etc/init.d/iptables

# cat /usr/local/directadmin/scripts/custom/block_ip.sh

# cat /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh

And what your "vps froze" mean? How did you bring your VPS back after it froze?

I can't afford to hire somebody because it is just a hobby

PM me for a quote, just before you say such words.

 

[LawsHosting]

Slightly off topic.

The only reason to save is if you want them to be blocked on a restart from /etc/network/interfaces
eg.

iface eth0 inet static
post-up iptables-restore < /etc/iptables.up.rules

NB. I use Debian with WebMin, so, may be different

 

[stanbluijs]

I found this post http://www.directadmin.com/forum/showthread.php?t=44293&page=1
And found out that the error's where there to ignore and I blocked my own ip to be sure it was working and it is.

Thank you zEitEr's for your help (here and in the other post