Unable to block address from trying to access my SSH server


This topic contains 3 replies, has 0 voices, and was last updated by  matthew.a.squires 4 years ago.

Viewing 5 posts - 1 through 5 (of 5 total)
    #44283

    I am unable to block an address from trying to access my SSH server.
    I have tried the full IP range: NO LUCK
    I have tried the CIDR: NO LUCK.
    The same addresses keep trying long after the rule is applied…

    I got the CIDR from the site: http://www.myipaddressdetails.com/ip/113.195.145.70.html

    Please assist….

    Firewall Rules:

    blockedcountries Rules
    Seq Input Output Description Log Active
    1 * * DROP all opt -- in * out * 58.0.0.0/8 -> 0.0.0.0/0 no
    2 * * DROP all opt -- in * out * 218.0.0.0/8 -> 0.0.0.0/0 no
    3 * * DROP all opt -- in * out * 115.0.0.0/8 -> 0.0.0.0/0 no
    4 * * DROP all opt -- in * out * 182.0.0.0/8 -> 0.0.0.0/0 no
    5 * * DROP all opt -- in * out * 222.0.0.0/8 -> 0.0.0.0/0 no
    6 * * DROP all opt -- in * out * 221.0.0.0/8 -> 0.0.0.0/0 no
    7 * * DROP all opt -- in * out * 60.0.0.0/8 -> 0.0.0.0/0 no
    8 * * DROP all opt -- in * out * 113.0.0.0/8 -> 0.0.0.0/0 no
    9 * * DROP all opt -- in * out * 182.0.0.0/8 -> 0.0.0.0/0 no
    10 * * DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 source IP range 198.50.219.216-198.50.219.219 no
    11 * * DROP all opt -- in * out * 90.0.0.0/8 -> 0.0.0.0/0 no

    How can I use the ACL from the site: “https://www.countryipblocks.net/country_selection.php” in Zeroshell to reduce the assault on my Zeroshell router????

    Here are some examples of them trying:

    22:40:46 User root not allowed because account is locked
    22:40:46 Failed none for invalid user root from 113.195.145.70 port 54887 ssh2
    22:40:46 error: Could not get shadow information for NOUSER
    22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
    22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
    22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
    22:40:47 Connection from 113.195.145.70 port 33558
    22:40:49 User root not allowed because account is locked
    22:40:49 Failed none for invalid user root from 113.195.145.70 port 33558 ssh2
    22:40:49 error: Could not get shadow information for NOUSER
    22:40:49 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
    22:40:49 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
    22:40:50 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
    22:40:50 Connection from 113.195.145.70 port 40981
    22:40:52 User root not allowed because account is locked
    22:40:52 Failed none for invalid user root from 113.195.145.70 port 40981 ssh2
    22:40:53 error: Could not get shadow information for NOUSER
    22:40:53 Failed password for invalid user root from 113.195.145.70 port 40981 ssh2
    22:40:53 Failed password for invalid user root from 113.195.145.70 port 40981 ssh2
    22:40:53 Failed password for invalid user root from 113.195.145.70 port 40981 ssh2
    22:40:54 Connection from 113.195.145.70 port 49260
    22:40:56 User root not allowed because account is locked
    22:40:56 Failed none for invalid user root from 113.195.145.70 port 49260 ssh2
    22:40:56 error: Could not get shadow information for NOUSER
    22:40:56 Failed password for invalid user root from 113.195.145.70 port 49260 ssh2
    22:40:56 Failed password for invalid user root from 113.195.145.70 port 49260 ssh2
    22:40:57 Failed password for invalid user root from 113.195.145.70 port 49260 ssh2
    22:40:57 Connection from 113.195.145.70 port 56738
    22:40:59 User root not allowed because account is locked
    22:40:59 Failed none for invalid user root from 113.195.145.70 port 56738 ssh2
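Before deciding what to block, it helps to reduce a log like the one above to a per-source tally. The script below is an added example, not part of the original post or of ZeroShell: it counts "Failed password" lines per source address together with the number of new connections each source opened, and lists the sources above a threshold. The lines in sample_log are taken from the excerpt above plus two constructed lines for a second address in the 192.0.2.0/24 documentation range, so the ranking is visible; the log file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: summarise sshd failures per source address from log lines
# like the ones pasted in the thread. Not part of the original post.

# Sample input: lines from the thread, plus two constructed lines for a
# second address (192.0.2.10, documentation range) so the ranking is visible.
sample_log() {
    cat <<'EOF'
22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:46 Failed password for invalid user root from 113.195.145.70 port 54887 ssh2
22:40:47 Connection from 113.195.145.70 port 33558
22:40:49 Failed none for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:49 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:49 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
22:40:50 Failed password for invalid user root from 113.195.145.70 port 33558 ssh2
22:41:03 Connection from 192.0.2.10 port 41022
22:41:05 Failed password for admin from 192.0.2.10 port 41022 ssh2
22:41:09 Accepted publickey for admin from 192.0.2.10 port 41022 ssh2
EOF
}

# stdin:  sshd log lines
# stdout: "<failed-password count> <connections opened> <source ip>",
#         one line per source, most failures first
ssh_failures_by_source() {
    awk '
        # "Failed password for [invalid user] NAME from IP port N ssh2":
        # the address is the field after "from", whatever precedes it
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i + 1)]++; break }
        }
        # "HH:MM:SS Connection from IP port N": one new TCP session
        /^[0-9:]+ Connection from/ { conn[$4]++ }
        END {
            for (ip in fail) printf "%d %d %s\n", fail[ip], conn[ip] + 0, ip
        }' | sort -rn
}

# stdin: sshd log lines; $1: minimum failure count
# stdout: source addresses with at least $1 failed password attempts
sources_over_threshold() {
    ssh_failures_by_source | awk -v min="$1" '$1 >= min { print $3 }'
}

# Usage: sh tally.sh /path/to/sshd.log   (path is an assumption; with no
# argument the functions are only defined, so the file can be sourced)
if [ $# -gt 0 ]; then
    ssh_failures_by_source < "$1"
fi
```

With the sample input, the first line of the tally is "6 1 113.195.145.70": six failed passwords over one new connection in the window shown, which is the pattern of the excerpt, while the second address shows one failure followed by a successful key login and would not pass a threshold of 5.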

    #53810

    redfive
    Participant

    If you need ssh access from your wan interface (otherwise, you may simply play with the ssh tab), you may take a look at your SYS_SSH chain

    root@captive ~> iptables -L SYS_SSH -v
    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 ACCEPT all -- any any 192.168.0.0/24 anywhere
    485 38144 ACCEPT all -- ETH02 any anywhere anywhere
    78 5908 ACCEPT all -- ETH01 any anywhere anywhere
    0 0 DROP all -- any any anywhere anywhere

    Then add a line for each CIDR you want to block, e.g. with 50.0.0.0/8

    root@captive ~> iptables -I SYS_SSH -s 50.0.0.0/8 -j DROP

    Let's look now at the ssh chain

    root@captive ~> iptables -L SYS_SSH -v
    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- any any 50-0-0-0.static.sonic.net/8 anywhere
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 ACCEPT all -- any any 192.168.0.0/24 anywhere
    579 44556 ACCEPT all -- ETH02 any anywhere anywhere
    78 5908 ACCEPT all -- ETH01 any anywhere anywhere
    0 0 DROP all -- any any anywhere anywhere

    Remember, -I (--insert) will always add the rule at the top of the chain, so if you add 4 rules, the 4th will be the 1st, the 3rd the 2nd and so on. You may add the rules in the post-boot script.
    Regards

    #53811

    I will DROP all inbound traffic in my WAN Port and ALLOW the USA Country ACL.

    So !!! Is there a way in Zeroshell for me to add all of a Country ACL (IP Addresses) with the CIDR Notations ????
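As an added example (not redfive's code and not ZeroShell's own), here is how the iptables approach from the earlier reply scales to a whole list of CIDRs, which is what the bulk country-ACL question asks for. The script reads one CIDR per line from a file (blank lines and "#" comments ignored, malformed entries reported and skipped), validates each as an IPv4 CIDR, and emits "iptables -I SYS_SSH N ..." with an increasing position so the chain ends up in the same order as the file, rather than the reversed order that plain -I gives. The chain name SYS_SSH is from the reply; the file path and the --apply flag are assumptions.

```shell
#!/bin/sh
# Added example (not ZeroShell code): load a list of CIDRs into the SYS_SSH
# chain from the post-boot script, keeping the order of the list.
#
# Plain "iptables -I SYS_SSH ..." inserts at position 1, so a list of N rules
# ends up reversed.  Inserting at an explicit, increasing position keeps the
# chain in file order, which matters once a later line is meant to be a
# narrower exception to an earlier one.

# Return 0 if $1 is a well-formed IPv4 CIDR (four octets 0-255, prefix 0-32).
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) exit 1
            exit 0
        }'
}

# $1: file with one CIDR per line; blank lines and "#" comments are ignored,
# malformed entries are reported on stderr and skipped.
# stdout: one iptables command per valid entry, positions 1..N in file order.
gen_ssh_block_rules() {
    pos=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]') # and whitespace
        [ -z "$line" ] && continue
        if is_ipv4_cidr "$line"; then
            printf 'iptables -I SYS_SSH %d -s %s -j DROP\n' "$pos" "$line"
            pos=$((pos + 1))
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Apply the generated rules (needs root and iptables; run from post-boot).
apply_ssh_block_rules() {
    gen_ssh_block_rules "$1" | sh -e
}

# Usage:  sh ssh_blocklist.sh /path/blocklist.txt           # print the commands
#         sh ssh_blocklist.sh --apply /path/blocklist.txt   # insert them
# (file path and --apply flag are assumptions; no arguments = define only)
case "${1:-}" in
    "")      ;;
    --apply) apply_ssh_block_rules "${2:?usage: --apply CIDR_FILE}" ;;
    *)       gen_ssh_block_rules "$1" ;;
esac
```

Run it first without --apply and read the generated commands; the DROP rules land ahead of the existing ACCEPT lines in SYS_SSH, so a list that also contains your own management network would lock you out. The post-boot script runs once per boot, so the list is not re-inserted on every run; if you do re-run it by hand, check with "iptables -L SYS_SSH -v" for duplicates before applying again.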

    #53812

    redfive
    Participant

    From the web ui, System, Setup, ssh, you can declare from which interfaces (and which ip addresses) ssh management is allowed; once you declare a rule, an implicit ‘deny any’ is added at the end.
    So, you may allow the management from the internal lans (or ip addresses) then add rules for wan interface and your IP Addresses Blocks.
    Regards

    #53813

    Thank You for your response. I was putting too much thought and effort into my network security and overthinking the process. I forgot about the acronym “KISS (Keep It Simple Stupid)”.
    I was able to build on it and added additional security to my Debian Server. For example, I limited access from the WAN connected to a small section of a carrier Sub-Net. Now, my Router is not crashing as a result of Processor Overload due to external assault.

    Thank You very much…..

