iptables rules not dropping IPs

1

I have a Trusty 14.04.3 LTS server running fail2ban. I have been under attack from 43.229.53.71; the last octet may change. My auth.log files show entries like this:

Dec 11 15:02:51 M1 sshd[5138]: Failed password for root from 43.229.53.71 port 39734 ssh2
Dec 11 15:02:51 M1 sshd[5138]: pam_winbind(sshd:auth): getting password (0x00000388)
Dec 11 15:02:51 M1 sshd[5138]: pam_winbind(sshd:auth): pam_get_item returned a password
Dec 11 15:02:51 M1 sshd[5138]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Dec 11 15:02:53 M1 sshd[5138]: Failed password for root from 43.229.53.71 port 39734 ssh2
Dec 11 15:02:53 M1 sshd[5138]: Received disconnect from 43.229.53.71: 11:  [preauth]
Dec 11 15:02:53 M1 sshd[5138]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.71  user=root

Here are my iptables rules:

root@M1:/etc# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 7736 packets, 6163K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 fail2ban-mysqld-auth  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 3306
2       45  2838 fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
3       45  2838 fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
4       45  2838 fail2ban-apache-multiport  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
5     1581  100K fail2ban-ssh-ddos  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
6     5080 5449K fail2ban-pam-generic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
7     1581  100K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
8        0     0 REJECT     tcp  --  *      *       43.225.53.71         0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
9        0     0 REJECT     tcp  --  *      *       43.225.0.0/16        0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
10       0     0 DROP       all  --  *      *       43.225.0.0/16        0.0.0.0/0
11       0     0 DROP       all  --  *      *       43.225.0.0/16        0.0.0.0/0
12       0     0 DROP       all  --  *      *       43.225.53.71         0.0.0.0/0
13       0     0 DROP       all  --  *      *       43.225.53.71         0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5703 packets, 4217K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-apache-multiport (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       45  2838 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-noscript (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       45  2838 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-overflows (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       45  2838 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-mysqld-auth (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pam-generic (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     5080 5449K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1581  100K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh-ddos (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1581  100K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

When I enable SSH, they start attacking as shown in the logs. Why aren't packets from this IP range being dropped? I must be missing something simple, any ideas?

by IC1 11.12.2015 / 22:21

1 answer

1

The only rules that can drop / reject SSH packets are:

8        0     0 REJECT     tcp  --  *      *       43.225.53.71         0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
9        0     0 REJECT     tcp  --  *      *       43.225.0.0/16        0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
10       0     0 DROP       all  --  *      *       43.225.0.0/16        0.0.0.0/0
11       0     0 DROP       all  --  *      *       43.225.0.0/16        0.0.0.0/0
12       0     0 DROP       all  --  *      *       43.225.53.71         0.0.0.0/0
13       0     0 DROP       all  --  *      *       43.225.53.71         0.0.0.0/0

whereas the unwanted guest's IP is 43.229.53.71. Note the difference in the second octet: 229 != 225.

by Marcin Kaminski 11.12.2015 / 22:47
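A small checker, added here as an example and not part of either post, that parses the `iptables -nvL --line-numbers` listing from the question (a constructed sample, trimmed to the explicit DROP/REJECT rules) and reports which INPUT rules a packet from a given source IP to a given port would match. For the attacker's address it returns no rules at all, which is exactly the second-octet mismatch the answer points out.

```python
import ipaddress
import re

# Constructed sample: the INPUT chain from the question, trimmed to the
# explicit DROP/REJECT rules (the fail2ban-* chains only RETURN here).
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT 7736 packets, 6163K bytes)
num   pkts bytes target     prot opt in     out     source               destination
8        0     0 REJECT     tcp  --  *      *       43.225.53.71         0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
9        0     0 REJECT     tcp  --  *      *       43.225.0.0/16        0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
10       0     0 DROP       all  --  *      *       43.225.0.0/16        0.0.0.0/0
12       0     0 DROP       all  --  *      *       43.225.53.71         0.0.0.0/0
"""

# Columns of `iptables -nvL --line-numbers`: num pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\S+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def parse_rules(listing):
    """Parse one chain of `iptables -nvL --line-numbers` output into rule dicts."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header or column header line
        dport = re.search(r"dpt:(\d+)", m.group("extra"))
        rules.append({
            "num": int(m.group("num")),
            "target": m.group("target"),
            "prot": m.group("prot"),
            # strict=False turns a bare host like 43.225.53.71 into a /32 network
            "src": ipaddress.ip_network(m.group("src"), strict=False),
            "dport": int(dport.group(1)) if dport else None,
        })
    return rules


def matching_rules(rules, src_ip, dport, prot="tcp"):
    """Return the numbers of the rules a packet from src_ip to dport would hit, in order."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for r in rules:
        if r["prot"] not in ("all", prot):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if ip in r["src"]:
            hits.append(r["num"])
    return hits


if __name__ == "__main__":
    rules = parse_rules(IPTABLES_INPUT)
    for ip in ("43.229.53.71", "43.225.53.71"):
        print(ip, "-> rules hit on port 22:", matching_rules(rules, ip, 22))
```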