Block IP if it connects to port 22
How can I effectively (so do it fast when talking about firewall level and can do it with many-many IP's) block an IP address for a given time, ex.: a month, if it tried to contact port 22 TCP in any manner, so port check, connect via ssh, etc.

How can I do it with iptables, OpenBSD pf?

The main idea is that SSHD is running on a non-default port and with this blocking method, we could harden our protection without any extra software.

It should block the IP with DROP, not RFC REJECT.

UPDATE: I mean it should do it automatically. I don't want to give every IP address manually.

iptables pf
asked Mar 2 '16 at 9:29 by nyipeter, edited Mar 2 '16 at 11:01
1
I do not think blocking random IPs connecting to a port is the best of the ideas, and not over a long time. The iptables list can become rather long, and also running an SSHD in a different port is accounted for by many bots nowadays. Granted, less bad agents will find it. I do prefer to not expose SSH ports to the Internet, and use VPNs to get to ssh. Do not forget to use fail2ban applied to the port where the real service is running.
– Rui F Ribeiro
Mar 2 '16 at 11:47
2 Answers
You could use fail2ban or similar software, with a custom rule that blocks any IP address that tries to connect to port 22.

fail2ban manages automated blocking of hosts making unwanted connections (based on all sorts of criteria, including number of connection attempts, error messages in specific log files, attempts to fetch a particular URL, or pretty nearly anything you can think of and write a script to test for) as well as automated expiry of such blocks.

fail2ban is available packaged for most/all linux distros, and the home page is at: http://www.fail2ban.org/

answered Mar 3 '16 at 2:13 by cas
Block Incoming Request From IP 1.2.3.4

The following command will drop any packet coming from the IP address 1.2.3.4:

# INPUT chain: -i names the interface the packet arrives on, -s the remote source
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP

Example port 22:

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 22 -s 1.2.3.4 -j DROP

Block outgoing

# OUTPUT chain: iptables rejects -i here, so name the outgoing interface with -o,
# and the remote host is the destination of our packets (-d), not their source
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP-ADDRESS-HERE} -j DROP

Example port 22:

/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -d 1.2.3.4 -j DROP

answered Mar 2 '16 at 10:02 by GAD3R
1
I updated the question.
– nyipeter
Mar 2 '16 at 11:02
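The automatic, time-limited variant the UPDATE asks for, as an added example that is not part of either answer: ipset's per-entry timeout lets the kernel expire each ban after a month and the hash set scales to many addresses, whereas the xt_recent module keeps only a small fixed-size table whose entries do not age out by time. The set name, ban length and the TRUSTED_NET management range are placeholders, and the function emits the commands rather than running them so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example: trap any source that sends TCP to port 22 and DROP all of its
# traffic for BAN_SECONDS, using an ipset with a timeout (needs ipset + xt_set).
# Placeholders: TRAP_SET, BAN_SECONDS and TRUSTED_NET are assumed values; sshd
# is assumed to listen on another port, so nothing legitimate touches 22.
TRAP_SET="${TRAP_SET:-ssh_trap}"
BAN_SECONDS="${BAN_SECONDS:-2592000}"          # 30 days
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"     # documentation prefix, placeholder

# Print the ruleset instead of applying it; pipe into sh (as root) to install.
ssh_trap_rules() {
    cat <<EOF
ipset create $TRAP_SET hash:ip timeout $BAN_SECONDS -exist
iptables -N SSH_TRAP 2>/dev/null || iptables -F SSH_TRAP
# Never trap the management range, even if it touches port 22.
iptables -A SSH_TRAP -s $TRUSTED_NET -j RETURN
# Record the source in the set (--exist resets the timeout if it is already there) ...
iptables -A SSH_TRAP -j SET --add-set $TRAP_SET src --exist
# ... then drop the packet silently (DROP, not REJECT).
iptables -A SSH_TRAP -j DROP
# Trapped sources are dropped ahead of every other INPUT rule, on every port,
# until the kernel expires their entry after $BAN_SECONDS seconds.
iptables -I INPUT 1 -m set --match-set $TRAP_SET src -j DROP
# Any TCP packet to port 22 (SYN probe, full connect, anything) enters the trap.
iptables -I INPUT 2 -p tcp --dport 22 -j SSH_TRAP
EOF
}

# Number of DROP rules in the emitted ruleset: one for the trap chain, one for
# already-trapped sources.
count_drop_rules() {
    ssh_trap_rules | grep -c -- '-j DROP'
}
```

Apply with `ssh_trap_rules | sudo sh`, and dump the set with `ipset save` if the bans must survive a reboot, since the kernel set is otherwise empty after restart.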
add a comment |
1
I updated the question.
– nyipeter
Mar 2 '16 at 11:02
1
1
I updated the question.
– nyipeter
Mar 2 '16 at 11:02
I updated the question.
– nyipeter
Mar 2 '16 at 11:02
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f267006%2fblock-ip-if-it-connects-to-port-22%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
I do not think blocking random IPs connecting to a port is the best of the ideas, and not over a long time. The iptables list can become rather long, and also running an SSHD in a different port is accounted for by many bots nowadays. Granted, less bad agents will find it. I do prefer to not expose SSH ports to the Internet, and use VPNs to get to ssh. Do not forget to use fail2ban applied to the port where the real service is running.
– Rui F Ribeiro
Mar 2 '16 at 11:47