How to block / blacklist IP addresses

Hardware: VPS bought online
YunoHost version: 3.8.4.6 (stable).
I have access to my server: SSH & webadmin

I have been searching the forum and documentation on how to block IP addresses in YunoHost.

I am currently testing out YunoHost on a VPS; as soon as I boot up the server I see several Chinese IP addresses trying to connect via SSH on random ports.
The same IP addresses are being unbanned and banned again.

Is it possible to permanently block or blacklist IP addresses somehow?
Or at least make the ban last longer?

2020-06-02 14:51:28,812 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.30.112
2020-06-02 14:51:28,959 fail2ban.actions        [1024]: NOTICE  [sshd] Ban 222.186.30.112
2020-06-02 14:51:28,964 fail2ban.filter         [1024]: INFO    [recidive] Found 222.186.30.112
2020-06-02 14:55:37,442 fail2ban.actions        [1024]: NOTICE  [sshd] Unban 222.186.180.130
2020-06-02 14:56:39,148 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:39,149 fail2ban.filter         [1024]: INFO    [pam-generic] Found 222.186.180.142
2020-06-02 14:56:40,951 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:43,006 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:45,671 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:50,706 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:50,707 fail2ban.filter         [1024]: INFO    [pam-generic] Found 222.186.180.142
2020-06-02 14:56:52,352 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:54,151 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:56,225 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:58,638 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:56:58,638 fail2ban.filter         [1024]: INFO    [pam-generic] Found 222.186.180.142
2020-06-02 14:57:00,047 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 14:57:00,755 fail2ban.actions        [1024]: NOTICE  [sshd] Ban 222.186.180.142
2020-06-02 14:57:00,763 fail2ban.filter         [1024]: INFO    [recidive] Found 222.186.180.142
2020-06-02 14:57:02,336 fail2ban.filter         [1024]: INFO    [sshd] Found 222.186.180.142
2020-06-02 15:01:29,284 fail2ban.actions        [1024]: NOTICE  [sshd] Unban 222.186.30.112
2020-06-02 15:07:00,866 fail2ban.actions        [1024]: NOTICE  [sshd] Unban 222.186.180.142

Jun  2 15:14:47 uno sshd[26259]: Failed password for root from 222.186.42.7 port 54499 ssh2
Jun  2 15:14:48 uno sshd[26259]: Failed password for root from 222.186.42.7 port 54499 ssh2
Jun  2 15:14:51 uno sshd[26259]: Failed password for root from 222.186.42.7 port 54499 ssh2

Jun  2 15:14:37 uno sshd[26256]: Failed password for root from 222.186.42.7 port 20666 ssh2
Jun  2 15:14:40 uno sshd[26256]: Failed password for root from 222.186.42.7 port 20666 ssh2
Jun  2 15:14:42 uno sshd[26256]: Failed password for root from 222.186.42.7 port 20666 ssh2

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     650
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     58
   `- Banned IP list:   222.186.30.167 222.186.175.23

It’s kind of “expected” for any server exposed to the internet to be targeted by bots roaming around and brute-forcing servers, and fail2ban already handles this using its autoban mechanism (cf. the recidive jail for recidivists, who get banned for much longer) …

I doubt there are any magic solutions … you can be much more aggressive, like “ban all IP blocks from China and other countries that are known to be sources of attacks”, but ultimately you may get unexpected side effects (e.g. legitimate visitors unable to access your server, or banning yourself forever, or …) and the security gain is low.

Alternatively you can change the SSH port (not forgetting to also propagate it to fail2ban’s conf).

But to know exactly what the right way to proceed is, you should elaborate on what your concern is exactly.
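
The excerpt posted above shows how the autoban works in practice: 222.186.30.112 is banned at 14:51:28 and unbanned at 15:01:29, i.e. after roughly ten minutes, which is fail2ban’s stock `bantime` for an ordinary jail; the `recidive` jail reads fail2ban’s own log and, in fail2ban’s shipped jail.conf, bans an address for a week once it has been banned five times within a day (YunoHost’s shipped values may differ, so check them on the box). The script below is an added example, not YunoHost’s or fail2ban’s code: it summarises Ban/Unban events per IP from a fail2ban.log excerpt so you can see how long bans really last and which addresses keep coming back. The log lines in it are constructed after the ones posted in this thread, and durations are computed from the time of day only, so an excerpt must not span midnight.

```shell
#!/bin/sh
# Added example (not YunoHost's or fail2ban's code): summarise Ban/Unban events per IP
# from a fail2ban.log excerpt, so you can see how long bans actually last and which
# addresses keep coming back (the ones the recidive jail is meant for).
# Limitation: ban durations are computed from the time of day only, so an excerpt
# must not span midnight.

# Constructed excerpt modelled on the lines posted in this thread (not a real log).
F2B_LOG='2020-06-02 14:51:28,959 fail2ban.actions        [1024]: NOTICE  [sshd] Ban 222.186.30.112
2020-06-02 14:57:00,755 fail2ban.actions        [1024]: NOTICE  [sshd] Ban 222.186.180.142
2020-06-02 15:01:29,284 fail2ban.actions        [1024]: NOTICE  [sshd] Unban 222.186.30.112
2020-06-02 15:07:00,866 fail2ban.actions        [1024]: NOTICE  [sshd] Unban 222.186.180.142
2020-06-02 15:20:11,002 fail2ban.actions        [1024]: NOTICE  [sshd] Ban 222.186.30.112
2020-06-02 15:30:11,120 fail2ban.actions        [1024]: NOTICE  [sshd] Unban 222.186.30.112
2020-06-02 15:45:02,511 fail2ban.actions        [1024]: NOTICE  [sshd] Ban 222.186.30.112'

# ban_summary JAIL  (reads the log on stdin)
# Prints one line per IP: "<ip> <number_of_bans> <longest_ban_in_seconds>",
# most-banned first. A ban that has not been lifted yet contributes no duration.
ban_summary() {
  awk -v jail="[$1]" '
    function secs(t,  T) { split(t, T, "[:,]"); return T[1] * 3600 + T[2] * 60 + T[3] }
    # fields: $1 date, $2 time, $3 component, $4 pid, $5 level, $6 jail, $7 action, $8 ip
    $3 == "fail2ban.actions" && $6 == jail && $7 == "Ban" {
      bans[$8]++; start[$8] = secs($2)
    }
    $3 == "fail2ban.actions" && $6 == jail && $7 == "Unban" && ($8 in start) {
      d = secs($2) - start[$8]
      if (d > longest[$8]) longest[$8] = d
      delete start[$8]
    }
    END { for (ip in bans) printf "%s %d %d\n", ip, bans[ip], longest[ip] + 0 }
  ' | sort -k2,2nr -k1,1
}

# repeat_offenders JAIL MIN_BANS  (reads the log on stdin)
# IPs banned at least MIN_BANS times: the candidates the recidive jail should catch.
repeat_offenders() {
  ban_summary "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

# Run against the constructed excerpt. On a real YunoHost box you would feed
# /var/log/fail2ban.log instead, and compare the numbers with what fail2ban is
# configured to do:  fail2ban-client get sshd bantime ; fail2ban-client status recidive
printf '%s\n' "$F2B_LOG" | ban_summary sshd
printf '%s\n' "$F2B_LOG" | repeat_offenders sshd 2
```

On the constructed excerpt the first address shows three bans with a longest lifted ban of 601 seconds, matching the ten-minute pattern in the posted log; if the real log shows the same addresses cycling through ban/unban without ever appearing in `fail2ban-client status recidive`, the recidive jail is the place to look before reaching for country-wide blocklists.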

Hi @yuno,

It’s in French, but it’s not so complicated to understand with some help from a translator.

I’ve tried this solution based on the Logwatch report for some IPs.
I’ve changed my SSH port to a more exotic one and propagated it in the fail2ban conf.
It’s quieter now :slight_smile:

Sorry for my dusty English :wink:
ppr


Thanks for the reply.
Yes, it’s expected that bots will brute-force servers on the internet, and fail2ban works on its own.
The main purpose of this post was to learn how YunoHost handles blocking and, if possible, how to configure fail2ban or other methods without breaking YunoHost.

Ultimately I would like to block all IP addresses and only allow the few static addresses that I need access from. In my case the instance is not public, so I don’t need the whole internet to have access to the server, only a few IP addresses for my self-hosted needs.
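
The allowlist described in the post above is the one place where the “banning yourself forever” side effect mentioned earlier in the thread is a real risk, so the added example below (not YunoHost’s code) builds it with a guard. It is IPv4-only, assumes iptables and SSH on port 22, and only prints the commands rather than applying them; it refuses to produce a rule set that would lock out the address the current SSH session comes from (taken from `$SSH_CONNECTION`). The rules are inserted at the top of the INPUT chain so they take precedence over whatever is already there, including what YunoHost’s firewall has opened for the SSH port; they are not persistent, and a firewall reload by YunoHost may replace them, so apply them from a session you can afford to lose while a second one stays open, and keep the VPS provider’s console at hand. Add the same static addresses to fail2ban’s `ignoreip` so that a typo in your own password can never ban you. The RFC 5737 documentation addresses used in the run at the bottom are placeholders.

```shell
#!/bin/sh
# Added example (not YunoHost code): print iptables rules that allow SSH only from a
# short list of static IPv4 addresses/CIDRs and drop everything else, with a guard
# against locking yourself out. Nothing is applied; review the output, then run it
# from a session you can afford to lose while a second one stays open.

# valid_cidr ADDR -> 0 if ADDR is a dotted-quad IPv4 address, optionally with /0-32
valid_cidr() {
  case "$1" in
    ''|*[!0-9./]*|.*|*.|*..*|/*|*/|*/*/*) return 1 ;;
  esac
  ip="${1%%/*}"; p="${1#"$ip"}"; p="${p#/}"
  if [ -n "$p" ]; then [ "$p" -le 32 ] || return 1; fi
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr IP CIDR -> 0 if IP lies inside CIDR (a bare address counts as /32)
in_cidr() {
  net="${2%%/*}"; p="${2#"$net"}"; p="${p#/}"; : "${p:=32}"
  bits=$((32 - p)); m=1
  while [ "$bits" -gt 0 ]; do m=$((m * 2)); bits=$((bits - 1)); done
  mask=$((4294967295 - (m - 1)))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# allowlist_rules PORT ADDR... -> prints the rules, or returns 1 on bad input or
# when the address this SSH session comes from (first field of $SSH_CONNECTION)
# is not covered by the allowlist.
allowlist_rules() {
  port="$1"; shift
  [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
  for a in "$@"; do
    valid_cidr "$a" || { echo "rejecting '$a': not an IPv4 address or CIDR" >&2; return 1; }
  done
  me="${SSH_CONNECTION%% *}"
  if [ -n "$me" ]; then
    covered=1
    for a in "$@"; do in_cidr "$me" "$a" && covered=0; done
    [ "$covered" -eq 0 ] || { echo "refusing: $me (this session) is not in the allowlist" >&2; return 1; }
  fi
  # Insert at position 1 each time: the DROP goes in first and every ACCEPT is then
  # pushed in above it, so the final order is ACCEPT..., DROP, <existing rules>.
  echo "iptables -I INPUT 1 -p tcp --dport $port -j DROP"
  for a in "$@"; do
    echo "iptables -I INPUT 1 -p tcp --dport $port -s $a -j ACCEPT"
  done
}

# Example run with RFC 5737 documentation addresses (placeholders); replace with your own.
# When run over SSH, $SSH_CONNECTION is already set by sshd and the default is ignored.
SSH_CONNECTION="${SSH_CONNECTION:-198.51.100.9 51234 10.0.0.1 22}"
allowlist_rules 22 203.0.113.0/24 198.51.100.9
```

Running it with an allowlist that omits the session’s own address prints a refusal and exits non-zero instead of emitting rules; that is the check worth keeping even if you later move the rules into a proper persistent firewall configuration.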
