Change the ssh port and use iptables rules.
terminal:
iptables -I INPUT -p tcp -s 80.80.80.80 --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -s 80.80.80.80 --dport smtp -j REJECT --reject-with tcp-reset
save the new rules:
iptables-save > /root/my.active.firewall.rules
You can cat /root/my.active.firewall.rules to check the rules.
1st way:
create this line in crontab -e
@reboot sudo iptables-restore < /root/my.active.firewall.rules
Use whois to check the range (the inetnum), and you can block the whole range like this. This line is in iptables-save format, so it goes in the rules file; the mask must be a valid prefix from /0 to /32 (or a dotted netmask), for example /24 for the whole 80.80.80.0-80.80.80.255 range:
-A INPUT -s 80.80.80.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
If you need to restore the iptables rules, use this:
iptables-restore < /root/my.active.firewall.rules
2nd way:
(you can use another method if you prefer: add the iptables-restore entry to /etc/rc.local so the rules are loaded at boot)
Install logwatch, it works great and can be a good troubleshooting tool for the whole system!
You will receive an email every day and you can check the bad guys :)
and then you can add the new rules to iptables.
Delete a line (rule) in iptables:
iptables -vnL INPUT --line-numbers
You will see the list of rules with their IPs. Each one has a number on the left; use this number to delete the rule, like this:
iptables -D INPUT 10
Or delete the rule by IP instead of by number:
iptables -D INPUT -s 80.80.80.80 -j DROP
Add these lines to block ssh on port 22 and allow ssh only from the local network:
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
sudo iptables -I INPUT -p tcp --dport XXXX -s 192.168.0.0/16 -j ACCEPT
where XXXX is your changed ssh port.
3rd way:
(another method of saving rules, in case you have no rules after a reboot)
sudo nano /etc/network/interfaces
and add this line under your iface stanza, so the rules are loaded before the interface comes up (pre-up is the ifupdown keyword for that):
pre-up iptables-restore < /root/my.active.firewall.rules
Using @reboot firewall reload in the crontab, this deleted my rules.
List the rules for the INPUT chain:
sudo iptables -L INPUT -v
Save all the rules in a txt file as well, because you can accidentally lose all the rules if you run "iptables-save" before you have restored the old rules with "iptables-restore" (the save then overwrites your file with the current, possibly empty, rules).
And check first if the rules exist, using iptables -L -n.
If you have them in the txt file, you can copy and paste them into the terminal and there is no need to recreate them all by hand.
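As an added example (POSIX sh, not code from the original post) tying together the inetnum range rule above and the advice to check rules before adding them: this script generates REJECT rules in the same iptables-save format, refuses an invalid mask such as 80.80.80.1/255 before it can break iptables-restore, and shows an iptables -C check so a rule is only inserted once. The function names and all addresses are constructed for the example.

```shell
# Added example, not from the original post: build REJECT rules in the same
# iptables-save format the post uses, checking each address first so a bad
# mask such as 80.80.80.1/255 (valid prefixes are /0 to /32) is refused
# before it reaches iptables-restore. All addresses are constructed samples.

# valid_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/N, octets 0-255, N 0-32
valid_cidr() {
    addr=${1%%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    rest=$addr; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        if [ "$rest" = "$octet" ]; then rest=; else rest=${rest#*.}; fi
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# reject_rule ADDR PORT -> one rule line like the post's ssh/smtp rules
# (PORT may be a number or a service name from /etc/services, e.g. smtp)
reject_rule() {
    valid_cidr "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    printf '%s -s %s -p tcp -m tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        '-A INPUT' "$1" "$2"
}

# restore_file PORT ADDR... -> complete input for "iptables-restore -n"
# (-n adds the rules without flushing the ones already loaded)
restore_file() {
    port=$1; shift
    echo '*filter'
    for a in "$@"; do reject_rule "$a" "$port" || return 1; done
    echo 'COMMIT'
}

# add_if_missing RULE-ARGS... -> insert into INPUT only when not already there
# (iptables -C tests for an existing rule; needs root, so not run below)
add_if_missing() {
    iptables -C INPUT "$@" 2>/dev/null || iptables -I INPUT "$@"
}
# Demo: a good list, then the bad mask being refused
restore_file 25 80.80.80.80 80.80.80.0/24
reject_rule 80.80.80.1/255 25 || echo 'bad mask refused, as expected'
```

Redirect the output of restore_file into a file, cat it to review, then load it with iptables-restore -n so the rules already in the kernel are not flushed.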
I personally don't use fail2ban, too many emails for my mailbox, because I am a curious person and always doing "whois ip" all day, and that stresses me a little and grows my paranoia, but fail2ban works very well if you take the time to learn and configure it.
I prefer the old way :)
You have to see what works for you!
Hope it helps somebody!