I got tired of repeated SSH attempts and honestly, for my home network, there are few countries that need to be logging into my system, so I'm using a combination of fail2ban and blocking by country.
I created this script to make my life easier and thought I would share it.
#!/bin/bash
# Based on the below article
# https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset...
set -euo pipefail

# Fetch the current per-country CIDR lists from ipdeny into a scratch directory.
# (Note the download is plain http and unsigned; the tarball is trusted as-is.)
ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX)
pushd "$ipdeny_tmp_dir" >/dev/null
curl -LO http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar xf all-zones.tar.gz

# Rebuild the ipset from scratch so ranges dropped from the lists don't linger.
# --delete-ipset fails on the very first run (no set exists yet), so don't abort on it.
firewall-cmd --permanent --delete-ipset=blacklist || true
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
for zone in cn id kn ph ru; do
    firewall-cmd --permanent --ipset=blacklist --add-entries-from-file="./${zone}.zone"
done

# Only need to do this part once
#firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist

firewall-cmd --reload

popd >/dev/null
rm -rf "$ipdeny_tmp_dir"
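Since the zone lists come over plain http and go straight into the ipset, here is an added check (my own example, not part of Richard's script or ipdeny's tooling) that refuses a zone file containing anything other than well-formed IPv4 CIDRs before it is handed to firewall-cmd. The zone file it runs on is constructed inline, not real ipdeny data.

```bash
#!/bin/bash
# Added example, not part of the script from the post: reject malformed
# entries in an ipdeny-style zone file (one IPv4 CIDR per line) before
# passing the file to firewall-cmd --add-entries-from-file. A corrupted
# or tampered download then fails loudly instead of polluting the ipset.

# Exit 0 if every non-blank line is a syntactically valid IPv4 CIDR
# (a.b.c.d/n, each octet 0-255, n 0-32); otherwise report each bad line
# on stderr and exit 1.
validate_zone_file() {
    local file="$1" line bad=0 ip prefix octet
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        # Shape check first so the numeric tests below never see junk.
        if ! printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            printf 'invalid entry: %s\n' "$line" >&2; bad=1; continue
        fi
        ip=${line%/*}; prefix=${line#*/}
        if [ "$prefix" -gt 32 ]; then
            printf 'invalid prefix length: %s\n' "$line" >&2; bad=1; continue
        fi
        # Split the address on dots and range-check each octet.
        local IFS=.
        for octet in $ip; do
            if [ "$octet" -gt 255 ]; then
                printf 'invalid octet: %s\n' "$line" >&2; bad=1; break
            fi
        done
    done < "$file"
    return "$bad"
}

# Count the usable entries in a zone file (what will land in the ipset).
count_zone_entries() {
    grep -Ec '^[0-9]' "$1"
}

# Stand-alone demo on a constructed zone file (not real ipdeny data):
# two good entries, a blank line, a bad octet and a bad prefix length.
demo_dir=$(mktemp -d)
printf '1.0.1.0/24\n1.0.2.0/23\n\n256.1.1.0/24\n10.0.0.0/33\n' > "$demo_dir/xx.zone"
if validate_zone_file "$demo_dir/xx.zone"; then
    echo "xx.zone ok: $(count_zone_entries "$demo_dir/xx.zone") entries"
else
    echo "xx.zone rejected, not loading it into the ipset"
fi
rm -rf "$demo_dir"
```

Drop `validate_zone_file "./${zone}.zone" || exit 1` in front of each `--add-entries-from-file` call and a bad download aborts the run before the old ipset has been replaced with a broken one.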
Thanks, Richard
On 2020-04-05 21:36, Richard Shaw wrote:
I got tired of repeated SSH attempts and honestly, for my home network, there are few countries that need to be logging into my system, so I'm using a combination of fail2ban and blocking by country.
I live in Taiwan. While I get the most ssh attempts from China, no surprise there, the second most offending country is the USA.
Rather than doing something which needs updating, I decided to only allow public-key authentication on ssh connections.
Fun Fact: For the period Jan 31 to Apr 7 there were IPs from 116 unique countries attempting logins via ssh to my system. I run IPv6 as well and no attempts were made via those addresses.
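On the public-key-only approach, one thing that bites people is that sshd takes the first value it sees for a keyword, so a `PasswordAuthentication no` appended to the end of sshd_config does nothing if an earlier `yes` is still there. Here is an added check (my own example, not Ed's configuration or anything from OpenSSH) that reads a config the way sshd does and reports whether password and keyboard-interactive logins are really off; the config it audits is constructed inline.

```bash
#!/bin/bash
# Added example, not from the post: check that an sshd_config really leaves
# only public-key authentication enabled. sshd takes the FIRST value it
# sees for a keyword, so a "no" appended at the end of the file is ignored
# if an earlier "yes" exists; this audit mirrors that rule. Directives after
# a Match block are conditional and are deliberately not considered.

# Print the effective value of a keyword (first match wins), or the given
# default when the keyword is not set. Keyword matching is case-insensitive,
# as in sshd. Only the "Keyword value" form is handled, not "Keyword=value".
sshd_effective() {
    local file="$1" default="$3" key value
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    value=$(awk -v k="$key" '
        tolower($1) == "match" { exit }   # stop at the first Match block
        $1 != "" && substr($1, 1, 1) != "#" && tolower($1) == k { print $2; exit }
    ' "$file")
    printf '%s\n' "${value:-$default}" | tr 'A-Z' 'a-z'
}

# Exit 0 if password and keyboard-interactive auth are off and public-key
# auth is on; otherwise list each offending setting on stderr and exit 1.
# KbdInteractiveAuthentication was called ChallengeResponseAuthentication
# in older OpenSSH releases, so the old name is consulted when the new one
# is absent. Defaults (yes for all three) are upstream OpenSSH defaults.
audit_sshd_config() {
    local file="$1" bad=0 pw kbd pk
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    kbd=$(sshd_effective "$file" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_effective "$file" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "PasswordAuthentication is effectively $pw" >&2; bad=1; }
    [ "$kbd" = no ] || { echo "keyboard-interactive auth is effectively $kbd" >&2; bad=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is effectively $pk" >&2; bad=1; }
    return "$bad"
}

# Stand-alone demo on a constructed config (not a real host's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, but sshd ignores it because the first value above wins
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
if audit_sshd_config "$demo"; then
    echo "config allows only public-key authentication"
else
    echo "config still permits password logins; fix it and run sshd -t before restarting"
fi
rm -f "$demo"
```

On a live host, `sshd -T` prints the effective values directly and is the authoritative check; this script is for auditing a config file before it is deployed.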
Richard-
Consider using fail2ban; it will grok your logs and block specific IP addresses based on previous failures.
Regards, -Jamie
On Tue, Apr 7, 2020 at 12:27 AM Ed Greshko ed.greshko@greshko.com wrote:
On 2020-04-05 21:36, Richard Shaw wrote:
I got tired of repeated SSH attempts and honestly, for my home network, there are few countries that need to be logging into my system, so I'm using a combination of fail2ban and blocking by country.
I live in Taiwan. While I get the most ssh attempts from China, no surprise there, the second most offending country is the USA.
Rather than doing something which needs updating, I decided to only allow public-key authentication on ssh connections.
Fun Fact: For the period Jan 31 to Apr 7 there were IPs from 116 unique countries attempting logins via ssh to my system. I run IPv6 as well and no attempts were made via those addresses.
--
The key to getting good answers is to ask good questions.
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
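To make Jamie's suggestion concrete, here is an added example (mine, not fail2ban's code) of the core of what fail2ban does with the auth log: count "Failed password" lines per source address and report the addresses that hit a retry threshold, then turn that list into reviewable firewalld commands. The log lines are constructed and use documentation address ranges; unlike fail2ban there is no time window, so counts are all-time.

```bash
#!/bin/bash
# Added example, not fail2ban's own code: tally "Failed password" lines
# in an sshd auth log per source address and report the addresses that
# reached a retry threshold. The log lines below are constructed and use
# documentation ranges. Unlike fail2ban this ignores the time window
# (findtime), so the counts are all-time rather than recent.

# Print "ip count" for every address with at least $2 failed password
# attempts in log file $1, sorted by address.
ban_candidates() {
    local log="$1" maxretry="$2"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$log" | sort
}

# Turn the candidate list into firewalld commands that drop the source.
# They are printed rather than executed so they can be reviewed first;
# pipe the output to sh to apply them.
ban_commands() {
    ban_candidates "$1" "$2" | while read -r ip count; do
        printf 'firewall-cmd --zone=drop --add-source=%s   # %s failures\n' "$ip" "$count"
    done
}

# Stand-alone demo on constructed log lines (not a real host's log).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Apr  7 00:12:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  7 00:12:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr  7 00:12:05 host sshd[1240]: Failed password for root from 198.51.100.7 port 40000 ssh2
Apr  7 00:12:09 host sshd[1241]: Accepted publickey for richard from 192.0.2.10 port 50000 ssh2
Apr  7 00:12:10 host sshd[1236]: Failed password for root from 203.0.113.5 port 51238 ssh2
EOF
echo "addresses with 3 or more failures:"
ban_candidates "$demo_log" 3
ban_commands "$demo_log" 3
rm -f "$demo_log"
```

The successful public-key login from 192.0.2.10 is never counted, which is the point of pairing fail2ban with public-key-only logins: the noise comes only from password attempts, and those can no longer succeed.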
On Wed, Apr 8, 2020 at 9:28 AM Jamie Fargen jamie@fargenable.com wrote:
Richard-
Consider using fail2ban; it will grok your logs and block specific IP addresses based on previous failures.
Yes, if you note in the original post, I'm already using fail2ban, but in taking note of the most frequent offenders (by country) I'm choosing to block whole countries as they have no business trying to gain access to my personal network.
Why worry about IPs getting banned, and later unbanned, when they don't have any business trying to connect with me in the first place? :)
Thanks, Richard