Hello everyone,
My Logwatch report this morning is below. It appears that IP 218.145.54.195 has attempted to connect to my SSH daemon 500 times. I'm confused at how that can be, as I added that IP several days ago to the iptables

/sbin/iptables -I OC -s 218.145.54.195 -j DROP

and a /iptables -L OC shows that he's in there.
--------------------- pam_unix Begin ------------------------
vsftpd:
   Unknown Entries:
      check pass; user unknown: 2 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.92.120.65 : 1 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=81.112.95.146 : 1 Time(s)

sshd:
   Invalid Users:
      Unknown Account: 764 Time(s)
   Authentication Failures:
      unknown (sig214.gsig-net.qc.ca ): 227 Time(s)
      unknown (218.145.54.195 ): 500 Time(s)
      unknown (207.139.143.214 ): 1 Time(s)
      unknown (222.122.60.42 ): 36 Time(s)
---------------------- pam_unix End -------------------------
Any ideas why he'd be getting through the cracks?
Thanks, Kevin
The rule that blocks must come before the rule that opens the SSH port for all.
And, as Alexsander Dalloz said, use "service iptables save" to save the rule permanently (if another application doesn't change that).
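
The ordering point in the reply above, as an added example that is not part of the original thread: a small checker that reads iptables-save style "-A" lines and reports the first verdict a new SSH connection from a given source would hit. The function name ssh_verdict and both rule sets are constructed; they assume the OC chain is jumped to from INPUT, and the matcher only understands -s, -p, --dport, --state, -i lo and -j.

```shell
# Added example: first-match verdict for a NEW tcp/22 packet from source $1.
# Rules are read from stdin in iptables-save format (only "-A" lines are used).
ssh_verdict() {
    awk -v ip="$1" '
    $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 }   # keep each chain in order
    function matches(r,   f, i, c) {
        c = split(r, f, " ")
        for (i = 3; i <= c; i++) {
            if (f[i] == "-s" && f[i+1] != ip && f[i+1] != (ip "/32")) return 0
            if (f[i] == "-p" && f[i+1] != "tcp") return 0
            if (f[i] == "--dport" && f[i+1] != "22") return 0
            if (f[i] == "--state" && f[i+1] !~ /NEW/) return 0
            if (f[i] == "-i" && f[i+1] == "lo") return 0
        }
        return 1
    }
    function target(r,   f, i, c) {
        c = split(r, f, " ")
        for (i = 3; i < c; i++) if (f[i] == "-j") return f[i+1]
        return ""
    }
    function walk(chain,   i, t, v) {
        for (i = 1; i <= n[chain]; i++) {
            if (!matches(rule[chain, i])) continue
            t = target(rule[chain, i])
            if (t == "RETURN") return ""
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT")
                return t " (" chain " rule " i ")"
            if (t in n) { v = walk(t); if (v != "") return v }   # user chain
        }
        return ""
    }
    END { v = walk("INPUT"); print (v == "" ? "policy" : v) }'
}

# Constructed rule sets: the same four rules, differing only in order.
BEFORE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j OC
-A OC -s 218.145.54.195/32 -j DROP'
AFTER='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j OC
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OC -s 218.145.54.195/32 -j DROP'

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | ssh_verdict 218.145.54.195)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | ssh_verdict 218.145.54.195)"
```

On a live host the same function can be fed the output of iptables-save to see which rule an address reaches first.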