
Re: auth log full with



	Hi.

On Sun, Aug 14, 2022 at 04:07:03PM +0200, Matthias Böttcher wrote:
> how do I block these ip ranges?

The usual way.

iptables -I INPUT -s <offending_ip_block> -p tcp --dport 22 \
	-m conntrack --ctstate NEW -j DROP

or, if the source IP is an actual IPv6 (a rare thing in my experience):

ip6tables -I INPUT -s <offending_ip_block> -p tcp --dport 22 \
	-m conntrack --ctstate NEW -j DROP

Add your favorite way to persist these between host reboots, and you're
set.

> Which source can I use to determine the geo location of ip addresses?

whois, geoiplookup, even https://bgp.he.net .
Whatever works, basically.
Last one is my favorite as it shows all IP blocks assigned to an AS.
Really helpful with spammer nests such as outlook.com (AS8075) or
DigitalOcean (AS14061).

> Is there a Debian packet?

For the first two - sure.
You'll need whois and geoip-bin. Installing iptables is assumed.

Reco
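
The two commands from the message above, generated for a whole list of blocks, as an added example that is not part of the original message. The function names (family_of, emit_rules, sample_blocks) are hypothetical and the sample ranges are constructed documentation ranges.

```sh
#!/bin/sh
# Added example: prints the DROP commands from the message for a list of
# blocks. Nothing is applied; review the output, then pipe it to sh as root.

# Prints 4 or 6 for a plausible CIDR, nothing otherwise. The patterns only
# restrict the character set so no shell syntax reaches the generated
# command; iptables/ip6tables still do the real address parsing.
family_of() {
    if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
        echo 4
    elif printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'; then
        echo 6
    fi
}

# Reads one block per line on stdin; blanks and '#' comments are ignored.
# -C checks for an identical rule first, so re-running adds no duplicates.
emit_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        block=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$block" ] || continue
        case "$(family_of "$block")" in
            4) cmd=iptables ;;
            6) cmd=ip6tables ;;
            *) printf 'skipped invalid entry: %s\n' "$block" >&2; continue ;;
        esac
        rule="INPUT -s $block -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP"
        printf '%s\n' "$cmd -C $rule 2>/dev/null || $cmd -I $rule"
    done
}

# Constructed sample input: documentation ranges, not real offenders.
sample_blocks() {
    cat <<'EOF'
# blocks collected from whois / bgp.he.net would go here
192.0.2.0/24
2001:db8::/32      # IPv6 entries are routed to ip6tables
203.0.113.0/24; echo oops
EOF
}

sample_blocks | emit_rules
```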

