The box got slow, so I decided to vim /var/log/secure and saw a bunch of brute force methods trying to ssh with names starting from A-Z.
iptables was installed, so I added the IP via:
iptables -I FORWARD -s [ip] -j DROP
iptables -I INPUT -s [ip] -j DROP
It seemed like it blocked his IP automatically. I did:
iptables -nvL|less
Which showed his IP being supposedly blocked:
Chain INPUT (policy ACCEPT 26G packets, 9985G bytes)
 pkts bytes target  prot opt in  out source     destination
   23  1400 DROP    all  --  *   *   [HIS_IP]   0.0.0.0/0
  26G 9985G PORTSEN all  --  *   *   0.0.0.0/0  0.0.0.0/0
Is this it? Do I need to use any command to actually save it, like service iptables save? Or is this automatically saved?
As a preventative measure, I'm going to follow a guide and add:
iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
Are these measures enough for the low to medium level attacks? Would appreciate any input.
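Added example, not code from the original post: a small simulation of what the two -m recent rules above do to a stream of new SSH connections, run over /var/log/secure-style lines like the ones the poster saw. It assumes the xt_recent behaviour that an --update rule with --hitcount matches only when the source already has at least hitcount timestamps inside --seconds and records the packet only when it matches, while a --set rule always records; that both rules were added with -I, so the --update/DROP rule ends up above --set; that each "Failed password" line counts as one NEW connection (a simplification, since sshd allows several password tries per connection); and a fixed year for the syslog stamps. The log lines and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Simulate the two `-m recent` rules from the question on sshd log lines.

Added example, not code from the original post.  Assumptions:
  * xt_recent semantics: an --update rule with --hitcount matches only when
    the source already has >= hitcount timestamps inside --seconds, and records
    the packet only when it matches; a --set rule always records the packet.
  * Both rules were added with -I, so --update/DROP sits above --set.
  * Each "Failed password" line is taken as one NEW connection (a
    simplification: sshd allows several password tries per connection).
  * Syslog stamps carry no year; 2024 is assumed.  Log lines and addresses
    (RFC 5737 ranges) are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 180   # --seconds 180
HITCOUNT = 4           # --hitcount 4
LIST_TOT = 20          # xt_recent keeps at most ip_pkt_list_tot stamps per address (default 20)

# Constructed /var/log/secure-style lines.
SAMPLE_LOG = """\
Jan 10 03:12:01 box sshd[2140]: Failed password for invalid user aaron from 192.0.2.10 port 51234 ssh2
Jan 10 03:12:03 box sshd[2141]: Failed password for invalid user abby from 192.0.2.10 port 51240 ssh2
Jan 10 03:12:05 box sshd[2142]: Failed password for invalid user adam from 192.0.2.10 port 51241 ssh2
Jan 10 03:12:07 box sshd[2143]: Failed password for invalid user admin from 192.0.2.10 port 51250 ssh2
Jan 10 03:12:09 box sshd[2144]: Failed password for invalid user alex from 192.0.2.10 port 51251 ssh2
Jan 10 03:12:11 box sshd[2145]: Failed password for invalid user alice from 192.0.2.10 port 51252 ssh2
Jan 10 03:12:30 box sshd[2146]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 10 03:13:00 box sshd[2147]: Accepted publickey for ops from 203.0.113.5 port 55000 ssh2
Jan 10 03:16:00 box sshd[2148]: Failed password for invalid user bob from 192.0.2.10 port 51300 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(text, year=2024):
    """Return (time, user, ip) for every 'Failed password' line, in file order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


class RecentChain:
    """INPUT chain fragment as evaluated top-down for one NEW packet:
         1. --update --seconds W --hitcount H ... -j DROP
         2. --set
    """

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def new_connection(self, ip, now):
        """Return the verdict ('DROP', or 'ACCEPT' from the chain policy) for a NEW packet."""
        in_window = [t for t in self.stamps[ip]
                     if (now - t).total_seconds() <= self.window]
        matched = len(in_window) >= self.hitcount
        # Recorded either way: by --update when it matched, else by --set below it.
        self.stamps[ip].append(now)
        return "DROP" if matched else "ACCEPT"


def simulate(text, **chain_kwargs):
    """Feed each failed-login attempt through the chain as one NEW connection."""
    chain = RecentChain(**chain_kwargs)
    return [(ts.strftime("%H:%M:%S"), ip, chain.new_connection(ip, ts))
            for ts, _user, ip in parse_failed_logins(text)]


def dropped(text, **chain_kwargs):
    """(time, ip) of the attempts the rules would have dropped."""
    return [(t, ip) for t, ip, verdict in simulate(text, **chain_kwargs) if verdict == "DROP"]


def failures_per_ip(text):
    """Failed-login counts per source: the per-IP view to check before blocking anything."""
    counts = defaultdict(int)
    for _ts, _user, ip in parse_failed_logins(text):
        counts[ip] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for ip, n in failures_per_ip(SAMPLE_LOG).items():
        print(f"{n:3d} failed logins from {ip}")
    for t, ip, verdict in simulate(SAMPLE_LOG):
        print(t, ip, verdict)
```

On the sample, 192.0.2.10 gets four connections through and its fifth and sixth (within 180 s of the first four) are dropped; the attempt at 03:16:00 is accepted again because every stored stamp has aged out of the window. That is a consequence of the -I ordering: the --update rule counts stamps that the --set rule below it has already recorded, so the drop starts at the connection after the hitcount is reached. To try it on a real log, replace SAMPLE_LOG with the contents of /var/log/secure; the rules themselves are not touched by the script.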
You should rather use a tool like fail2ban which automatically responds to brute force attacks and manages the IP bans.
Try with denyhosts, it's in the EPEL repository.