8:16 p.m.
Hi,
What's the purpose of the *INPUT_direct* custom-chain in the
filter/INPUT chain? Is this the recommended chain to use when inserting
custom rules via the --direct option? Is it sort of like, to keep
things organized?
Thanks,
Jorge
2:28 a.m.
On 01/22/2014 03:16 AM, Jorge Fábregas wrote:
What's the purpose of the *INPUT_direct* custom-chain in the
filter/INPUT chain? Is this the recommended chain to use when inserting
custom rules via the --direct option? Is it sort of like, to keep
things organized?
Only the allmighty creator ;) of the 'direct' stuff, i.e. Thomas
can answer this properly, but yes, I think that's the use-case.
--
Jiri
9:45 a.m.
On 01/22/2014 09:28 AM, Jiri Popelka wrote:
On 01/22/2014 03:16 AM, Jorge Fábregas wrote:
> What's the purpose of the *INPUT_direct* custom-chain in the
> filter/INPUT chain? Is this the recommended chain to use when inserting
> custom rules via the --direct option? Is it sort of like, to keep
> things organized?
Only the allmighty creator ;) of the 'direct' stuff, i.e. Thomas
can answer this properly, but yes, I think that's the use-case.
Yes, the _direct chains are used for direct rules, that are added to
netfilter built-in chains. You can also create own chains and use them
as a target in a _direct rule...
--
Jiri
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards,
Thomas
12:26 p.m.
On 01/22/2014 11:45 AM, Thomas Woerner wrote:
Yes, the _direct chains are used for direct rules, that are added to
netfilter built-in chains. You can also create own chains and use them
as a target in a _direct rule...
Thank you guys. I guess then that libvirt should use it since, as soon
as you start libvirt, you see all these rules thrown in for the INPUT
built-in, as opposed to be using INPUT_direct (they're using the direct
interface).
Cheers!
Jorge
1:19 p.m.
On 22.01.2014 19:26, Jorge Fábregas wrote:
On 01/22/2014 11:45 AM, Thomas Woerner wrote:
> Yes, the _direct chains are used for direct rules, that are added to
> netfilter built-in chains. You can also create own chains and use them
> as a target in a _direct rule...
Thank you guys. I guess then that libvirt should use it since, as soon
as you start libvirt, you see all these rules thrown in for the INPUT
built-in, as opposed to be using INPUT_direct (they're using the direct
interface).
Say whaaat? :)
https://fedoraproject.org/wiki/FirewallD#The_Daemon
"With the so called direct interface other services (like for example
libvirt) are able to add own rules using iptables arguments and parameters."
poma
5:05 p.m.
On 01/22/2014 03:19 PM, poma wrote:
Say whaaat? :)
https://fedoraproject.org/wiki/FirewallD#The_Daemon
"With the so called direct interface other services (like for example
libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I
know the purpose of the _direct chains), that they should place their
rules in the INPUT_direct & FORWARD_direct chains instead of throwing
them directly in the built-in chains. Better yet, use custom chains
like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance
on how firewalld creates & uses the different custom-chains. Let's keep
it organized & manageable I think.
BTW, I know I'm not supposed to be looking under the hood (using
iptables -L) while using firewalld, but hey, I'm curious :)
--
Jorge
3:09 a.m.
On 01/23/2014 01:05 AM, Jorge Fábregas wrote:
On 01/22/2014 03:19 PM, poma wrote:
> Say whaaat? :)
> https://fedoraproject.org/wiki/FirewallD#The_Daemon
> "With the so called direct interface other services (like for example
> libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I
know the purpose of the _direct chains), that they should place their
rules in the INPUT_direct & FORWARD_direct chains instead of throwing
them directly in the built-in chains. Better yet, use custom chains
like INPUT_libvirt, FORWARD_libvirt, etc.
libvirt has been using iptables rules since long before the INPUT_direct
or FORWARD_direct chains existed (or the idea of firewalld had even
occurred) and there is a certain amount of momentum in code that
continues to work. (actually, libvirt was one of the projects that
lamented early on about the free-for-all in netfilter rule management,
and the need for a central authority, which eventually led to firewalld).
I agree that it would be a nice thing to do, though. And actually there
is a bug that has been open since, well, forever on libvirt that could
likely be fixed by putting libvirt's rules into not one custom chain,
but multiple custom chains.
One difficulty is that each time libvirtd is started, it deletes all of
its iptables rules and re-inserts them; it does this by using its
network config to reconstruct the rules that it thinks are already in
the kernel and making iptables commands (or firewalld commands) to
delete those rules. Once the change is made to put the rules in custom
chains, a newly started libvirtd won't know if the previous run was an
older version that put the rules on the built-in chains, or a newer
version that put the rules in custom chains; I suppose that could be
overcome either with a release note, or by attempting to delete rules in
both locations, at least for several releases.
You see, there's an elegance
on how firewalld creates & uses the different custom-chains. Let's keep
it organized & manageable I think.
5:14 a.m.
On 01/23/2014 12:05 AM, Jorge Fábregas wrote:
On 01/22/2014 03:19 PM, poma wrote:
> Say whaaat? :)
> https://fedoraproject.org/wiki/FirewallD#The_Daemon
> "With the so called direct interface other services (like for example
> libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I
know the purpose of the _direct chains), that they should place their
rules in the INPUT_direct & FORWARD_direct chains instead of throwing
them directly in the built-in chains. Better yet, use custom chains
like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance
on how firewalld creates & uses the different custom-chains. Let's keep
it organized & manageable I think.
libvirt is using passthrough rules at the moment. These are not added to
the _direct chains.
But yes, it would be good to have special chains for libvirt to be able
to have some sepratation and to be able to identify easily where it
comes from.
BTW, I know I'm not supposed to be looking under the hood (using
iptables -L) while using firewalld, but hey, I'm curious :)
You can look at the rule set, sure. The use of "iptables -L" is safe and
you can use it without problems. But adding, editing or removing rules
is not a good idea while firewalld is active.
BTW: I suggest to use the "iptables-save" command. It is showing rules
for all tables and additionally in the iptables format. For IPv6 use
"ip6tables-save".
/tw
5:42 a.m.
Thank you Laine for your feedback. Glad to know you're also following
this list :)
Regards,
Jorge
5:42 a.m.
On 01/23/2014 07:14 AM, Thomas Woerner wrote:
libvirt is using passthrough rules at the moment. These are not added
to
the _direct chains.
Ok.
But yes, it would be good to have special chains for libvirt to be
able
to have some sepratation and to be able to identify easily where it
comes from.
Great :)
You can look at the rule set, sure. The use of "iptables
-L" is safe and
you can use it without problems. But adding, editing or removing rules
is not a good idea while firewalld is active.
BTW: I suggest to use the "iptables-save" command. It is showing rules
for all tables and additionally in the iptables format. For IPv6 use
"ip6tables-save".
Thanks for the tip! That's definitely much better than doing "iptables
-L" for each of the tables when I want to compare (diff) the before &
after of firewalld changes.
Thanks for the help Thomas.
Regards,
Jorge
8:10 a.m.
In August of last year, I was told on the list to use ipsets to add ips
to the drop list.
Seeing all the traffic on direct chain, should I be going this direction
now?
Regards,
John
8:24 a.m.
On 01/24/2014 03:10 PM, John Griffiths wrote:
In August of last year, I was told on the list to use ipsets to add
ips
to the drop list.
Seeing all the traffic on direct chain, should I be going this direction
now?
It is good to go in this direction for separation, but it is not a
requirement.
I will be having a look at network address sets (ipset) support in
firewalld again. I am also thinking about the possibility to support
externally generated ipsets.
Regards,
John
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards,
Thomas
8:32 a.m.
As with all new packages, firewalld is somewhat of a moving target.
iptables has been around and "comfortable" because of familiarity.
I, being somewhat long in the tooth, am a little resistant to change. :-D
Thanks for the work which much be tedious.
John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
On 01/24/2014 03:10 PM, John Griffiths wrote:
> In August of last year, I was told on the list to use ipsets to add ips
> to the drop list.
>
> Seeing all the traffic on direct chain, should I be going this direction
> now?
>
It is good to go in this direction for separation, but it is not a
requirement.
I will be having a look at network address sets (ipset) support in
firewalld again. I am also thinking about the possibility to support
externally generated ipsets.
> Regards,
> John
> _______________________________________________
> firewalld-users mailing list
> firewalld-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards,
Thomas
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
1:50 p.m.
Is there a HOWTO for using direct chain to add to the drop zone
dynamically? Or am I on the wrong track?
I want to dynamically add IPs to the firewall to drop. I run a script
that parses log files to find IPs that are abusing the system and drop
them. Currently I am stuck on Fedora 16 on the active server because of
familiarity with iptables. I really want to move to Fedora 20, but I
need to adapt my script to use firewalld before I do.
I'll be glad to read the documentation, but a hand up and a point in the
right direction would be appreciated.
Regards,
John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
On 01/24/2014 03:10 PM, John Griffiths wrote:
> In August of last year, I was told on the list to use ipsets to add ips
> to the drop list.
>
> Seeing all the traffic on direct chain, should I be going this direction
> now?
>
It is good to go in this direction for separation, but it is not a
requirement.
I will be having a look at network address sets (ipset) support in
firewalld again. I am also thinking about the possibility to support
externally generated ipsets.
> Regards,
> John
> _______________________________________________
> firewalld-users mailing list
> firewalld-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards,
Thomas
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
6:04 p.m.
On 01/24/2014 03:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone
dynamically? Or am I on the wrong track?
Hi John,
I'm also learning firewalld so bear with me :)
As far as I understand, when you use the direct interface you don't
think about zones. You may explicitly request for a rule to be inserted
in one of the zones' subchains but I guess that's not the idea. For
example, If I use the direct interface and specify that I want my rule
to be placed in the INPUT chain...firewalld will place it under
INPUT_direct (as expected). Then, no matter what zones are active
(bound by interface or source) it will always traverse the INPUT_direct
subchain and process my rule. That's why I think of them, the direct
rules, to be outside of the scope of the regular zones.
I want to dynamically add IPs to the firewall to drop.
This is easy. Once you have the ip just execute:
firewall-cmd --zone=drop --add-source=YOUR_IP
You may run it as many times you want and it will keep adding that
source ip (or network) to the drop zone. This is independently of the
default zone for your interface. You can then confirmn the "active
zones" with:
firewall-cmd --get-active-zones
For me, binding a source to a zone (apart from binding an interface to
it) is one the of the BEST things of firewalld's rule-mgmt. I
discovered this about a week ago while reading the man page for
firewall-cmd (as there's no mention of this source-binding in the Wiki
or RHEL7 Guides). Prior to this, I was using rich rules. I couldn't
believe there was no way to specify a "source address" via the basic
commands and found it overkill to use rich-rules just for that. I was
hard-wired to think purely on the binding of interfaces to zones (like
many people). I guess this source binding needs more promotion :)
My kudos to the development team for coming up with this great idea!
Regards,
Jorge
6:26 a.m.
New subject: INPUT_direct chain vs DROP zone
On 01/24/2014 07:04 PM, Jorge Fábregas wrote:
On 01/24/2014 03:50 PM, John Griffiths wrote:
> Is there a HOWTO for using direct chain to add to the drop zone
> dynamically? Or am I on the wrong track?
Hi John,
I'm also learning firewalld so bear with me :)
As far as I understand, when you use the direct interface you don't
think about zones. You may explicitly request for a rule to be inserted
in one of the zones' subchains but I guess that's not the idea. For
example, If I use the direct interface and specify that I want my rule
to be placed in the INPUT chain...firewalld will place it under
INPUT_direct (as expected). Then, no matter what zones are active
(bound by interface or source) it will always traverse the INPUT_direct
subchain and process my rule. That's why I think of them, the direct
rules, to be outside of the scope of the regular zones.
> I want to dynamically add IPs to the firewall to drop.
This is easy. Once you have the ip just execute:
firewall-cmd --zone=drop --add-source=YOUR_IP
You may run it as many times you want and it will keep adding that
source ip (or network) to the drop zone. This is independently of the
default zone for your interface. You can then confirmn the "active
zones" with:
Hi Jorge,
I started with the command:
firewall-cmd --zone=drop --add-source=YOUR_IP
but the is a performance penalty paid in adding IPs that way. This is an
excerpt from the original response to my question.
You can bind IP addresses to the drop zone. But with lots of IP
addresses this will result in performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all ip addresses in it. Then add a permanent
direct rule to the firewall to DROP these. The performance hit should
be much lower (I have not tested it with that many entries, though).
I have over
8000 IPs that are currently dropped in iptables. Adding
8000+ IPs using that command takes a long time. That is why I was
pointed to ipsets.
I gave up at the time since firewalld seemed to evolving rapidly and
stuck with iptables. This is me coming back for another try.
So thanks for your reply, but I've been there and done that.
John
6:42 a.m.
New subject: firewalld general observations
I may be entirely wrong in my observation, so please correct me where I
am wrong.
I observe that firewalld is very flexible and powerful and will add and
delete IPs without having to restart. Zones may be switched on the fly.
The code is changing at a rapid pace. And, what seems to be a big one to
me, there are more than one way to do something.
Having more than one way to configure essentially the same operation
seems to me would add to the code complexity. Complexity often leads to
code maintenance issues. Not saying there are any. Complexity leads to
user confusion such as I am having now. Rapidly developing code causes
documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding,
then how about someone who is strictly a user? Maybe no one else has the
issue of over 8000 IPs being dropped at the firewall, but I certainly do
and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand
knowledge of the development can set me straight.
Regards,
John
7:27 a.m.
New subject: firewalld general observations
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where
I
am wrong.
I observe that firewalld is very flexible and powerful and will add and
delete IPs without having to restart. Zones may be switched on the fly.
The code is changing at a rapid pace. And, what seems to be a big one to
me, there are more than one way to do something.
Having more than one way to configure essentially the same operation
seems to me would add to the code complexity. Complexity often leads to
code maintenance issues. Not saying there are any. Complexity leads to
user confusion such as I am having now. Rapidly developing code causes
documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding,
then how about someone who is strictly a user? Maybe no one else has the
issue of over 8000 IPs being dropped at the firewall, but I certainly do
and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand
knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get
firewalld to work nicely with ipset for the use of blacklisting. Here are
some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the
dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if
PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously
saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177
[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service
have allowed me to add or remove ip addresses from the blacklist without the
worry of what happens upon restart, etc.
-A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
1:50 p.m.
New subject: firewalld general observations
Thanks Anthony.
On 01/25/2014 08:27 AM, Anthony Messina wrote:
John, I'm not sure if this may be of help to you, but I was also trying to get
firewalld to work nicely with ipset for the use of blacklisting. Here are
some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the
dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if
PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously
saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177
[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service
have allowed me to add or remove ip addresses from the blacklist without the
worry of what happens upon restart, etc.
-A
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
6:51 a.m.
On 01/24/2014 08:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone
dynamically? Or am I on the wrong track?
We do not have support for direct chains/rules within zones right now.
You can use the direct interface to add rules also to zones. It is not
forbidden, but you have to take care that you are not damaging other
rules by doing so.
I want to dynamically add IPs to the firewall to drop. I run a
script
that parses log files to find IPs that are abusing the system and drop
them. Currently I am stuck on Fedora 16 on the active server because of
familiarity with iptables. I really want to move to Fedora 20, but I
need to adapt my script to use firewalld before I do.
I'll be glad to read the documentation, but a hand up and a point in the
right direction would be appreciated.
Regards,
John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
> On 01/24/2014 03:10 PM, John Griffiths wrote:
>> In August of last year, I was told on the list to use ipsets to add ips
>> to the drop list.
>>
>> Seeing all the traffic on direct chain, should I be going this direction
>> now?
>>
> It is good to go in this direction for separation, but it is not a
> requirement.
>
> I will be having a look at network address sets (ipset) support in
> firewalld again. I am also thinking about the possibility to support
> externally generated ipsets.
>
>> Regards,
>> John
>> _______________________________________________
>> firewalld-users mailing list
>> firewalld-users(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
> Regards,
> Thomas
> _______________________________________________
> firewalld-users mailing list
> firewalld-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards,
Thomas
9:18 a.m.
New subject: firewalld general observations
I am not sure what is going on with my configuration of firewalld using
ipsets. I think something must be wrong.
I have a cronjob that checks the log files and adds IPs to the ipset for
those that are trying to log in to ssh that should not or abusing other
services. I notices that there are still a lot of bad logins to root. So
I checked the IP that was shown in the login against the ipset, when it
was added to the ipset (I have my own log for that.) and when the IP
last tried to connect using ssh. The IP, 61.174.51.194, is in the ipset.
# ipset test blacklist_ipv4_current 61.174.51.194
61.174.51.194 is in set blacklist_ipv4_current.
The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.
But when I check /var/log/security, the IP attempted 152 logins after
being added to the blacklist set.
Jul 16 09:00:03 joe sshd[9778]: Failed password for root from
61.174.51.194 port 16973 ssh2
Jul 16 09:00:03 joe sshd[9778]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:03 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:06 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:09 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:10 joe sshd[10148]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:10 joe sshd[10148]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:00:12 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:12 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:15 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:16 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:17 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:19 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:23 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:00:25 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:25 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:25 joe sshd[10148]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:28 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:33 joe sshd[10165]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:33 joe sshd[10165]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:00:34 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:35 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:36 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:37 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:38 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:39 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:40 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:40 joe sshd[10157]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:43 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:45 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:50 joe sshd[10179]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:51 joe sshd[10179]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:00:52 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:53 joe sshd[10183]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:54 joe sshd[10183]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:00:55 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:55 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:00:57 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:58 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:00 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:02 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:03 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:06 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:12 joe sshd[10227]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:12 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:12 joe sshd[10227]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:01:14 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:14 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:14 joe sshd[10179]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:17 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:19 joe sshd[10234]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:19 joe sshd[10234]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:01:19 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:22 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:22 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:24 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:24 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:27 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10227]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:29 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:32 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:34 joe sshd[10246]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:34 joe sshd[10246]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:01:35 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:35 joe sshd[10234]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:36 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:39 joe sshd[10252]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:39 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:41 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:43 joe sshd[10252]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:01:44 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:45 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:48 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:48 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:50 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:50 joe sshd[10246]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:52 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10266]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:55 joe sshd[10266]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:01:57 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:57 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:01:59 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:59 joe sshd[10252]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:00 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10275]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:02:05 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:06 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:08 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:11 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:13 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:15 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:16 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:18 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:21 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:21 joe sshd[10275]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:23 joe sshd[10504]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:23 joe sshd[10504]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:02:25 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:27 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:28 joe sshd[10509]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:28 joe sshd[10509]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:02:30 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:31 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:33 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:33 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:35 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:36 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:39 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:39 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:39 joe sshd[10504]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:41 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:43 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:43 joe sshd[10509]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:43 joe sshd[10525]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:44 joe sshd[10525]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:02:46 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:47 joe sshd[10529]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:48 joe sshd[10529]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:02:49 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:50 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:51 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:53 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:54 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:55 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:57 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:58 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:59 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:59 joe sshd[10525]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:03:00 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:03:03 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:03:03 joe sshd[10529]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:03:05 joe sshd[10545]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:03:06 joe sshd[10545]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:03:08 joe sshd[10550]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:03:09 joe sshd[10545]: Failed password for root from
61.174.51.194 port 6642 ssh2
Jul 16 09:03:09 joe sshd[10550]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194
user=root
Jul 16 09:03:11 joe sshd[10550]: Failed password for root from
61.174.51.194 port 7538 ssh2
Jul 16 09:03:11 joe sshd[10545]: Failed password for root from
61.174.51.194 port 6642 ssh2
Jul 16 09:03:11 joe sshd[10545]: PAM 1 more authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
My ipset ellipsized is:
Name: blacklist_ipv4_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 126760
References: 1
Members:
200.74.162.237
96.237.146.189
190.21.141.207
201.116.227.194
...
77.234.3.95
218.63.121.5
203.184.192.216
70.115.3.109
74.55.63.194
221.5.86.42
122.25.33.18
190.95.242.142
85.250.14.160
Name: blacklist_ipv4_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 67304
References: 1
Members:
123.30.182.178
50.195.85.69
116.10.191.213
61.174.51.200
79.191.202.21
61.174.51.211
46.130.133.139
...
116.10.191.174
23.81.27.114
61.174.51.230
61.174.51.233
188.165.212.171
103.9.91.6
Name: blacklist_ipv4_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 66152
References: 1
Members:
61.174.51.213
85.25.242.234
85.25.150.52
61.233.233.124
211.234.100.203
221.179.191.36
85.25.139.52
221.179.89.90
61.233.76.135
116.10.191.208
61.174.51.194
61.174.51.197
94.156.77.46
85.25.129.28
37.157.187.125
116.10.191.203
85.25.176.135
54.237.87.185
85.25.176.103
61.234.146.22
198.211.30.115
200.30.85.115
59.63.167.174
61.19.247.71
85.25.139.28
183.129.228.45
116.10.191.195
85.25.99.108
216.146.33.22
85.25.144.37
216.146.33.50
Name: blacklist_ipv6_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist_ipv6_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist_ipv6_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist
Type: list:set
Revision: 2
Header: size 8
Size in memory: 112
References: 0
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
There are a total of 8616 IPs in blacklist_ipv4_permanent,
blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses
in any ipv6 set yet.
My /etc/firewalld/direct.xml file is a symbolic link to
../../root/ipFilter/lib/direct.xml and the selinux context is:
# l -Z direct.xml ../../root/ipFilter/lib/direct.xml
lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0
direct.xml -> ../../root/ipFilter/lib/direct.xml
-rw-r-----. root root unconfined_u:object_r:firewalld_etc_rw_t:s0
../../root/ipFilter/lib/direct.xml
The /etc/firewalld/direct.xml is:
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
--limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level
6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
--limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level
6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
When I open firewall-config, there is nothing under the Direct tab.
I am using firewalld-0.3.10-1.fc20.noarch.
I sure would appreciate some guidance to what may be wrong.
John
On 01/25/2014 08:27 AM, Anthony Messina wrote:
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
> I may be entirely wrong in my observation, so please correct me where I
> am wrong.
>
> I observe that firewalld is very flexible and powerful and will add and
> delete IPs without having to restart. Zones may be switched on the fly.
> The code is changing at a rapid pace. And, what seems to be a big one to
> me, there are more than one way to do something.
>
> Having more than one way to configure essentially the same operation
> seems to me would add to the code complexity. Complexity often leads to
> code maintenance issues. Not saying there are any. Complexity leads to
> user confusion such as I am having now. Rapidly developing code causes
> documentation lag; one reason this list is so valuable.
>
> I am a developer professionally. If I am having issues understanding,
> then how about someone who is strictly a user? Maybe no one else has the
> issue of over 8000 IPs being dropped at the firewall, but I certainly do
> and I am finding it hard to address with my understanding of firewalld.
>
> Thanks to the developers for the hard work. Hope someone with first hand
> knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get
firewalld to work nicely with ipset for the use of blacklisting. Here are
some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the
dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if
PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously
saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177
[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service
have allowed me to add or remove ip addresses from the blacklist without the
worry of what happens upon restart, etc.
-A
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
10:33 a.m.
New subject: firewalld general observations
Why are you sending your Firewalld Problems, to my personal email? I dont'
have any thing to do with Firewalld. I,am a user of it, like you are,I
don't work at Firewalld this is my personal gmail email account I,am in no
way associated with Firewalld, and I do not answer tech question's for
them? so do not email me with your Problems.You need to send them to
Firewalld's address at (firewalld-users(a)list.fedoahosted.org) If your
sending these request's becauase I have joined the list please remove me
since this is an Annoyance to me I dont want tech questions in my personal
email's. Thank you, Randy Fitzgerald.
On Wed, Jul 16, 2014 at 7:18 AM, John Griffiths <fedora.jrg01(a)grifent.com>
wrote:
I am not sure what is going on with my configuration of firewalld
using
ipsets. I think something must be wrong.
I have a cronjob that checks the log files and adds IPs to the ipset for
those that are trying to log in to ssh that should not or abusing other
services. I notices that there are still a lot of bad logins to root. So I
checked the IP that was shown in the login against the ipset, when it was
added to the ipset (I have my own log for that.) and when the IP last tried
to connect using ssh. The IP, 61.174.51.194, is in the ipset.
# ipset test blacklist_ipv4_current 61.174.51.194
61.174.51.194 is in set blacklist_ipv4_current.
The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.
But when I check /var/log/security, the IP attempted 152 logins after
being added to the blacklist set.
Jul 16 09:00:03 joe sshd[9778]: Failed password for root from
61.174.51.194 port 16973 ssh2
Jul 16 09:00:03 joe sshd[9778]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:03 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:06 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:09 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:10 joe sshd[10148]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:10 joe sshd[10148]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:12 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:12 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:15 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:16 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:17 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:19 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:23 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:25 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:25 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:25 joe sshd[10148]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:28 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:33 joe sshd[10165]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:33 joe sshd[10165]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:34 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:35 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:36 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:37 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:38 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:39 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:40 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:40 joe sshd[10157]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:43 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:45 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:50 joe sshd[10179]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:51 joe sshd[10179]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:52 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:53 joe sshd[10183]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:54 joe sshd[10183]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:55 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:55 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:00:57 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:58 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:00 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:02 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:03 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:06 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:12 joe sshd[10227]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:12 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:12 joe sshd[10227]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:14 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:14 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:14 joe sshd[10179]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:17 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:19 joe sshd[10234]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:19 joe sshd[10234]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:19 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:22 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:22 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:24 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:24 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:27 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10227]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:29 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:32 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:34 joe sshd[10246]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:34 joe sshd[10246]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:35 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:35 joe sshd[10234]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:36 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:39 joe sshd[10252]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:39 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:41 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:43 joe sshd[10252]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:44 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:45 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:48 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:48 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:50 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:50 joe sshd[10246]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:52 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10266]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:55 joe sshd[10266]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:57 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:57 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:01:59 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:59 joe sshd[10252]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:00 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10275]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:05 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:06 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:08 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:11 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:13 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:15 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:16 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:18 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:21 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:21 joe sshd[10275]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:23 joe sshd[10504]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:23 joe sshd[10504]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:25 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:27 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:28 joe sshd[10509]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:28 joe sshd[10509]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:30 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:31 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:33 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:33 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:35 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:36 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:39 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:39 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:39 joe sshd[10504]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:41 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:43 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:43 joe sshd[10509]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:43 joe sshd[10525]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:44 joe sshd[10525]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:46 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:47 joe sshd[10529]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:48 joe sshd[10529]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:49 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:50 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:51 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:53 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:54 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:55 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:57 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:58 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:59 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:59 joe sshd[10525]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:03:00 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:03:03 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:03:03 joe sshd[10529]: PAM 5 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:03:05 joe sshd[10545]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:03:06 joe sshd[10545]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:03:08 joe sshd[10550]: reverse mapping checking getaddrinfo for
194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed -
POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:03:09 joe sshd[10545]: Failed password for root from
61.174.51.194 port 6642 ssh2
Jul 16 09:03:09 joe sshd[10550]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:03:11 joe sshd[10550]: Failed password for root from
61.174.51.194 port 7538 ssh2
Jul 16 09:03:11 joe sshd[10545]: Failed password for root from
61.174.51.194 port 6642 ssh2
Jul 16 09:03:11 joe sshd[10545]: PAM 1 more authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
My ipset ellipsized is:
Name: blacklist_ipv4_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 126760
References: 1
Members:
200.74.162.237
96.237.146.189
190.21.141.207
201.116.227.194
...
77.234.3.95
218.63.121.5
203.184.192.216
70.115.3.109
74.55.63.194
221.5.86.42
122.25.33.18
190.95.242.142
85.250.14.160
Name: blacklist_ipv4_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 67304
References: 1
Members:
123.30.182.178
50.195.85.69
116.10.191.213
61.174.51.200
79.191.202.21
61.174.51.211
46.130.133.139
...
116.10.191.174
23.81.27.114
61.174.51.230
61.174.51.233
188.165.212.171
103.9.91.6
Name: blacklist_ipv4_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 66152
References: 1
Members:
61.174.51.213
85.25.242.234
85.25.150.52
61.233.233.124
211.234.100.203
221.179.191.36
85.25.139.52
221.179.89.90
61.233.76.135
116.10.191.208
61.174.51.194
61.174.51.197
94.156.77.46
85.25.129.28
37.157.187.125
116.10.191.203
85.25.176.135
54.237.87.185
85.25.176.103
61.234.146.22
198.211.30.115
200.30.85.115
59.63.167.174
61.19.247.71
85.25.139.28
183.129.228.45
116.10.191.195
85.25.99.108
216.146.33.22
85.25.144.37
216.146.33.50
Name: blacklist_ipv6_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist_ipv6_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist_ipv6_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist
Type: list:set
Revision: 2
Header: size 8
Size in memory: 112
References: 0
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
There are a total of 8616 IPs in blacklist_ipv4_permanent,
blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses in
any ipv6 set yet.
My /etc/firewalld/direct.xml file is a symbolic link to
../../root/ipFilter/lib/direct.xml and the selinux context is:
# l -Z direct.xml ../../root/ipFilter/lib/direct.xml
lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0
direct.xml -> ../../root/ipFilter/lib/direct.xml
-rw-r-----. root root unconfined_u:object_r:firewalld_etc_rw_t:s0
../../root/ipFilter/lib/direct.xml
The /etc/firewalld/direct.xml is:
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
When I open firewall-config, there is nothing under the Direct tab.
I am using firewalld-0.3.10-1.fc20.noarch.
I sure would appreciate some guidance to what may be wrong.
John
On 01/25/2014 08:27 AM, Anthony Messina wrote:
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I
am wrong.
I observe that firewalld is very flexible and powerful and will add and
delete IPs without having to restart. Zones may be switched on the fly.
The code is changing at a rapid pace. And, what seems to be a big one to
me, there are more than one way to do something.
Having more than one way to configure essentially the same operation
seems to me would add to the code complexity. Complexity often leads to
code maintenance issues. Not saying there are any. Complexity leads to
user confusion such as I am having now. Rapidly developing code causes
documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding,
then how about someone who is strictly a user? Maybe no one else has the
issue of over 8000 IPs being dropped at the firewall, but I certainly do
and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand
knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get
firewalld to work nicely with ipset for the use of blacklisting. Here are
some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
--limit
3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist
src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the
dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if
PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously
saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177
[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service
have allowed me to add or remove ip addresses from the blacklist without the
worry of what happens upon restart, etc.
-A
_______________________________________________
firewalld-users mailing
listfirewalld-users@lists.fedorahosted.orghttps://lists.fedorahosted.org/mailman/listinfo/firewalld-users
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
noon
New subject: firewalld and ipset - was firewalld general observations
Jiri,
There is no /var/log/firewalld file.
This is my config file:
# firewalld config file
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
# Minimal mark
# Marks up to this minimum are free for use for example in the direct
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark=100
# Clean up on exit
# If set to no or false the firewall configuration will not get
cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes
# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will
be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no
# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a
reply to the
# packet would be sent via the same interface that the packet
arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes
Thanks,
John
On 07/16/2014 12:56 PM, Jiri Popelka wrote:
On 07/16/2014 04:18 PM, John Griffiths wrote:
> When I open firewall-config, there is nothing under the Direct tab.
Can you check /var/log/firewalld for any WARNINGs/ERRORs ?
--
Jiri
12:11 p.m.
New subject: firewalld and ipset - was firewalld general observations
On 07/16/2014 07:00 PM, John Griffiths wrote:
There is no /var/log/firewalld file.
And if you add 'FIREWALLD_ARGS=--debug' into /etc/sysconfig/firewalld
and restart/reload firewalld ?
Are there any WARNINGs/ERRORs ? (I don't need to see the DEBUGs).
--
Jiri
12:46 p.m.
New subject: firewalld and ipset - was firewalld general observations
Hello John,
Once you have this working, would you mind posting your config/scripts
for others to benefit from? I'd like to use ipsets as well but haven't
had a chance to look deeply into them. Your setup sounds like it would
be a great start.
--
Nathanael
1:08 p.m.
New subject: firewalld and ipset - was firewalld general observations
I see:
2014-07-16 13:25:23 DEBUG1: Failed to load direct rules file
'/etc/firewalld/direct.xml': /etc/firewalld/direct.xml:1:1: not
well-formed (invalid token)
so the file was invalid.
I checked the file. The first line was an improperly formed comment:
# /etc/firewalld/direct.xml:
I changed that line to:
<!-- /etc/firewalld/direct.xml -->
and the direct file loaded. The direct rules now show in firewall-config.
Thanks!
John
On 07/16/2014 01:11 PM, Jiri Popelka wrote:
On 07/16/2014 07:00 PM, John Griffiths wrote:
> There is no /var/log/firewalld file.
And if you add 'FIREWALLD_ARGS=--debug' into /etc/sysconfig/firewalld
and restart/reload firewalld ?
Are there any WARNINGs/ERRORs ? (I don't need to see the DEBUGs).
--
Jiri
2:03 p.m.
New subject: firewalld and ipset - was firewalld general observations
I cannot take credit.
My thanks to Anthony, Thomas, and Jiri on this list for their help.
I just worked out the kinks for my particular use.
Here are what I use:
/etc/firewalld/direct.xml (from Anthony)
<!-- /etc/firewalld/direct.xml -->
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m
limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP:
--log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set
--match-set blacklist src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m
limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP:
--log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set
--match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
/etc/systemd/system/ipset.service (from Anthony)
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service
ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save
restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177
[Install]
WantedBy=basic.target
This is from the email from Anthony:
The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules
are
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service
have allowed me to add or remove ip addresses from the blacklist without the
worry of what happens upon restart, etc.
My own ipset save file is a bit more complex:
create blacklist_ipv4_permanent hash:ip family inet hashsize 4096
maxelem 65536
create blacklist_ipv4_semipermanent hash:ip family inet hashsize
4096 maxelem 65536
create blacklist_ipv4_current hash:ip family inet hashsize 4096
maxelem 65536
create blacklist_ipv6_permanent hash:ip family inet6 hashsize 4096
maxelem 65536
create blacklist_ipv6_semipermanent hash:ip family inet6 hashsize
4096 maxelem 65536
create blacklist_ipv6_current hash:ip family inet6 hashsize 4096
maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4_permanent
add blacklist blacklist_ipv4_semipermanent
add blacklist blacklist_ipv4_current
add blacklist blacklist_ipv6_permanent
add blacklist blacklist_ipv6_semipermanent
add blacklist blacklist_ipv6_current
It is up to you how you want to add IPs to the ipsets.
I have another script that runs periodically to parse various log files
to determine IPs to blacklist and add them to blacklist_ipv4_current.
Once a day, the script reads IPs that are in the current list and which
have been in historical lists of 'current' IPs and adds them to
semipermanent or discards them if not. Does the same for historical
semipermanent and adds them to permanent. It keeps the firewall up to
date with 'bad guys.' That script is pretty complex and I'd rather not
post it. I am not working with IPv6 to any extent yet.
I currently have 8616 IPs in my blacklist.
Nathanael, Hope this helps you and others.
John
On 07/16/2014 01:46 PM, Nathanael d. Noblet wrote:
Hello John,
Once you have this working, would you mind posting your config/scripts
for others to benefit from? I'd like to use ipsets as well but haven't
had a chance to look deeply into them. Your setup sounds like it would
be a great start.
4:14 a.m.
New subject: firewalld general observations
On 07/16/2014 05:33 PM, Randy Fitzgerald wrote:
Why are you sending your Firewalld Problems, to my personal email?
I
dont' have any thing to do with Firewalld. I,am a user of it, like you
are,I don't work at Firewalld this is my personal gmail email account
I,am in no way associated with Firewalld, and I do not answer tech
question's for them? so do not email me with your Problems.You need to
send them to Firewalld's address at
(firewalld-users(a)list.fedoahosted.org
<mailto:firewalld-users@list.fedoahosted.org>) If your sending these
request's becauase I have joined the list please remove me since this is
an Annoyance to me I dont want tech questions in my personal email's.
Thank you, Randy Fitzgerald.
There is a link in the footer on each email on this list.
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Within this page you can change your settings for the list. There is
also a button to unsubscribe.
On Wed, Jul 16, 2014 at 7:18 AM, John Griffiths
<fedora.jrg01(a)grifent.com <mailto:fedora.jrg01@grifent.com>> wrote:
I am not sure what is going on with my configuration of firewalld
using ipsets. I think something must be wrong.
I have a cronjob that checks the log files and adds IPs to the ipset
for those that are trying to log in to ssh that should not or
abusing other services. I notices that there are still a lot of bad
logins to root. So I checked the IP that was shown in the login
against the ipset, when it was added to the ipset (I have my own log
for that.) and when the IP last tried to connect using ssh. The IP,
61.174.51.194, is in the ipset.
# ipset test blacklist_ipv4_current 61.174.51.194
61.174.51.194 is in set blacklist_ipv4_current.
The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.
But when I check /var/log/security, the IP attempted 152 logins
after being added to the blacklist set.
Jul 16 09:00:03 joe sshd[9778]: Failed password for root from
61.174.51.194 port 16973 ssh2
Jul 16 09:00:03 joe sshd[9778]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:03 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:06 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:09 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:10 joe sshd[10148]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:10 joe sshd[10148]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:12 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:12 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:15 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:16 joe sshd[9800]: Failed password for root from
61.174.51.194 port 23297 ssh2
Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:17 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:19 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:23 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:25 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:25 joe sshd[10148]: Failed password for root from
61.174.51.194 port 25999 ssh2
Jul 16 09:00:25 joe sshd[10148]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:28 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:33 joe sshd[10165]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:33 joe sshd[10165]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:34 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:35 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:36 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:37 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:38 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:39 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:40 joe sshd[10157]: Failed password for root from
61.174.51.194 port 28861 ssh2
Jul 16 09:00:40 joe sshd[10157]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:43 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:45 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: Failed password for root from
61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:50 joe sshd[10179]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:51 joe sshd[10179]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:52 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:53 joe sshd[10183]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:54 joe sshd[10183]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:00:55 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:55 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:00:57 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:00:58 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:00 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:02 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:03 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:06 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: Failed password for root from
61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:12 joe sshd[10227]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:12 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:12 joe sshd[10227]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:14 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:14 joe sshd[10179]: Failed password for root from
61.174.51.194 port 35507 ssh2
Jul 16 09:01:14 joe sshd[10179]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:17 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:19 joe sshd[10234]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:19 joe sshd[10234]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:19 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:22 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:22 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:24 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:24 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:27 joe sshd[10227]: Failed password for root from
61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10227]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:29 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:32 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:34 joe sshd[10246]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:34 joe sshd[10246]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:35 joe sshd[10234]: Failed password for root from
61.174.51.194 port 41984 ssh2
Jul 16 09:01:35 joe sshd[10234]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:36 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:39 joe sshd[10252]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:39 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:41 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:43 joe sshd[10252]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:44 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:45 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:48 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:48 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:50 joe sshd[10246]: Failed password for root from
61.174.51.194 port 45039 ssh2
Jul 16 09:01:50 joe sshd[10246]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:52 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10266]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:55 joe sshd[10266]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:01:57 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:57 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:01:59 joe sshd[10252]: Failed password for root from
61.174.51.194 port 46605 ssh2
Jul 16 09:01:59 joe sshd[10252]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:00 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10275]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:05 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:06 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:08 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:11 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:13 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:15 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:16 joe sshd[10266]: Failed password for root from
61.174.51.194 port 49978 ssh2
Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:18 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:21 joe sshd[10275]: Failed password for root from
61.174.51.194 port 51942 ssh2
Jul 16 09:02:21 joe sshd[10275]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:23 joe sshd[10504]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:23 joe sshd[10504]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:25 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:27 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:28 joe sshd[10509]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:28 joe sshd[10509]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:30 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:31 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:33 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:33 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:35 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:36 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:39 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:39 joe sshd[10504]: Failed password for root from
61.174.51.194 port 55562 ssh2
Jul 16 09:02:39 joe sshd[10504]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:41 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:43 joe sshd[10509]: Failed password for root from
61.174.51.194 port 56553 ssh2
Jul 16 09:02:43 joe sshd[10509]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:43 joe sshd[10525]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:44 joe sshd[10525]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:46 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:47 joe sshd[10529]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:48 joe sshd[10529]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:02:49 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:50 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:51 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:53 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:54 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:55 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:57 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:58 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:02:59 joe sshd[10525]: Failed password for root from
61.174.51.194 port 2338 ssh2
Jul 16 09:02:59 joe sshd[10525]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:03:00 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:03:03 joe sshd[10529]: Failed password for root from
61.174.51.194 port 3233 ssh2
Jul 16 09:03:03 joe sshd[10529]: PAM 5 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:03:05 joe sshd[10545]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:03:06 joe sshd[10545]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:03:08 joe sshd[10550]: reverse mapping checking
getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
<http://194.51.174.61.dial.wz.zj.dynamic.163data.com.cn>
[61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:03:09 joe sshd[10545]: Failed password for root from
61.174.51.194 port 6642 ssh2
Jul 16 09:03:09 joe sshd[10550]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
Jul 16 09:03:11 joe sshd[10550]: Failed password for root from
61.174.51.194 port 7538 ssh2
Jul 16 09:03:11 joe sshd[10545]: Failed password for root from
61.174.51.194 port 6642 ssh2
Jul 16 09:03:11 joe sshd[10545]: PAM 1 more authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=61.174.51.194 user=root
My ipset ellipsized is:
Name: blacklist_ipv4_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 126760
References: 1
Members:
200.74.162.237
96.237.146.189
190.21.141.207
201.116.227.194
...
77.234.3.95
218.63.121.5
203.184.192.216
70.115.3.109
74.55.63.194
221.5.86.42
122.25.33.18
190.95.242.142
85.250.14.160
Name: blacklist_ipv4_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 67304
References: 1
Members:
123.30.182.178
50.195.85.69
116.10.191.213
61.174.51.200
79.191.202.21
61.174.51.211
46.130.133.139
...
116.10.191.174
23.81.27.114
61.174.51.230
61.174.51.233
188.165.212.171
103.9.91.6
Name: blacklist_ipv4_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 66152
References: 1
Members:
61.174.51.213
85.25.242.234
85.25.150.52
61.233.233.124
211.234.100.203
221.179.191.36
85.25.139.52
221.179.89.90
61.233.76.135
116.10.191.208
61.174.51.194
61.174.51.197
94.156.77.46
85.25.129.28
37.157.187.125
116.10.191.203
85.25.176.135
54.237.87.185
85.25.176.103
61.234.146.22
198.211.30.115
200.30.85.115
59.63.167.174
61.19.247.71
85.25.139.28
183.129.228.45
116.10.191.195
85.25.99.108
216.146.33.22
85.25.144.37
216.146.33.50
Name: blacklist_ipv6_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist_ipv6_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist_ipv6_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Name: blacklist
Type: list:set
Revision: 2
Header: size 8
Size in memory: 112
References: 0
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
There are a total of 8616 IPs in blacklist_ipv4_permanent,
blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No
addresses in any ipv6 set yet.
My /etc/firewalld/direct.xml file is a symbolic link to
../../root/ipFilter/lib/direct.xml and the selinux context is:
# l -Z direct.xml ../../root/ipFilter/lib/direct.xml
lrwxrwxrwx. root root
unconfined_u:object_r:firewalld_etc_rw_t:s0 direct.xml ->
../../root/ipFilter/lib/direct.xml
-rw-r-----. root root
unconfined_u:object_r:firewalld_etc_rw_t:s0
../../root/ipFilter/lib/direct.xml
The /etc/firewalld/direct.xml is:
# /etc/firewalld/direct.xml:
<direct>
<!-- IPset Blacklisting -->
<chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m
limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP:
--log-level 6</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv4">-t raw -A PREROUTING -m set
--match-set blacklist src -j PREROUTING_blacklist</passthrough>
<chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m
limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP:
--log-level 6</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
<passthrough ipv="ipv6">-t raw -A PREROUTING -m set
--match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
When I open firewall-config, there is nothing under the Direct tab.
I am using firewalld-0.3.10-1.fc20.noarch.
I sure would appreciate some guidance to what may be wrong.
John
On 01/25/2014 08:27 AM, Anthony Messina wrote:
> On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
>> I may be entirely wrong in my observation, so please correct me where I
>> am wrong.
>>
>> I observe that firewalld is very flexible and powerful and will add and
>> delete IPs without having to restart. Zones may be switched on the fly.
>> The code is changing at a rapid pace. And, what seems to be a big one to
>> me, there are more than one way to do something.
>>
>> Having more than one way to configure essentially the same operation
>> seems to me would add to the code complexity. Complexity often leads to
>> code maintenance issues. Not saying there are any. Complexity leads to
>> user confusion such as I am having now. Rapidly developing code causes
>> documentation lag; one reason this list is so valuable.
>>
>> I am a developer professionally. If I am having issues understanding,
>> then how about someone who is strictly a user? Maybe no one else has the
>> issue of over 8000 IPs being dropped at the firewall, but I certainly do
>> and I am finding it hard to address with my understanding of firewalld.
>>
>> Thanks to the developers for the hard work. Hope someone with first hand
>> knowledge of the development can set me straight.
> John, I'm not sure if this may be of help to you, but I was also trying to
get
> firewalld to work nicely with ipset for the use of blacklisting. Here are
> some examples that I use. (Lines are likely wrapped):
>
> # /etc/firewalld/direct.xml:
> <direct>
> <!-- IPset Blacklisting -->
> <chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m
limit --limit
> 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
> <passthrough ipv="ipv4">-t raw -A PREROUTING -m set
--match-set blacklist
> src -j PREROUTING_blacklist</passthrough>
> <chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m
limit --limit
> 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
> <passthrough ipv="ipv6">-t raw -A PREROUTING -m set
--match-set blacklist
> src -j PREROUTING_blacklist</passthrough>
> </direct>
>
>
> The thing to remember with the above configuration is that you must add the
> dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if
> PREROUTING_blacklist doesn't yet exist.
>
>
> I have also created a systemd ipset.service file that will reload previously
> saved ipset rules on boot and save them on shutdown:
>
> #/etc/systemd/system/ipset.service
> [Unit]
> Description=ipset - IP set restore & save
> Documentation=man:ipset(8)
> Before=network.target firewalld.service iptables.service ip6tables.service
> ConditionFileNotEmpty=/etc/sysconfig/ipset.save
>
> [Service]
> Type=oneshot
> ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
> ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
> RemainAfterExit=yes
> StandardOutput=journal+console
> UMask=0177
>
> [Install]
> WantedBy=basic.target
>
>
> The way I did this was to create a minimal ipset configuration and execute
> '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules
are
> stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
>
> My initial ipset.save without any ip addresses added looks like:
>
> create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
> create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
> create blacklist list:set size 8
> add blacklist blacklist_ipv4
> add blacklist blacklist_ipv6
>
> Then do 'systemctl enable ipset && systemctl start ipset'
>
> Together, the additions to the direct.xml configuration and the ipset.service
> have allowed me to add or remove ip addresses from the blacklist without the
> worry of what happens upon restart, etc.
>
> -A
>
>
>
> _______________________________________________
> firewalld-users mailing list
> firewalld-users(a)lists.fedorahosted.org
<mailto:firewalld-users@lists.fedorahosted.org>
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
<mailto:firewalld-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
3565
days inactive
3745
days old
firewalld-users@lists.fedorahosted.org
28 comments
9 participants
participants (9)
-
Anthony Joseph Messina -
Jiri Popelka -
John Griffiths -
Jorge Fábregas -
Laine Stump -
Nathanael D. Noblet -
poma -
Randy Fitzgerald -
Thomas Woerner