* * * * *

    To block the bad guys, it helps to correctly specify all the addresses

Back when I had some server issues [1] I took the time to have the hosting
company modify the main firewall to allow all ssh traffic to my server
instead of from a fixed set of IP (Internet Protocol) addresses. There had
been some times in the recent past (like when the DSL (Digital Subscriber
Line) connection goes down and I can't log into the server) where that would
have been a Good Thing™. The change went through, and as long as I have an
ssh key (no passwords allowed) I can log in from anywhere.

Now, I run my own syslog daemon [2] and one of its features is the ability to
scan logs in real time and do things based on what it sees, like blocking IP
addresses on failed ssh attempts [3]. I do this on my home system and have
currently blocked over 2,300 IP addresses (over the past 30 days—after said
time the blocks are removed to keep the firewall from “filling up” so to
speak). I enabled this feature on my server about a week ago and … it didn't
work.

I could see entries being added to the firewall, but the attempts from some
“blocked” IP addresses kept happening. It took me some time, but I spotted
the problem—I was blocking 0.0.0.0 instead of 0.0.0.0/0. The former says
“match the exact IP address of 0.0.0.0” (which is not a valid IP address on
the Internet) while the latter says “match all IP addresses.”

Sigh.

Once spotted, it was an easy fix. Then I noticed that the failed log message
differed a bit between my home system and the server, so I had to fix the
parser a bit to account for the differences. Hopefully, that should be it.
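As an added illustration (not code from this post or from syslogintr), here is a small Python sketch of the two pieces described above: a parser that accepts two sshd failure wordings, and a rule builder that pins the source to a /32 and refuses a destination of 0.0.0.0 where 0.0.0.0/0 ("any") was meant. The log lines, the rule layout and the function names are constructed assumptions, not the module's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (not taken from the post). They cover two wordings
# that differ between hosts: "Failed password for [invalid user] NAME from IP"
# and "Invalid user NAME from IP". The last line is a success and must be ignored.
SAMPLE_LOGS = """\
Jan  5 10:01:02 home sshd[1234]: Failed password for root from 198.51.100.7 port 4022 ssh2
Jan  5 10:01:09 home sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2
Jan  5 10:02:15 server sshd[987]: Invalid user oracle from 203.0.113.9 port 51000
Jan  5 10:02:40 server sshd[990]: Accepted publickey for spc from 192.0.2.1 port 5000 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def failed_ips(lines):
    """Count failed-login source addresses, accepting both wordings above."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def block_rule(src_ip, dst="0.0.0.0/0"):
    """Render a DROP rule (assumed iptables layout). The source is pinned to a
    /32; the destination must be a real 'any' (/0), not the lone host 0.0.0.0."""
    src = ipaddress.ip_network(f"{src_ip}/32")
    dst_net = ipaddress.ip_network(dst, strict=False)
    if dst_net.num_addresses == 1 and dst_net.network_address.is_unspecified:
        raise ValueError(f"{dst} matches only the address 0.0.0.0; use 0.0.0.0/0")
    return f"iptables -I INPUT -p tcp --dport 22 -s {src} -d {dst_net} -j DROP"

def rule_matches(rule, src_ip, dst_ip):
    """Apply the rule's -s/-d CIDRs to a packet the way the firewall would."""
    fields = rule.split()
    src_net = ipaddress.ip_network(fields[fields.index("-s") + 1])
    dst_net = ipaddress.ip_network(fields[fields.index("-d") + 1])
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)
```

Rewriting the destination of a generated rule to the bare 0.0.0.0 makes rule_matches return False for every real packet, which is exactly the silent failure the post describes.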

[1] gopher://gopher.conman.org/0Phlog:2020/01/02.1
[2] https://github.com/spc476/syslogintr
[3] https://github.com/spc476/syslogintr/blob/master/modules/ssh-iptables.lua

Email author at [email protected]