Block IP if it connects to port 22

How can I effectively (so do it fast when talking about firewall level, and able to do it with many, many IPs) block an IP address for a given time, e.g. a month, if it tried to contact port 22 TCP in any manner (port check, connect via ssh, etc.)?

How can I do it with iptables, OpenBSD pf?

The main idea is that SSHD is running on a non-default port and with this blocking method, we could harden our protection without any extra software.

It should block the IP with DROP, not RFC REJECT.

UPDATE: I mean it should do it automatically. I don't want to give every IP address manually.










iptables pf






edited Mar 2 '16 at 11:01

asked Mar 2 '16 at 9:29
nyipeter



I do not think blocking random IPs connecting to a port is the best of the ideas, and not over a long time. The iptables list can become rather long, and also running an SSHD in a different port is accounted for by many bots nowadays. Granted, less bad agents will find it. I do prefer to not expose SSH ports to the Internet, and use VPNs to get to ssh. Do not forget to use fail2ban applied to the port where the real service is running.

– Rui F Ribeiro
Mar 2 '16 at 11:47






2 Answers
You could use fail2ban or similar software, with a custom rule that blocked any IP address that tries to connect to port 22.

fail2ban manages automated blocking of hosts making unwanted connections (based on all sorts of criteria, including number of connection attempts, error messages in specific log files, attempts to fetch a particular URL, or pretty nearly anything you can think of and write a script to test for) as well as automated expiry of such blocks.

fail2ban is available packaged for most/all Linux distros, and the home page is at: http://www.fail2ban.org/

answered Mar 3 '16 at 2:13
cas
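
One way to build the custom rule this answer describes, as an added example that is not part of the original answer: an iptables LOG rule tags every packet sent to port 22, a fail2ban filter extracts the source address from the kernel log, and a jail bans it for 30 days with DROP. The jail and filter name `port22-probe`, the log prefix, the log path `/var/log/kern.log` and the `ignoreip` address are assumptions.

```ini
# --- Firewall side (assumed rules, run once as root). They are appended
# --- with -A so they sit after the chain jump fail2ban inserts at the top
# --- of INPUT; hosts that are already banned are dropped before logging.
#   iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "PORT22-PROBE: "
#   iptables -A INPUT -p tcp --dport 22 -j DROP
# The real sshd listens on another port, so nothing legitimate hits port 22.

# --- /etc/fail2ban/filter.d/port22-probe.conf (hypothetical filter name)
[Definition]
# Matches kernel lines such as this constructed sample:
#   kernel: PORT22-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40112 DPT=22 SYN
# \b after DPT=22 keeps ports such as 2222 from matching.
failregex = PORT22-PROBE: .* SRC=<HOST> .*\bDPT=22\b
ignoreregex =

# --- /etc/fail2ban/jail.local
[port22-probe]
enabled  = true
filter   = port22-probe
# Assumed location of kernel messages (Debian/Ubuntu style syslog)
logpath  = /var/log/kern.log
# A single logged packet is enough to trigger the ban
maxretry = 1
findtime = 600
# 30 days in seconds; fail2ban removes the rule itself when the ban expires
bantime  = 2592000
# DROP instead of the default REJECT, on every port and protocol
action   = iptables-allports[name=port22-probe, protocol=all, blocktype=DROP]
# The source of a lone SYN can be spoofed, so exempt management hosts
# (192.0.2.10 is a placeholder for your own admin address)
ignoreip = 127.0.0.1/8 192.0.2.10
```

Running `fail2ban-regex /var/log/kern.log /etc/fail2ban/filter.d/port22-probe.conf` checks the filter against real log lines before the jail is enabled.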

Block Incoming Request From IP 1.2.3.4

The following command will drop any packet coming from the IP address 1.2.3.4:

    /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port PORT-NUMBER-HERE -s IP-ADDRESS-HERE -j DROP

Example port 22:

    /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 22 -s 1.2.3.4 -j DROP

Block outgoing

    # OUTPUT rules match the outgoing interface with -o and the remote address with -d
    /sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port PORT-NUMBER-HERE -d IP-ADDRESS-HERE -j DROP

Example port 22:

    /sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -d 1.2.3.4 -j DROP

answered Mar 2 '16 at 10:02
GAD3R

I updated the question.

– nyipeter
Mar 2 '16 at 11:02





            I updated the question.

            – nyipeter
            Mar 2 '16 at 11:02
















