Thursday, April 02, 2020
To block the bad guys, it helps to correctly specify all the addresses
Back when I had some server issues I took the time to have the hosting company modify the main firewall to allow all ssh traffic to my server instead of from a fixed set of IP addresses.
There had been some times in the recent past
(like when the DSL connection goes down and I can't log into the server)
where that would have been a Good Thing™.
The change went through,
and as long as I have an ssh key
(no passwords allowed) I can log in from anywhere.
Now,
I run my own syslog daemon and one of its features is the ability to scan logs in real time and do things based on what it sees,
like blocking IP addresses on failed ssh attempts.
I do this on my home system and have currently blocked over 2,300 IP addresses
(over the past 30 days—after said time the blocks are removed to keep the firewall from “filling up” so to speak).
I enabled this feature on my server about a week ago and … it didn't work.
I could see entries being added to the firewall,
but the attempts from some “blocked” IP addresses kept happening.
It took me some time, but I spotted the problem—I was blocking 0.0.0.0 instead of 0.0.0.0/0.
The former says “match the exact IP address of 0.0.0.0”
(which is not a valid IP address on the Internet)
while the later says “match all IP addresses.”
Sigh.
Once spotted, it was an easy fix. Then I noticed that the failed log message differed a bit between my home system and the server, so I had to fix the parser a bit to account for the differences. Hopefully, that should be it.
