I've noticed from time to time, that fail2ban just craps out, so, this might be of interest to the community assuming you use <a href="http://192.168.100.0/24">192.168.100.0/24</a> on your network<br><br><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 12"><meta name="Originator" content="Microsoft Word 12"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CAdmin%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_filelist.xml"><link rel="themeData" href="file:///C:%5CDOCUME%7E1%5CAdmin%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_themedata.thmx"><link rel="colorSchemeMapping" href="file:///C:%5CDOCUME%7E1%5CAdmin%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_colorschememapping.xml"><style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;
mso-font-charset:1;
mso-generic-font-family:roman;
mso-font-format:other;
mso-font-pitch:variable;
mso-font-signature:0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:-1610611985 1073750139 0 0 159 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-unhide:no;
mso-style-qformat:yes;
mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";}
.MsoChpDefault
{mso-style-type:export-only;
mso-default-props:yes;
font-size:10.0pt;
mso-ansi-font-size:10.0pt;
mso-bidi-font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<p class="MsoNormal">iptables -A INPUT -s <a href="http://192.168.100.0/24">192.168.100.0/24</a> -j ACCEPT <br></p>
<p class="MsoNormal">iptables -A INPUT -s carrierip.x.x.x -j ACCEPT</p>
<p class="MsoNormal"></p>iptables -A INPUT -s 127.0.0.1 -j ACCEPT
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -p udp -m udp -s carrierip.x.x.x
--destination-port 5060 -j ACCEPT</p><p class="MsoNormal">iptables -A INPUT -p udp -m udp -s carrierip.x.x.x
--destination-port 10000:20000 -j ACCEPT</p><p class="MsoNormal">iptables -A INPUT -p udp -m udp --destination-port 5060 -j
DROP</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -p udp -m udp --destination-port
10000:20000 -j DROP</p><p class="MsoNormal">iptables -A INPUT -p udp -m udp --destination-port 4000:4999
-j DROP</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -p udp -m udp --destination-port 4569 -j
DROP</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -p tcp -m tcp --destination-port 5038 -j
DROP</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -p tcp -m tcp --destination-port 22 -j
DROP</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -p udp -m udp --destination-port 22 -j
DROP</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A OUTPUT -o eth0 -p all -j ACCEPT</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A OUTPUT -o eth1 -p all -j ACCEPT</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -i eth0 -p all -j ACCEPT</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -A INPUT -i eth1 -p all -j ACCEPT</p>
<p class="MsoNormal"></p><p class="MsoNormal">iptables -P INPUT DROP</p>
<br><br><div class="gmail_quote">2010/7/2 Jonathan González <span dir="ltr"><<a href="mailto:jonathan.gsc@gmail.com">jonathan.gsc@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Same activity from these IPs:<br>174.129.137.135<br>89.35.123.12<br>209.20.66.234<br>184.73.30.42<br>184.73.44.61<br>87.106.187.137<br>194.44.244.187<br>203.55.198.100<br>209.76.47.11<br>94.74.229.229<br>93.184.79.59<br>
209.62.53.242<div>
<div></div><div class="h5"><br>
<br><br><br><div class="gmail_quote">On Thu, Jul 1, 2010 at 10:56 PM, Jamie A. Stapleton <span dir="ltr"><<a href="mailto:jstapleton@computer-business.com" target="_blank">jstapleton@computer-business.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p>The IP 69.175.35.186 has just been banned by Fail2Ban
after 293 attempts against our server.</p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;">
<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>
[mailto:<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>] <b>On Behalf Of </b>John Timms<br>
<b>Sent:</b> Thursday, July 01, 2010 11:32 AM<br>
<b>To:</b> Asterisk Users Mailing List - Non-Commercial Discussion<br>
<b>Subject:</b> Re: [asterisk-users] Brute force attacks</span></p>
</div><div><div></div><div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik <<a href="mailto:ish@pack-net.co.uk" target="_blank">ish@pack-net.co.uk</a>> wrote:</p>
<div>
<blockquote style="border-width: medium medium medium 1pt; border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;">
<div>
<p class="MsoNormal">Hi<br>
<br>
We've just noticed attempts (close to 200000 attempts, sequential peer numbers)
at guessing peers on 2 of out servers and thought I'd share the originating IPs
with the list in case anyone wants to firewall them as we have done<br>
<br>
109.170.106.59<br>
112.142.55.18<br>
124.157.161.67<br>
<br>
Ish</p>
<div>
<p class="MsoNormal">-- <br>
<span style="color: black;">Ishfaq Malik<br>
Software Developer<br>
PackNet Ltd<br>
<br>
Office: 0161 660 3062</span></p>
</div>
</div>
<p class="MsoNormal"><br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a></p>
</blockquote>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">We
have noticed the same sort of activity on our server.
The originating IP addresses attempting access were:</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">204.9.204.145
(hosted at U.S. Colo, I believe)</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">91.203.132.149
(Nephax)</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">130.70.157.186
(University of Louisiana)</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">61.160.121.46
(Chinanet)</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">109.170.0.10
(ReasonUP Ltd)</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt;">--<br>
John Timms <br>
IT Department - Gnoso Inc.<br>
<a href="mailto:john@gnoso.com" target="_blank"><span style="color: rgb(0, 0, 204);">john@gnoso.com</span></a><br>
<span style="color: rgb(136, 136, 136);">--</span></span></p>
</div>
</div>
</div></div></div>
</div>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br><br clear="all"><br><br>
</div></div><br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br><br clear="all"><br>-- <br>Matthew Desbiens<br>//* EOF *//<br>