Banning Chinese IPs

Hi all! Can anyone advise how to properly block Chinese IPs? I regularly see things like this in the logs:

authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 10:48:33 Zhytomyr sshd[18369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:50:12 Zhytomyr sshd[18374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 10:50:27 Zhytomyr sshd[18376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 10:50:59 Zhytomyr sshd[18378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 10:51:38 Zhytomyr sshd[18380]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:52:16 Zhytomyr sshd[18382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 10:53:42 Zhytomyr sshd[18384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 10:53:58 Zhytomyr sshd[18387]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 10:54:16 Zhytomyr sshd[18389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 10:54:39 Zhytomyr sshd[18391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:55:11 Zhytomyr sshd[18393]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.76.117 user=root
Dec 3 10:55:57 Zhytomyr sshd[18396]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 10:57:01 Zhytomyr sshd[18398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 10:57:38 Zhytomyr sshd[18403]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:57:40 Zhytomyr sshd[18401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 10:57:57 Zhytomyr sshd[18405]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 10:58:37 Zhytomyr sshd[18407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.44.172.146 user=root
Dec 3 10:58:42 Zhytomyr sshd[18409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.76.117 user=root
Dec 3 10:59:38 Zhytomyr sshd[18413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 11:00:07 Zhytomyr sshd[18415]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.92.111.227 user=root
Dec 3 11:00:17 Zhytomyr sshd[18417]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 11:00:31 Zhytomyr sshd[18419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 11:00:36 Zhytomyr sshd[18421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 11:01:25 Zhytomyr sshd[18423]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=101.69.200.162 user=root
Dec 3 11:01:57 Zhytomyr sshd[18425]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 11:02:15 Zhytomyr sshd[18427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.76.117 user=root
Dec 3 11:03:27 Zhytomyr sshd[18429]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 11:03:32 Zhytomyr sshd[18432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 11:03:36 Zhytomyr sshd[18434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 11:03:50 Zhytomyr sshd[18436]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 11:05:48 Zhytomyr sshd[18438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.76.117 user=root
Dec 3 11:06:29 Zhytomyr sshd[18441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 11:06:38 Zhytomyr sshd[18443]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 11:06:49 Zhytomyr sshd[18445]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 11:06:56 Zhytomyr sshd[18447]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root

I would like to ban these pools. Does anyone have experience with this?

I banned them like this: set firewall group address-group cheater address 129.213.98.196… but they just keep multiplying… and requests come in again from other IPs.

I found this resource (https://www.okean.com/china.txt), but VyOS does not want to accept an entry like set firewall group address-group cheater address 221.122.0.0 - 221.123.255.255

vyos@Zhytomyr# set firewall group address-group cheater address 221.122.0.0-221.123.255.200

  Error: address range must be within 221.122.0.0/24

  Value validation failed
  Set failed
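Added example, not code from the thread or from VyOS: a Python script that turns "start - end" ranges of the shape quoted above into CIDR prefixes with the standard library's ipaddress.summarize_address_range and emits `set firewall group network-group` commands. A network-group accepts a prefix of any length, which sidesteps the "address range must be within …/24" restriction of address-group ranges. The group name cheater-cn, the assumed file format (one range or host per line, "#" starts a comment) and the sample lines are mine; the thread does not show the real layout of china.txt.

```python
"""Turn "start - end" IP ranges into CIDR prefixes and VyOS network-group commands.

An address-group `address` entry takes a single host or a range inside one /24,
which is why the range in the post was rejected.  A network-group takes
prefixes of any length, so each range is first summarized into the minimal set
of aligned CIDR blocks.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

IPv4Pair = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample (not the real china.txt).  Assumed format: one range or
# one host per line, "#" starts a comment, mirroring the shape quoted in the post.
SAMPLE_RANGES = """\
# constructed sample
221.122.0.0 - 221.123.255.255
221.122.0.0-221.123.255.200
222.101.206.56
"""

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\s*-\s*(\d+\.\d+\.\d+\.\d+))?$")


def parse_ranges(text: str) -> List[IPv4Pair]:
    """Parse range lines into (start, end) address pairs, skipping blanks and comments."""
    pairs: List[IPv4Pair] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = RANGE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised line: {raw!r}")
        start = ipaddress.IPv4Address(match.group(1))
        end = ipaddress.IPv4Address(match.group(2) or match.group(1))  # bare host: start == end
        if end < start:
            raise ValueError(f"range end before start: {raw!r}")
        pairs.append((start, end))
    return pairs


def ranges_to_prefixes(pairs: Iterable[IPv4Pair]) -> List[ipaddress.IPv4Network]:
    """Summarize every range into aligned CIDR blocks, then merge overlaps and duplicates."""
    blocks: List[ipaddress.IPv4Network] = []
    for start, end in pairs:
        blocks.extend(ipaddress.summarize_address_range(start, end))
    return list(ipaddress.collapse_addresses(blocks))


def vyos_network_group(name: str, prefixes: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Emit one `set` line per prefix for pasting into VyOS configure mode."""
    return [f"set firewall group network-group {name} network {p}" for p in prefixes]


if __name__ == "__main__":
    for cmd in vyos_network_group("cheater-cn", ranges_to_prefixes(parse_ranges(SAMPLE_RANGES))):
        print(cmd)
```

The sample collapses to two prefixes (221.122.0.0/15 and 222.101.206.56/32) because the second range lies inside the first; the truncated range from the failed command alone needs 13 blocks, which is what an address-group range cannot express. Paste the output in configure mode and reference the group from a rule that drops traffic sourced from it (on VyOS 1.2/1.3 syntax: `set firewall name WAN_LOCAL rule 10 source group network-group cheater-cn` with `action drop`; the rule-set name is an assumption).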

The error message shows that it must be in the same address segment 221.122.0.0/24, and you may have crossed multiple 221.122.0.0/24 networks

Why not just allow access only from certain networks?
Any reason you need to keep SSH open to the world?


Much better to whitelist than attempt to blacklist all bad-things-on-the-internet ™

SSH security rules are divided into whitelists and blacklists. Both have their place in different scenarios. For example, fail2ban uses a blacklist mechanism to defend.

Agreed. In this situation, where a specific service that gives high-privilege access to the router is required, whitelisting is the better approach to take.

I remember that the VyOS firewall can be set up to block or allow on a port.
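Added example, not from the thread: the blacklist mechanism fail2ban is credited with above, written out in Python over a verbatim excerpt of the log lines posted at the top. It groups pam_unix failures by rhost, applies a "maxretry failures within window" rule with a sliding window, and turns the IP offenders into address-group entries. The thresholds (3 failures in 10 minutes), the group name cheater and the handling of rhost values that are hostnames are my choices, not anything the posters configured.

```python
"""fail2ban-style counting of sshd PAM failures per rhost, then VyOS ban commands.

A host that fails `maxretry` times inside any `window` becomes an
address-group entry; hostnames are reported, not resolved.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Verbatim excerpt of the lines posted in the thread (syslog format, no year).
SAMPLE_LOG = """\
Dec 3 10:48:33 Zhytomyr sshd[18369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:50:12 Zhytomyr sshd[18374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 10:50:27 Zhytomyr sshd[18376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 10:50:59 Zhytomyr sshd[18378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 10:51:38 Zhytomyr sshd[18380]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:52:16 Zhytomyr sshd[18382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 10:53:42 Zhytomyr sshd[18384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 10:53:58 Zhytomyr sshd[18387]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 10:54:16 Zhytomyr sshd[18389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 10:54:39 Zhytomyr sshd[18391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:55:11 Zhytomyr sshd[18393]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.76.117 user=root
Dec 3 10:55:57 Zhytomyr sshd[18396]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
Dec 3 10:57:01 Zhytomyr sshd[18398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=232.ip-51-77-194.eu user=root
Dec 3 10:57:38 Zhytomyr sshd[18403]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns398995.ip-37-59-43.eu user=root
Dec 3 10:57:40 Zhytomyr sshd[18401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.234.6.147 user=root
Dec 3 10:57:57 Zhytomyr sshd[18405]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=162.243.50.8 user=root
Dec 3 10:58:42 Zhytomyr sshd[18409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.76.117 user=root
Dec 3 10:59:38 Zhytomyr sshd[18413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.101.206.56 user=root
"""

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*?\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S*)"
)

Event = Tuple[datetime, str, str]  # (timestamp, rhost, user)


def parse_failures(text: str, year: int = 2000) -> List[Event]:
    """Extract (timestamp, rhost, user) from pam_unix auth-failure lines.

    syslog stamps carry no year; the default is a leap year so "Feb 29" parses.
    Lines with an empty rhost are dropped: there is nothing to ban.
    """
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("rhost"):
            continue
        stamp = " ".join(m.group("stamp").split())  # "Dec  3" -> "Dec 3"
        events.append((datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
                       m.group("rhost"), m.group("user")))
    return events


def find_offenders(events: List[Event], maxretry: int = 3,
                   window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return rhost -> peak failures inside any `window`, for hosts reaching `maxretry`."""
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for ts, host, _ in events:
        by_host[host].append(ts)
    offenders: Dict[str, int] = {}
    for host, stamps in by_host.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:  # drop events that fell out of the window
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= maxretry:
            offenders[host] = peak
    return offenders


def vyos_ban_commands(offenders: Dict[str, int], group: str = "cheater") -> Tuple[List[str], List[str]]:
    """Build address-group `set` lines for IP offenders; return hostnames separately.

    sshd logs rhost as a name when reverse DNS resolves; an address-group needs
    the literal IP, and a forward lookup of a PTR name chosen by the attacker
    need not return the address that attacked you, so names are left for review.
    """
    commands, names = [], []
    for host in sorted(offenders):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            names.append(host)
            continue
        commands.append(f"set firewall group address-group {group} address {host}")
    return commands, names


if __name__ == "__main__":
    cmds, names = vyos_ban_commands(find_offenders(parse_failures(SAMPLE_LOG)))
    print("\n".join(cmds))
    print("hostnames needing review:", names)
```

On this excerpt five sources reach three failures within ten minutes; three of them are IPs and become address-group entries, while the two `.eu` reverse-DNS names are listed for manual review. Raising maxretry to 4 leaves only ns398995.ip-37-59-43.eu, which shows why the thresholds matter more than the parser.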