Blocking rule using network alias
-
After the alias I use to block bad IP addresses would not allow any more
entries of IP addresses, I decided to make a second alias to continue adding
more IP addresses as I find them trying to hack my websites or SSH hacking.
I discovered that the second list was not blocking the IPs because they continued
to show up in my logs or fail2ban emails. I also noticed that China IPs were
the majority of the fail2ban reports, so I tried making a network alias and added
the IPs in /8 format, i.e. 218.2.0.0/8. Again, I was still getting SSH bans for IPs
in that range. I did reset the state table after adding these aliases. Anyone have any idea why this might be happening?
The version of pfSense is 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009
-
218.2.0.0/8 is not a valid subnet - that would be 218.0.0.0/8 (if you are really intending to block the whole of 218)
You do not mention it, but I guess you added firewall rule/s to WAN to block using the alias as source?
That should work fine on 1.2.3 - but there are good support reasons to move to V2.1, not too many people can remember 1.2.3 any more ;)
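The two points raised in this reply (an entry with host bits set under its prefix, and whether a block rule keyed on the alias actually covers the addresses seen in the logs) can be checked offline before touching the firewall. The script below is an added example written for this page, not code from the thread or from pfSense; the alias entries and the sample source addresses are constructed to mirror what the posts describe, and it uses Python's standard `ipaddress` module to model how a mask is applied, rather than any pfSense API.

```python
import ipaddress

# Constructed alias contents, modelled on the entries the thread describes;
# these are example values, not the poster's actual alias.
ALIAS_ENTRIES = ["61.147.0.0/16", "61.155.0.0/16", "60.0.0.0/8", "218.2.0.0/8"]

# Constructed sample of source addresses as they might appear in fail2ban
# reports; not taken from the original logs.
SAMPLE_HITS = ["61.147.5.9", "61.200.1.1", "60.33.2.1", "218.77.1.1", "203.0.113.5"]


def normalize_entry(entry):
    """Parse one alias entry.

    Returns (network, clean). `clean` is False when the entry has host bits
    set under its prefix (e.g. 218.2.0.0/8): strict parsing rejects it, and
    the non-strict form shows the network a masking firewall would really
    use (218.0.0.0/8).
    """
    try:
        return ipaddress.ip_network(entry, strict=True), True
    except ValueError:
        return ipaddress.ip_network(entry, strict=False), False


def load_alias(entries):
    """Build an alias as a list of (original_text, network, clean) tuples."""
    return [(e,) + normalize_entry(e) for e in entries]


def invalid_entries(alias):
    """Entries whose written address does not sit on the prefix boundary."""
    return [orig for orig, _, clean in alias if not clean]


def matching_entries(ip, alias):
    """Alias entries whose network contains `ip`; an empty list means a
    block rule keyed on this alias would let the address through."""
    addr = ipaddress.ip_address(ip)
    return [orig for orig, net, _ in alias if addr in net]


def audit_hits(hits, alias):
    """Map each observed source address to the alias entries covering it."""
    return {ip: matching_entries(ip, alias) for ip in hits}


ALIAS = load_alias(ALIAS_ENTRIES)

if __name__ == "__main__":
    for bad in invalid_entries(ALIAS):
        net, _ = normalize_entry(bad)
        print(f"entry {bad} has host bits set; masks to {net}")
    for ip, matches in audit_hits(SAMPLE_HITS, ALIAS).items():
        status = "blocked by " + ", ".join(matches) if matches else "NOT covered"
        print(f"{ip:>15}  {status}")
```

Running it flags `218.2.0.0/8` as having host bits set and shows that the per-/16 entries leave other `61.x.x.x` addresses uncovered, which is exactly the pattern of continued fail2ban reports described in the thread. Pasting the real alias contents and the addresses from a few fail2ban mails into the two lists gives a quick answer to whether the rule can match at all, separately from the question of whether the rule is attached to the WAN interface.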
Woops.
I had several 61.x.0.0/16 where x are different octets such as 147, 155 etc.
and 60.x.0.0/16. I had changed them to 61.0.0.0/8 and 60.0.0.0/8 then recently
added that 218.2.0.0/8 where I used /8 by mistake rather than /16. Incidentally, I
was still receiving fail2ban reports for 60.x.x.x and 61.x.x.x anyhow before adding
the 218.2.0.0. I was getting so many different 60.x.x.x and 61.x.x.x that I was trying
to see if changing it to a /8 would eliminate all 60 and 61, which it had not. This led
me to believe that the block rule was not working for whatever reason. My original
block alias worked until it stopped accepting new entries. I guess there is a limit on
the number of individual entries an alias can contain.

Whenever there is a large hit on the spam bot population, SSH attacks rise, primarily
from China. I don't want to block China entirely, just the IPs used to probe for SSH
servers to hack.

I had considered upgrading to V2.x a while back, but it was still in beta and I have
two WANs and two LANs, so I chose to stick with the one I have that took quite a while
to get to work like I wanted.