Setting up a new VPS with almalinux.
I've set up firewalld with the following settings
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https
ports: 80/tcp 443/tcp 7822/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Why is there still failed log in attempts logged in /var/log/secure when the ports they are connecting to are closed?
Apr 15 14:11:57 server sshd[46737]: Failed password for root from 148.113.133.177 port 43582 ssh2
Apr 15 14:11:57 server sshd[46737]: Received disconnect from 148.113.133.177 port 43582:11: Bye Bye [preauth]
Apr 15 14:12:15 server sshd[46743]: Invalid user chenyoumin from 27.254.149.199 port 60384
Apr 15 14:12:15 server sshd[46743]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 14:12:15 server sshd[46743]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.254.149.199
When i try to ssh in to the server with a random port:
ssh -p 50645 root@server.com
it returns:
ssh: connect to host server.com port 50645: No route to host
And nothing is logged in /var/log/secure.
Update
I've disabled firewalld and enabled nftables. I've loading in the following rule set
table inet firewall {
chain inbound_ipv4 {
}
chain inbound_ipv6 {
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
}
chain inbound {
type filter hook input priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept }
iifname "lo" accept
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
tcp dport { 80, 443, 7822 } accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
}
table inet f2b-table {
set addr-set-sshd {
type ipv4_addr
elements = { 45.89.110.110 }
}
chain f2b-chain {
type filter hook input priority filter - 1; policy accept;
meta l4proto { tcp } ip saddr @addr-set-sshd reject
}
}
Now this seems to work fine. any attempt to ssh to a port other than 7822 just hangs, and there are no entries in the logs.
But I am still seeing brute force attempts from bots in the logs. How are they doing this and how do I stop it? Do they somehow have these connections open before the rules were applied? How can I drop these connections without restarting the VPS?
Apr 16 14:30:39 server sshd[61577]: pam_unix(sshd:auth): check pass; user unknown
Apr 16 14:30:39 server sshd[61577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.39.133.250
Apr 16 14:30:41 server sshd[61577]: Failed password for invalid user user from 103.39.133.250 port 48096 ssh2
Apr 16 14:30:46 server sshd[61580]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.156.239.10 user=root
Apr 16 14:30:49 server sshd[61580]: Failed password for root from 43.156.239.10 port 40702 ssh2
Apr 16 14:30:58 server sshd[61583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=165.22.96.129 user=root
Apr 16 14:31:00 server sshd[61583]: Failed password for root from 165.22.96.129 port 49100 ssh2
Apr 16 14:31:14 server sshd[61586]: Invalid user user from 43.156.82.82 port 36394
Apr 16 14:31:14 server sshd[61586]: pam_unix(sshd:auth): check pass; user unknown
Apr 16 14:31:14 server sshd[61586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.156.82.82
Apr 16 14:31:16 server sshd[61586]: Failed password for invalid user user from 43.156.82.82 port 36394 ssh2
Apr 16 14:31:18 server sshd[61589]: Invalid user ubuntu from 213.190.4.134 port 36238
Apr 16 14:31:18 server sshd[61589]: pam_unix(sshd:auth): check pass; user unknown
Apr 16 14:31:18 server sshd[61589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.190.4.134
Apr 16 14:31:20 server sshd[61589]: Failed password for invalid user ubuntu from 213.190.4.134 port 36238 ssh2
