There is someone doing a brute-force attack on my server for several days now, each time through a different external IP address (hundreds so far), but always through the same (I assume local) IP address: 192.168.2.33
Question is, is there a way to create an iptables rule to block by that specific internal IP address regardless of the external IP address used? I've tried blocking that IP directly in CSF but to no avail.
2014-08-07 11:44:05 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:15 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:32 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 15:52:11 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
2014-08-07 15:52:17 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
Best Answer
I just had exactly this same problem. Iptables is a good idea, but you can also use hosts.[allow|deny], which I find is a little easier.
Example
Particularly strict example -- whitelist only. First deny everything:
And the allow rules:
Also, this is a good article:
http://www.debian-administration.org/article/87/Keeping_SSH_access_secure
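As an added example (not part of the question or the accepted answer): parsing the quoted Exim lines shows why a rule on 192.168.2.33 cannot work, since the parenthesised value is the HELO name the client itself presented, while the bracketed address after it is the actual TCP peer, which is the only address an iptables or hosts.deny rule can match. Assumes Python 3 and the log format exactly as quoted above; the sample lines are copied from the question and the threshold of three failures is a constructed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the five Exim log lines quoted in the question.
SAMPLE_LOG = """\
2014-08-07 11:44:05 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:15 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 11:44:32 dovecot_login authenticator failed for ([192.168.2.33]) [109.233.105.3]:54006: 535 Incorrect authentication data (set_id=david)
2014-08-07 15:52:11 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
2014-08-07 15:52:17 dovecot_login authenticator failed for ([192.168.2.33]) [211.147.18.84]:64810: 535 Incorrect authentication data (set_id=josh)
"""

# "(helo) [peer]:port": the parenthesised value is whatever the client sent in
# EHLO/HELO (attacker-controlled); the square-bracketed address is the TCP peer.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dovecot_login authenticator failed for "
    r"\((?P<helo>[^)]*)\) \[(?P<peer>[^\]]+)\]:(?P<port>\d+): "
    r"535 .*\(set_id=(?P<user>[^)]*)\)$"
)


def parse_failures(log_text):
    """One dict per matching line; lines in any other format are ignored."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def helo_to_peers(log_text):
    """Map each client-presented HELO name to the real peer addresses that used it."""
    seen = defaultdict(set)
    for f in parse_failures(log_text):
        seen[f["helo"]].add(f["peer"])
    return dict(seen)


def peers_to_block(log_text, threshold=3):
    """Peer addresses with at least `threshold` failures, most frequent first."""
    counts = Counter(f["peer"] for f in parse_failures(log_text))
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def iptables_rules(peers):
    """DROP rules keyed on the peer address, the only address the packet carries."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip, _ in peers]


if __name__ == "__main__":
    print(helo_to_peers(SAMPLE_LOG))  # one HELO name, several real peers
    for rule in iptables_rules(peers_to_block(SAMPLE_LOG)):
        print(rule)
```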