Hong Kong Attacks
While checking on something else today, I noticed a peculiarly high amount of failed login attempts from a couple of similar IP addresses.
Querying the last few days' logs I found that this has been happening for some time from a range of IP addresses that I found are coming from Hong Kong. I checked both of my Internet exposed servers and found that both had been similarly attempted in the last week or so.
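The log query described above, as an added example that is not part of the original post: a short Python script over constructed sshd log lines (documentation test-net addresses, not the author's actual attackers) that counts failed password attempts per source and flags any /24 range where several distinct hosts are trying; the thresholds and the /24 grouping are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sshd log lines in the usual syslog "Failed password" form (not the
# author's real logs); the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:11:07 web sshd[4021]: Failed password for invalid user admin from 203.0.113.17 port 51122 ssh2
Mar  3 02:11:09 web sshd[4021]: Failed password for root from 203.0.113.17 port 51130 ssh2
Mar  3 02:11:12 web sshd[4025]: Failed password for root from 203.0.113.18 port 51140 ssh2
Mar  3 02:12:44 web sshd[4030]: Failed password for invalid user test from 203.0.113.40 port 51230 ssh2
Mar  3 02:13:01 web sshd[4033]: Failed password for invalid user oracle from 203.0.113.41 port 51240 ssh2
Mar  3 03:01:15 web sshd[4102]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar  3 03:02:30 web sshd[4110]: Failed password for alice from 198.51.100.5 port 40030 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ..."
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def failed_logins_by_ip(log_text):
    """Count failed SSH password attempts per source IP (Accepted lines are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def suspicious_ranges(counts, prefix=24, min_sources=2, min_attempts=3):
    """Group sources into /prefix networks and return those that look like a
    range rather than a single host: several distinct sources and enough
    attempts overall. Returns {network_str: (attempts, distinct_hosts)}.
    The thresholds are assumed defaults, not values from the post."""
    per_net = defaultdict(lambda: [0, set()])
    for ip, n in counts.items():
        net = ip_network(f"{ip_address(ip)}/{prefix}", strict=False)
        per_net[net][0] += n
        per_net[net][1].add(ip)
    return {str(net): (att, len(hosts)) for net, (att, hosts) in per_net.items()
            if len(hosts) >= min_sources and att >= min_attempts}

if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOG)
    for net, (att, hosts) in suspicious_ranges(counts).items():
        print(f"{net}: {att} failed attempts from {hosts} distinct hosts")
```

On the sample input only 203.0.113.0/24 is reported; the single failed attempt from 198.51.100.5 (a legitimate user mistyping a password) stays below the thresholds.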
The logs confirmed that they were coming into an expected-to-be open service (SSH--and it gets used all the time), so I couldn't so easily just shut down that service. I could, however, very easily cut off their IP addresses using the firewall filtering rules.
I hopped onto my management console and added their CIDR to my firewall rules as REJECTED. Take that, hackers. I'm sure I have the occasional legitimate user in China and its provinces (yeah, right), but they'd be coming in through port 80 anyway, which has its own security. Nonetheless, I just cut off the whole range from accessing the whole machine.
While in there, I noticed that the port I was using to get to the admin tool wasn't allowed, and I hadn't reconfigured my browser to use my active SSH session to forward the port, either. A quick review of the rules showed that one of the rules allowed any NEW connection. Whoops. I removed that bit of the rule, restarted the firewall, and was rewarded by a rejection of my system to that port. A quick flip of the proxy and the page politely reloaded.
Most seemed good. Quick testing is required to make sure it actually works.
I re-un-configured my browser's proxy, shut it down, and launched it again. I could correctly get to the allowed ports, and correctly could not get to the blocked ports. As Borat might say, "very nice." It should be the case that there won't be any more Hong Kong attacks; well, not directly from their IPs anyway.
I then saved and copied the firewall configuration to the other system. I tweaked the file in a manner that I thought was correct for its configuration; it has two Ethernet adapters, one of which is attached directly to the Internet, and it is identified differently than the Ethernet port in the other server. I tickled the firewall to read the new configuration and was immediately denied access.
Whoops. At least that one is simply my desktop in my home office. It is, unfortunately, my daily gateway to resources not on this or other blogs or in other files on this server. At least I have easy console access so I'll fix that when I get home.
I feel a little better having done my little part to stop the weak attempt to access my system by unauthorized users.