Setting up nft to block unwanted IPs, does not block those IPs
by mdixon from LinuxQuestions.org on (#6JAR9)
I recently set up a new server, with Ubuntu 22.04.1 with all service applied, so I am now:
Code:
$ uname -a
Linux dogbert 6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12 18:54:30 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

I found my /var/log/auth.log is flooded with thousands of entries such as:

Code:
Feb 2 10:04:13 dogbert sshd[93682]: Failed password for root from [naughtyIp] port 49892 ssh2
Feb 2 10:04:14 dogbert sshd[93682]: Received disconnect from [naughtyIp] port 49892:11: Bye Bye [preauth]
Feb 2 10:04:14 dogbert sshd[93682]: Disconnected from authenticating user root [naughtyIp] port 49892 [preauth]

So I built a set of NFT rules to include the most egregious offenders and then ran:

Code:
sudo nft -f dropfile.nft
sudo nft list ruleset

That list command shows the following, which is what I expected:

Code:
table ip filter {
    chain INPUT {
        iifname "lo" accept
        ip saddr [naughtyIp1] counter packets 0 bytes 0 drop
        ...
        ip saddr [naughtyIp] counter packets 0 bytes 0 drop
        ...
        ip saddr [naughtyIpnnn] counter packets 0 bytes 0 drop
    }
}

However, when I check /var/log/auth.log a few minutes after setting up this NFT filter, I find new entries like those above for [naughtyIp] timestamped several minutes after I set the NFT in place.
Can anyone tell me why my approach failed to filter out these unwanted connection attempts and how I can do it correctly?
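The chain in the listing above has no hook line (`type filter hook input priority ...;`), so it is a regular chain rather than a base chain, and a regular chain that is never jumped to from a base chain sees no traffic at all; that is consistent with every counter still reading `packets 0 bytes 0` minutes later. The ruleset below is an added example, not the poster's dropfile.nft, showing the same drop rules attached to the input hook with the offenders kept in a named set. The table, chain and set names are assumptions, and the addresses 192.0.2.10 and 198.51.100.0/24 are constructed placeholders from the RFC 5737 documentation ranges.

```nft
#!/usr/sbin/nft -f
# Declare the table (created if absent) and empty only this table, so rules
# that ufw/iptables-nft keep in other tables are left alone. A bare
# "flush ruleset" here would wipe those too.
table inet filter
flush table inet filter

table inet filter {
    # Named set of offending sources. "flags interval" allows CIDR elements.
    # Add more later without reloading the file:
    #   nft add element inet filter blocklist '{ 203.0.113.5 }'
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }   # constructed placeholders
    }

    chain input {
        # This line is what attaches the chain to the packet path. Without it
        # the chain exists but is never consulted.
        type filter hook input priority filter; policy accept;

        iifname "lo" accept

        # Drop the offenders before any accept rule; the counter shows whether
        # the rule is actually being hit.
        ip saddr @blocklist counter drop

        ct state established,related accept
    }
}
```

Check the file with `sudo nft -c -f blocklist.nft` before loading it with `sudo nft -f blocklist.nft`, then confirm the hook is present with `sudo nft list chain inet filter input`. After a few more login attempts from a listed address the counter on the `@blocklist` rule should be non-zero and auth.log should stop receiving lines for it; a counter stuck at 0 means the chain is still not on the packet path. The policy is left at `accept` so that loading the file cannot lock out the administrator's own session.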